Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1499936
MD5:	e492ac6462163322873acd722cda21f6
SHA1:	a7a24e37488e35b22e8519c1122eee402df5926f
SHA256:	ef4ed3b3b8d21ca6b161f8f151ab3644876767c8c01d6472bf1a52c03d306978
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 1004 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E492AC6462163322873ACD722CDA21F6)

msedge.exe (PID: 6952 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5668 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2064,i,16296085406379612282,8535261573425614236,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4808 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3820 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8224 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7156 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8232 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7136 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8760 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9016 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2972 --field-trial-handle=2480,i,4861291250405216549,5259202044739056824,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1180 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1828 --field-trial-handle=2480,i,4861291250405216549,5259202044739056824,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7720 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1920 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2640,i,10792355068707998730,14061555149236825571,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6836 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1496 --field-trial-handle=2640,i,10792355068707998730,14061555149236825571,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenContent-Length: 2342Content-Type: text/htmlDate: Tue, 27 Aug 2024 16:20:33 GMTConnection: closePMUSER_FORMAT_QS: X-CDN-TraceId: 0.39862c17.1724775633.9473799Access-Control-Allow-Credentials: falseAccess-Control-Allow-Methods: *Access-Control-Allow-Methods: GET, OPTIONS, POSTAccess-Control-Allow-Origin: *

Source: file.exe, 00000000.00000002.2498890342.0000000001522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_10.6.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_10.6.dr	String found in binary or memory: https://azureedge.net
Source: Reporting and NEL.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: data_10.6.dr	String found in binary or memory: https://msn.com
Source: file.exe, 00000000.00000002.2497221758.0000000000D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/passwordC:
Source: file.exe, 00000000.00000002.2498890342.0000000001522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/passwordD
Source: Web Data.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.124.78.146:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.76:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.76:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.137.106.217:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.137.106.217:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.124.78.146:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.124.78.146:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.124.78.146:443 -> 192.168.2.7:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49791 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FAED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00FAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F9AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00F9AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00FC9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.1241606473.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_55c3ff9e-4
Source: file.exe, 00000000.00000000.1241606473.0000000000FF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_9f30dc20-1
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_570a7d1f-1
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_faeef1f4-0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F9D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00F9D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F9E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F38060	0_2_00F38060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA2046	0_2_00FA2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F98298	0_2_00F98298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6E4FF	0_2_00F6E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6676B	0_2_00F6676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC4873	0_2_00FC4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F3CAF0	0_2_00F3CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5CAA0	0_2_00F5CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4CC39	0_2_00F4CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F66DD9	0_2_00F66DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F391C0	0_2_00F391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4B119	0_2_00F4B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F51394	0_2_00F51394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F51706	0_2_00F51706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5781B	0_2_00F5781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F519B0	0_2_00F519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4997D	0_2_00F4997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F37920	0_2_00F37920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F57A4A	0_2_00F57A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F57CA7	0_2_00F57CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F51C77	0_2_00F51C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F69EEE	0_2_00F69EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBBE44	0_2_00FBBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F51F32	0_2_00F51F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F50A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F4F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F39CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.evad.winEXE@71/316@12/10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA37B5 GetLastError,FormatMessageW,

0_2_00FA37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F910BF AdjustTokenPrivileges,CloseHandle,		0_2_00F910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FA51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FBA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FBA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FA648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F342A2

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user~1\AppData\Local\Temp\544f9ce8-421b-473a-b398-a95659eeb719.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2064,i,16296085406379612282,8535261573425614236,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7156 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7136 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2972 --field-trial-handle=2480,i,4861291250405216549,5259202044739056824,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1828 --field-trial-handle=2480,i,4861291250405216549,5259202044739056824,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2640,i,10792355068707998730,14061555149236825571,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1496 --field-trial-handle=2640,i,10792355068707998730,14061555149236825571,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2064,i,16296085406379612282,8535261573425614236,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7156 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7136 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2972 --field-trial-handle=2480,i,4861291250405216549,5259202044739056824,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1828 --field-trial-handle=2480,i,4861291250405216549,5259202044739056824,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2640,i,10792355068707998730,14061555149236825571,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1496 --field-trial-handle=2640,i,10792355068707998730,14061555149236825571,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F50A76 push ecx; ret

0_2_00F50A89

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F4F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00FC1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97275

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6303

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 4.0 %

Source: C:\Users\user\Desktop\file.exe TID: 1200

Thread sleep time: -63030s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6303 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F9DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F6C2A2 FindFirstFileExW,	0_2_00F6C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA68EE FindFirstFileW,FindClose,	0_2_00FA68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FA698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F9D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F9D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FA9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FA979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FA9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FA5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Web Data.23.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: Web Data.23.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Web Data.23.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: Web Data.23.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Web Data.23.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: Web Data.23.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: Web Data.23.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Web Data.23.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: Web Data.23.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: Web Data.23.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Web Data.23.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Web Data.23.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Web Data.23.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Web Data.23.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: Web Data.23.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-96693

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAEAA2 BlockInput,

0_2_00FAEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F62622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F54CE8 mov eax, dword ptr fs:[00000030h]

0_2_00F54CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00F90B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F62622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F5083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F509D5 SetUnhandledExceptionFilter,	0_2_00F509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F50C21

Source: C:\Users\user\Desktop\file.exe

0_2_00F91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F72BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F72BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F4F98E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00FB22DA

Source: C:\Users\user\Desktop\file.exe

0_2_00F90B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F91663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F91663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F50698 cpuid

0_2_00F50698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FA8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F8D27A GetUserNameW,

0_2_00F8D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F6B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00F6B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F342DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00FB1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FB1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://bzib.nelreports.net/api/report?cat=bingbusiness	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://www.office.com/Office	0%	Avira URL Cloud	safe
https://myaccount.google.com/signinoptions/passwordD	0%	Avira URL Cloud	safe
https://myaccount.google.com/signinoptions/passwordC:	0%	Avira URL Cloud	safe
https://msn.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	unknown
bzib.nelreports.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://bzib.nelreports.net/api/report?cat=bingbusiness	Reporting and NEL.6.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://myaccount.google.com/signinoptions/passwordD	file.exe, 00000000.00000002.2498890342.0000000001522000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://msn.com	data_10.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://www.office.com/Office	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://myaccount.google.com/signinoptions/passwordC:	file.exe, 00000000.00000002.2497221758.0000000000D60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.65.196	unknown	United States	15169	GOOGLEUS	false
142.251.40.206	unknown	United States	15169	GOOGLEUS	false
172.253.62.84	unknown	United States	15169	GOOGLEUS	false
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
23.44.133.57	unknown	United States	20940	AKAMAI-ASN1EU	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.35.174	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1499936
Start date and time:	2024-08-27 18:18:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@71/316@12/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 43 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 108.177.15.84, 13.107.21.239, 204.79.197.239, 13.107.6.158, 2.19.126.145, 2.19.126.152, 74.125.138.94, 216.58.206.67, 23.222.241.154, 23.222.241.137, 23.222.241.148, 23.222.241.146, 23.222.241.155, 23.222.241.136, 23.222.241.132, 20.223.35.26, 138.113.219.71, 216.58.206.78, 142.250.65.195, 142.250.65.227, 172.217.165.131
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, time.windows.com, arc.msn.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, e86303.dscx.akamaiedge.net, clients2.google.com, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, arc.trafficmanager.net, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, accounts.google.com, bzib.nelreports.net.akamaized.net, fonts.gstatic.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, b-0005.b-msedge.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, edgeassetservice.azureedge.net, azureedge-t-prod.trafficmanager.net, business.bing.com, clients.l.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:19:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
18:19:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
239.255.255.250	ocedures.msg	Get hash	malicious	Unknown	Browse
	Smeg SignRequest.pdf	Get hash	malicious	HTMLPhisher	Browse
	Murexltd Mail Security Update Required For gjohnson@murexltd.com.msg	Get hash	malicious	HTMLPhisher	Browse
	https://employment-hr.com/66ccd2230405d/5b8cbe0b82e29621df5c72296fc0599da0566b48/	Get hash	malicious	Unknown	Browse
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse
	http://journalscene.secondstreetapp.com/api/organization_user_email_verifications?token=npv0kjeneci&opid=1033948&lrt=rmsqe55tykx&bf=bc07ae1cf7bbffb3bcd5bc7a10f031b8&ip=207.144.57.39&redirect=https://unsus3.ru/oth/chameleon/#tbianetskaya@pierceatwood.com	Get hash	malicious	Unknown	Browse
	Vertexgroup#Signature.pdf	Get hash	malicious	Unknown	Browse
	http://pixelmeldit.ru/RMQf	Get hash	malicious	HTMLPhisher	Browse
23.44.133.57	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Babadeda	Browse
	file.exe	Get hash	malicious	Babadeda	Browse
	FAX_202405_136088.xhtml	Get hash	malicious	Unknown	Browse
	Payment Confirmation#U007e#U007e6985.rtf	Get hash	malicious	HTMLPhisher	Browse
13.107.246.60	https://protect-us.mimecast.com/s/wFHoCqxrAnt7V914iZaD1v	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
13.107.246.60	http://wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5	Get hash	malicious	Unknown	Browse	wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	http://stream.crichd.vip/update/sscricket.php	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
s-part-0032.t-0009.t-msedge.net	RFQ No. 109078906.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://www.dropbox.com/scl/fi/divczsjhc8wrt1wb18r2b/AT-Society-Directory.docx?rlkey=sjkzm3g8jkcekmsxm460sja78&st=r52leq64&dl=0	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	13.107.246.60
	https://support.microsoft.com/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://secure-validation.tiiny.site/#info@magmutual.com	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	ocedures.msg	Get hash	malicious	Unknown	Browse	104.17.25.14
	Smeg SignRequest.pdf	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	Murexltd Mail Security Update Required For gjohnson@murexltd.com.msg	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	PO_111234242 6553432.exe	Get hash	malicious	Xeno Stealer	Browse	104.26.13.205
	RFQ-MR-24-09101 .xls	Get hash	malicious	Unknown	Browse	162.159.134.233
	https://downloads-global.3cx.com/downloads/3CXPhoneSystem18.exe	Get hash	malicious	Unknown	Browse	104.18.35.19
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	172.67.202.66
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	172.67.202.66
AKAMAI-ASN1EU	Vertexgroup#Signature.pdf	Get hash	malicious	Unknown	Browse	2.16.238.136
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.42
	https://www.dropbox.com/scl/fi/divczsjhc8wrt1wb18r2b/AT-Society-Directory.docx?rlkey=sjkzm3g8jkcekmsxm460sja78&st=r52leq64&dl=0	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	2.16.164.19
	https://support.microsoft.com/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	Get hash	malicious	HTMLPhisher	Browse	88.221.110.179
	file.exe	Get hash	malicious	Unknown	Browse	23.54.161.105
	https://u9qjc.tarihitasci.net/lawfirm/TUxPRG9jc0BsYmN1Lm9yZw==	Get hash	malicious	Unknown	Browse	172.232.31.180
	file.exe	Get hash	malicious	Unknown	Browse	23.55.235.170
	https://wavebrowser.co/	Get hash	malicious	Unknown	Browse	104.96.220.107
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.42
	virus total.pdf	Get hash	malicious	HTMLPhisher	Browse	2.16.164.19
CLOUDFLARENETUS	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	ocedures.msg	Get hash	malicious	Unknown	Browse	104.17.25.14
	Smeg SignRequest.pdf	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	Murexltd Mail Security Update Required For gjohnson@murexltd.com.msg	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	PO_111234242 6553432.exe	Get hash	malicious	Xeno Stealer	Browse	104.26.13.205
	RFQ-MR-24-09101 .xls	Get hash	malicious	Unknown	Browse	162.159.134.233
	https://downloads-global.3cx.com/downloads/3CXPhoneSystem18.exe	Get hash	malicious	Unknown	Browse	104.18.35.19
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	172.67.202.66
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	172.67.202.66
MICROSOFT-CORP-MSN-AS-BLOCKUS	ocedures.msg	Get hash	malicious	Unknown	Browse	52.109.76.240
	RFQ No. 109078906.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.60
	Murexltd Mail Security Update Required For gjohnson@murexltd.com.msg	Get hash	malicious	HTMLPhisher	Browse	20.44.10.122
	Vertexgroup#Signature.pdf	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://files.fm/u/vtrxvgdh6w	Get hash	malicious	GuLoader	Browse	13.107.42.14
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	52.123.243.146
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	original (3).eml	Get hash	malicious	Unknown	Browse	52.109.76.243
	https://www.dropbox.com/scl/fi/divczsjhc8wrt1wb18r2b/AT-Society-Directory.docx?rlkey=sjkzm3g8jkcekmsxm460sja78&st=r52leq64&dl=0	Get hash	malicious	HTMLPhisher, ReCaptcha Phish	Browse	40.126.28.21
	http://hcmexelatech.com	Get hash	malicious	Unknown	Browse	150.171.23.12

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://employment-hr.com/66ccd2230405d/5b8cbe0b82e29621df5c72296fc0599da0566b48/	Get hash	malicious	Unknown	Browse	52.137.106.217 40.126.32.76 13.85.23.86 51.124.78.146 40.68.123.157 184.28.90.27
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	52.137.106.217 40.126.32.76 13.85.23.86 51.124.78.146 40.68.123.157 184.28.90.27
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	52.137.106.217 40.126.32.76 13.85.23.86 51.124.78.146 40.68.123.157 184.28.90.27
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	52.137.106.217 40.126.32.76 13.85.23.86 51.124.78.146 40.68.123.157 184.28.90.27
	http://journalscene.secondstreetapp.com/api/organization_user_email_verifications?token=npv0kjeneci&opid=1033948&lrt=rmsqe55tykx&bf=bc07ae1cf7bbffb3bcd5bc7a10f031b8&ip=207.144.57.39&redirect=https://unsus3.ru/oth/chameleon/#tbianetskaya@pierceatwood.com	Get hash	malicious	Unknown	Browse	52.137.106.217 40.126.32.76 13.85.23.86 51.124.78.146 40.68.123.157 184.28.90.27
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFgXXvv2-2BWxavJhSFh1X9YeE09JxYfGZOrfNXpE1b1zMSec6V_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZNvtRLmuq9nwTUBLvlyUQLSTjA0dDcTtmNJHz5AQBzdlGtncKRz08-2BYDBtkpKhh0KX17i2fmd5it7ecx-2FWvhsbD-2BwYBTTPKQ3j-2FAyMvTur79Dsx-2FPO7GwMrKARE8VWDjAjvStKY75qeeBLXHuDipEV3KKO3k4ABqkQG2RlytfHIDieNQv9UnoJapwQuVaik0jLuTXarvnnfl3sa3LYFT4h4hVVagLZJwfqoXYBXcReN-2F1X4eM9FZF-2BvVOXIZ-2BqDy2Q-3D	Get hash	malicious	HTMLPhisher	Browse	52.137.106.217 40.126.32.76 13.85.23.86 51.124.78.146 40.68.123.157 184.28.90.27
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	52.137.106.217 40.126.32.76 13.85.23.86 51.124.78.146 40.68.123.157 184.28.90.27
	http://journalscene.secondstreetapp.com/api/organization_user_email_verifications?token=npv0kjeneci&opid=1033948&lrt=rmsqe55tykx&bf=bc07ae1cf7bbffb3bcd5bc7a10f031b8&ip=207.144.57.39&redirect=https://unsus3.ru/oth/chameleon/#mloomans@securustech.net	Get hash	malicious	HTMLPhisher	Browse	52.137.106.217 40.126.32.76 13.85.23.86 51.124.78.146 40.68.123.157 184.28.90.27
	Gov Annual Salary + Employer - Provided Benefits.pdf	Get hash	malicious	Phisher	Browse	52.137.106.217 40.126.32.76 13.85.23.86 51.124.78.146 40.68.123.157 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	52.137.106.217 40.126.32.76 13.85.23.86 51.124.78.146 40.68.123.157 184.28.90.27

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70248
Entropy (8bit):	6.072609394216475
Encrypted:	false
SSDEEP:	1536:LMSzvKYqstxAAMjw6q6/UFrTvk+qD1PMPQRacI+Q8d:LMS2dKKAMhar7cYQ07+Q8d
MD5:	05674ECD2995B48116299A8E414B7303
SHA1:	F23AAF70B7182B585DAA5F5D48C4CA100435FC82
SHA-256:	F6A4FC8726F22C6E0AA335183E5CAC0871A389946C2C9C520F88F02E8AAD645A
SHA-512:	7ED975D0E5E16201212433E387A5B2AF4EC924F2B17860D6E080F293EEE9F51DA37D1A1AECC9537D2DE35B369F5CF6E9ED85B76E563B9E65FDC1163F41A46013
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\430dfcb9-cf19-4e76-b1ab-75fa27c079d3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.585701231576191
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afEQYxra0ckHB+ldrxwKVvBuY3/9R5SaJkXzycHSwlRoqB0:Xq8NkC1fEJxrL3BWVVvkA5bJkjyc3rq
MD5:	B503F77A002081B366EBD97B8CD2FD51
SHA1:	E2E79BD377F10DB5D100005C3CB6B854EED6537A
SHA-256:	ACDACEC4FDDD7C8178D309800C36CADD13920E30AFD92D054CD4303EF810A521
SHA-512:	87BC297F3DA6B4C87CA24495CE4644D2A5EAF8B0FC9898F8320932FED532F60ED2B84D2008360D84D4848190B5601C686C449B4E67BD8C52FCF20F28516F0609
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"policy":{"last_statistics_update":"13369249166833161"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\46666afe-26d7-4aa1-93e9-67eeedd6a750.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\54321731-e14e-481e-86fd-9faf279b4386.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70209
Entropy (8bit):	6.072531358240263
Encrypted:	false
SSDEEP:	1536:LMSzvKYqstwAAMjw6q6/UFrTvk+qD1PMPQRacI+Q8d:LMS2dKFAMhar7cYQ07+Q8d
MD5:	2EE7D84A87808BF666014624C7F53CB6
SHA1:	B88EA6D770AB5CA049DD74547D082052485FF967
SHA-256:	80D164CC68CF6A6E321366EEA8C2470A787241A41C7AD22EBA03F052382CA3DE
SHA-512:	F55181D95C71CFA12EA8BBD21BF1AF72146DCBF26BE51ADC7A7768738D07FD0A0E752E391A45C360E93F85787D5574D6EF856B8D321AFB6F62FA8B095D70672D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640139867263744
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7D:fwUQC5VwBIiElEd2K57P7D
MD5:	515BFDD0A8E03F491ED66894DAC7434B
SHA1:	00534E56EA194556D8E48772D2463BB291B567AC
SHA-256:	C76D8691C06568DE0108BAD3E4C5596E5B6DB4AF6864E0C4B57F3EE2C909FA18
SHA-512:	649D4F9FF7446C1DB4B16F6A4C9BEBF0A92A9E266898D653A11CBC44FCCDE8472D91758A624AA5D5A1B306DFA793E5F72370ED70514CB25312B76ACD605EA652
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\c8881dda-bd4b-4ca5-806f-3152e23da470.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640139867263744
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7D:fwUQC5VwBIiElEd2K57P7D
MD5:	515BFDD0A8E03F491ED66894DAC7434B
SHA1:	00534E56EA194556D8E48772D2463BB291B567AC
SHA-256:	C76D8691C06568DE0108BAD3E4C5596E5B6DB4AF6864E0C4B57F3EE2C909FA18
SHA-512:	649D4F9FF7446C1DB4B16F6A4C9BEBF0A92A9E266898D653A11CBC44FCCDE8472D91758A624AA5D5A1B306DFA793E5F72370ED70514CB25312B76ACD605EA652
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CDFC8E-1B28.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0404999906403632
Encrypted:	false
SSDEEP:	192:yaUjLYiVWK+ggCdlhJtD+FX9X5CokgV8vYhXxNEq4bcRQM9TmRDLn8y08Tcm2RGY:PUjjlVqj5nhBCQ0RDL08T2RGOD
MD5:	354B417F8FE8705C57DD72C765D22DF4
SHA1:	A6A114A27F41CEE4551A36DB2E5319A668FE5191
SHA-256:	3F00BDB5AB43A294A14945029619C17AD196C9AB8A8A2BB0A8DADBFD69C72DEC
SHA-512:	ACC27986B65E7BEA192DA74EC8C641D9651F8A54CAF8A23DBF3AE63CFEAA8F5A904B66AE38B7210261BE638B43535F9C1B8C90C336DED8DC54F5F960976F007E
Malicious:	false
Preview:	...@..@...@.....C.].....@................a...P..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".aaivmm20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@............+.....................$}.CG....L.T.w..Ucw.}....u.$r....9...>.........."....."...2..."..:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....v....M@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z.......................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CDFC8F-12C8.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.45044125855879735
Encrypted:	false
SSDEEP:	3072:XYGZosIyXlKB+gbyeIEMSgawCL8XfMISV2gGm6g1HFMO6GuU2hYJ63qRFYSfyNaF:gs1lGGm6aHGSGW4LdaHKUoSE++36T
MD5:	98DAB57DA9E298879CB6D00F4882281E
SHA1:	FA9FA1BE2082C34191AF44619214A841A7343F47
SHA-256:	D6ED319ADEC8138B196F64CB9E9BBAEE3B1B2A17296C8311C4175ECFFE0BEEC1
SHA-512:	A4C39B095B348A8A24F7B4C5E7600B890E497F71CC59E55D32E9126120F27243855511E7EC8C922E26F927BEF2CB8DD93BB2E0529136A740F87664E389196493
Malicious:	false
Preview:	...@..@...@.....C.].....@................=.. =..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452....x86_64..?.......".aaivmm20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J....s..^o..J...W..^o..J..,jp..^o..J.......^o..J../T...^o..J...X.p.^o..J.....p.^o..J...c...^o..J...Y...^o..J.......^o..J..w....^o..J...G.Y.^o..J..A....^o..J....c..^o..J...c=..^o..J....J..^o..J...h8..^o..J..3.(..^o..J.......^o..J..!n...^o..J...S@".^o..J.......^o..J.......^o..J...j.8.^o..J..@....^o..J.......^o..J...b.J.^o..J..G....^o..J..8...^o..J...#...^o..J....k..^o..J..S..O.^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.181834402164097
Encrypted:	false
SSDEEP:	3:FiWWltlZttHvm3ViHSRqOFhJXI2EyBl+BVP/Sh/JzvhzL5iLGXUXsltl:o1OViyRqsx+BVsJDhn53XOslX
MD5:	63EEE59DFE70F4541E37222853496A8F
SHA1:	EFCC5929DD98458F113D42530740E39C135D23AD
SHA-256:	CE34D6248EEBD2120F4D5E2993B8A18BAB34A0D185B89306508175A943875768
SHA-512:	3EF0274D742CB3B8A3A7C8B4E4573D41A426DAF30967CFEBEDF2DE53ABCFE60FEE586DACFC30E6821DCDC8D33E868BE10B6377119734DFE5FA4E0E610F38BADC
Malicious:	false
Preview:	sdPC......................J....C.@....."1SCRpGKHAwpF5kOwXUUSc/ojBrTkNG2SgkvqW1WE7kI="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................cc46cfaa-38e9-45af-b583-06ec046cf97f............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\007bdf9d-32d5-46dc-8026-ea04ef039bdc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\1325f8b3-d282-4d45-b7d7-24c3a08e034e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.973831156050774
Encrypted:	false
SSDEEP:	96:stxqfLis10b9/PvbQN8zCs85eh6Cb7/x+6MhmuecmAeMAq+2M4/EJ:stxds+MNkCs88bV+FiAv+P4MJ
MD5:	D6D9EDFC0C14FE9A45DB5DA1F0D3EADB
SHA1:	2A1440EE2AD4253C2D8551A46422961A8D54DA8F
SHA-256:	DEB4CD1E7DB9FD2F02C96ADD46D9E544F8E9139729350B0BA1BB8D1019F423E2
SHA-512:	44E10705EF0D84F4BDA4E39A12F82528FFF996AD4419C1CDEABC540DCAA16AA6F933C75B16DBAC44BEF5C9214BCA19771D22DE1A1030313C0A9730EB4CA4B54E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369249168705142","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369249168701613"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\275430f7-1f81-4309-a71e-8bd29de34161.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24800
Entropy (8bit):	5.566287420740072
Encrypted:	false
SSDEEP:	768:vbbg29WPukfj38F1+UoAYDCx9Tuqh0VfUC9xbog/OVm3kb8rwlEqpGtuY4:vbbg29WPukfj3u1janUb1lctH4
MD5:	5F7985B93F3C9EAA3A2B64CCE7CDC0ED
SHA1:	D9891D8BE81A210D03D5EA2C09B8DCC51D46691F
SHA-256:	01B000EEEE7ADA4258CCF72FD8B02FA576478E41FD962FDA36937361AD6EAEE6
SHA-512:	E7A6F2BE3FAE3985721E815847539215ED32F6636882002B7E7137C591904218730A198B24156306AA6BF8A0230885263D088DB9A5C4B9646172AE922BEAECB1
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369249167564169","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369249167564169","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\477983c4-6fec-4d81-8488-247c11ba8ed4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6432
Entropy (8bit):	4.98162084825108
Encrypted:	false
SSDEEP:	96:stxqfLis10b9/PvbQN8zCs85eh6Cb7/x+6MhmuecmAeMJQ3+2M4/EJ:stxds+MNkCs88bV+FiAq+P4MJ
MD5:	FC885A556A9AE0BAD16F6AAD8E76E754
SHA1:	4A0249619589654F7B436DF39E05196F10199EBE
SHA-256:	E04CA60D2523F6C0200170E54423F248824A8FE5F040EA5F21C50632D0634FB7
SHA-512:	A219940C50C7E6ECEF286B4730AAD53BBFE51A6D55674D95EFDBA726D9540FD47640384230EA04CFAF5884A2E61F7B0E15690AADE43C192CF615DEF8CF6E630C
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369249168705142","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369249168701613"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\47f826ca-7d4f-48a1-9c26-109b6adc4f1b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566697704553282
Encrypted:	false
SSDEEP:	768:vbbg29WPukfI38F1+UoAYDCx9Tuqh0VfUC9xbog/OVm3kb8rwlEKxpGtu5:vbbg29WPukfI3u1janUb1lHOti
MD5:	D0C11F6B24FE0D283A56DD84F9CE85E2
SHA1:	5828E1E16A15FDA820B4568E39789853601722ED
SHA-256:	1F0280B97A53B7F51DE400A720A14020DC1D4B480536467A4B946CA1AEA6CC61
SHA-512:	F9C4DD65A326846D73DB618E7B29A483D34BBC85AD38D9D48F38B7594C8198971208435FDFB980AFA4A09E9CDFE608C6240D3BF4F0B4CCA3CC0B8E4C7006B420
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369249167564169","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369249167564169","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\5055eadf-8703-4466-a20a-5a6b1ce1cfa7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\8e6b487f-0fe4-4416-844d-42bcd6c3189f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6534
Entropy (8bit):	4.983886193518038
Encrypted:	false
SSDEEP:	96:stxqfLis10b9/PvbQN8zCs85eh6Cb7/x+6MhmuecmAeMBQ3+2M4/EJ:stxds+MNkCs88bV+FiA6+P4MJ
MD5:	CA6BA65A53057062E89A0A6C2D20C2A7
SHA1:	7CF6DCA9E4E3939BB64B2CDCBC9BA553148CC680
SHA-256:	C09EB7A08D1413A33E80036C3EFCEA38F55E447AB14966961CD53A2284B9E7FF
SHA-512:	BB087745DE4AC212EEFCDA8C9E3457A28EDB41F5D7FFD50E0262129C8783270BE8D0F0CB6653D1A5B606469558AA56DAC83295AD376660AEA4760DEDA74A5258
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369249168705142","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369249168701613"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	12600
Entropy (8bit):	5.320745351821168
Encrypted:	false
SSDEEP:	192:6AOEH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNdl:tOEOKSXs/J7mGnQmLu5/5eNdl
MD5:	01AD0330A67B0EE84E546ADF14154EE3
SHA1:	971FE13780FEA8C8FDDA7469009B7F4F79D0624B
SHA-256:	B4EC7A51451B466336ADB43E664BE5CED12AA0A1CC0BFE9A91FE969F4F64339E
SHA-512:	5C4A86361A5A95AE5168F75C7E1F847FB4E2246BA28F2E066BCBA85B5AF293E84D08D43A3FE075EFF0FC0D9E867591FACB6176B3FCF2705C9146788AED26B355
Malicious:	false
Preview:	...m.................DB_VERSION.1..I(.................QUERY_TIMESTAMP:arbitration_priority_list4...13369249173842010.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}]..A./..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivilegedExperienceID",.. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",.. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",.. "SHOPPING_AUTO_SHOW_BING_SEARCH",.. "SHOPPING_AUTO_SHOW_REBATES",.. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",.. "SHOPPING_AUTO_SHOW_REBATES_DEACTIVATED",.. "SHOPPING_AUTO_SHOW_REBATES_BING",.. "SHOPPING_AUTO_SHOW_REBATES_ORGANIC",.. "SHOPPING_AUTO_SHOW_PRICE_HIST

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.135170543900327
Encrypted:	false
SSDEEP:	6:N7Om81cNwi23oH+TcwtOEh1ZB2KLlL7OI8t+q2PcNwi23oH+TcwtOEh1tIFUv:N7O5ZYebOEh1ZFL17O/ovLZYebOEh16g
MD5:	223F53EBABE6485A4D1A143506693E2C
SHA1:	0C2D0D7525D0D81BD4EEFAD619ED41779006DDD3
SHA-256:	1C15E1E954C61589AE29D2E5BDDA32FF18F391FF3511ABE4F5E697C3BC00C5DA
SHA-512:	4006C41405EE1FE3F950447C52BDB0BFCFA37CA3D8617E23C372F455D8FFD0ADE903235887B532750041BD18535A70564DAAA2433AFE9514BC4C9325D208741E
Malicious:	false
Preview:	2024/08/27-12:19:33.039 2048 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db since it was missing..2024/08/27-12:19:33.138 2048 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.044150444453720225
Encrypted:	false
SSDEEP:	6:/Fii2rmkM/lPovGunav0PtpzSRll+ME3swM/lCt:dkTEPovGoaMlpzw/+MuEC
MD5:	ABA5E92FE7B833E8FF1E55CD18625E06
SHA1:	6E7D348A0BC6B6DC0E190D07975864EE551BB9E3
SHA-256:	42E6E1A0C630C0F8D11ED25A629EC12F55D9829D49D68BFB03BD6C6F5EDC37BA
SHA-512:	92AF9ABD6778FEE919BAB821AA85473B6E507D0EAE9C295D59DA53286105E6CD644519A0E236E47481AE74FC86F61E08D80D604CCC20CEBAC9C62F09115D58AF
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.09579591409533872
Encrypted:	false
SSDEEP:	48:RVV4XeskDeV4A3es3NUeGAAsMT3lWp4Z/:RVV4X3/V4A333NLGAAV3LF
MD5:	93C7D6718A450B08A56C7E6F5F822658
SHA1:	70F57921D2085DE2F76AF2A0D820C152428F0F89
SHA-256:	F8C67AB2AD72E3801D795BAAC95FEEA5694F27B056E53F5F441A15BF8BA72BC7
SHA-512:	D12E5ADC47242E92D3644CE69364239D3AAAD66161A1CF8FAE353EB4CAB643A9179CAEF426D2E4FD73F4A587858DD5B5EB27F65A7EFF3C57514F220B14C4FF88
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.283404424816883
Encrypted:	false
SSDEEP:	384:91PJtMf1PJtMb7Jtbr7JtbxXzJtpdksTR:91PJt81PJtu7Jt37JtRJt
MD5:	B8282D3F06ED0C6CDE1D2C75815D7A0E
SHA1:	810AD97D6D65DD3E2F812524A9DF051083DBF390
SHA-256:	F3CEA5FD37383C66FBD4A0CBD426356A8A30F01AF812EAD01EAA7679C0890EF1
SHA-512:	9E182A9BB8602EDD6CBB89BB8F2F3FD03D73998E8117078E039356841E64572C5E6719125497CFC0602220C833F2A64F7555EF2EC6147592980CEA9E3642E066
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Fri Aug 2 18:10:34 2024, max compression, original size modulo 2^32 374872
Category:	dropped
Size (bytes):	70207
Entropy (8bit):	7.995911906073242
Encrypted:	true
SSDEEP:	1536:VzseWV/dT2G9zm5w0vgxQUFm6SM6ZYRuB61K+aK+POIwPru:VoNQGIwvs6S9+I6RWPOIwTu
MD5:	9F5A7E038BF08B13BD15338EC7BD4E16
SHA1:	AB69D28EEA9AE289BB86159C341910538CDDE5B9
SHA-256:	BA0BCBBF170ADB0B5119D19D56C2D004579507DFC4A9215BCCC8663C8A486AF8
SHA-512:	48557ECD56DFD2157304FE752E15E44314667EFC79E6C21312723251E4E1F1BF5BE0A76F88F4B4D83FADB9D81BFB1835B1C0E5CFA7B07214A605F58064BB94B1
Malicious:	false
Preview:	.....!.f..asset.....6.0.W..3....[........9m;.....IH.E...j...}.....PR..w.gg.....@.P...?...x....?./.%..Q...x....}..9..e..f.8..Yb@g...i..$...I.......<....k...{..{.Qg..k..q.....i.Y}..._......\?....5 .5 .`..._i'@....H'.f!...x`...f......v.._1w.u.<.........5.:..^.Ua....H6...x....D:.R..L..2.,.s.f.......FE'..%{]-;+.`....N...=\|.:q...9N.k..i.I.8E.i.I.s..Y...8..fe'...Xo...Xo...#.r$N.u2.o.]....^,.k....{E."......Q.N...AY..u.^o.............Z..ce.irN.{.O$.C.......HJ.HJ..J..hOgA.5.nW.\........}E.%-.A."a<..~.[O....~.......xX.G?Y.3O8d8I...&X....V4...0=.iS....].D.L@.YiS...<.W..W+..#mj...p..8^.\U;oV;W`..^..V...G..SC.9.....i%@g.iS=..`..#.H.p.q..E.q...)....).X..M.X.%.,i.%..V..6.nk.@1S@-..Y.6....K.n....:c.My.....h...9..q...f't.iS.v..6D7...d't.iS.v..F.....faG.t.f....lR.J@!l.0O..T.....T2...\.n..-....L..ES.9.:...B..P1@...P.l.fX.aV..Y6.B5......Mt..SS,l..+..J...).i.6......8...:.Z...2.H.8..Z.>.5.Oi..N`:..6.i.n.h.l.e.h.T\.lr...TE+m.T..).D..F..+.6....J...x.`..`.m..H..i....p...v

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulOJp:LszJ
MD5:	B804F88BB9935BE7E0DA477BDD9CC792
SHA1:	E8A68AF33D24458C160B09372A8E02B5C304E4AC
SHA-256:	10467EB2083FB2B2D1621F053BC752C196EDAC894506F29940395A4FC02DE791
SHA-512:	80D17EEB013D04A1044067F0A8BEE239D70C871F18DFAEE2DBFC29F3088B46487413E1C7F6742E583FACCB75676DE553FD0332FD96F85F29F64836C00F38934C
Malicious:	false
Preview:	.........................................,..B./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:NsJMKPyEYJ:+JMKP9E
MD5:	80F8B27EE0D96ABFCFF2B2E4C1B86A50
SHA1:	319AC1506A8E18F27CD838C74C3E0D52B80234A1
SHA-256:	3F25C5535EA73DA5A141A2C42AA19D4B3FE37750BBA4B5C84E5BB50F77C3B74A
SHA-512:	09261198C1D06CB47308556BC492D082871E8B0A1ED1902011514DA7BC4DE02DF332A2B0AC9C0CEF3FA4D1E6CFF6245F4E7F3CE43D817451181C4DB8C535459D
Malicious:	false
Preview:	(....Il.oy retne............................B./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:NsJMKPyEYJ:+JMKP9E
MD5:	80F8B27EE0D96ABFCFF2B2E4C1B86A50
SHA1:	319AC1506A8E18F27CD838C74C3E0D52B80234A1
SHA-256:	3F25C5535EA73DA5A141A2C42AA19D4B3FE37750BBA4B5C84E5BB50F77C3B74A
SHA-512:	09261198C1D06CB47308556BC492D082871E8B0A1ED1902011514DA7BC4DE02DF332A2B0AC9C0CEF3FA4D1E6CFF6245F4E7F3CE43D817451181C4DB8C535459D
Malicious:	false
Preview:	(....Il.oy retne............................B./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:6mbu00Ehm0GnaKln:6Ihm/a+
MD5:	BB521B093A9985FD1A3F6A36F169E423
SHA1:	77A076A36C38009208327E6CE38E0EF1C309B962
SHA-256:	6544CC38BE1222D6CB7AB818B6E2B2B5BD49268E35DF5116B8CE649DDC8CDAE1
SHA-512:	30A53ADAAE0FB2D8E17266D2FCDB2C793F2FA08FEFFAC8E8456674EDB34FCCDC4BE80DC016E5449030B493DFBB9E21BF74546D4723E8AB5CD872809EEB5F2A10
Malicious:	false
Preview:	(......oy retne........................}C..B./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:6mbu00Ehm0GnaKln:6Ihm/a+
MD5:	BB521B093A9985FD1A3F6A36F169E423
SHA1:	77A076A36C38009208327E6CE38E0EF1C309B962
SHA-256:	6544CC38BE1222D6CB7AB818B6E2B2B5BD49268E35DF5116B8CE649DDC8CDAE1
SHA-512:	30A53ADAAE0FB2D8E17266D2FCDB2C793F2FA08FEFFAC8E8456674EDB34FCCDC4BE80DC016E5449030B493DFBB9E21BF74546D4723E8AB5CD872809EEB5F2A10
Malicious:	false
Preview:	(......oy retne........................}C..B./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlRna+:Ls3BT
MD5:	17DD37F992954B0DD6546BE4935E5281
SHA1:	6ADC6E29210D8415EB9875BD7EFAA749A3E46123
SHA-256:	15894AE16F4CA410D66E713144C433A0EFDD13C31619E18C69169239676D60FF
SHA-512:	93C2199DE3EC04F6EA9EF81283ADAFB7173B1AAD8FB924AA4C4F54C39594D6AD49DF48415C6B14FECA1D74223548BB3DEEF5ECEC6821FB73434E3D639F6FAAD2
Malicious:	false
Preview:	...........................................B./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.354111132956504
Encrypted:	false
SSDEEP:	6144:jA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:jFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	7EDEF0ACA2BBD50EB8431D0AD050B175
SHA1:	513DD4BEE92600501ED2CD2C9CEC1293AE8D59BA
SHA-256:	0979A4874BFB5CA7A489B8E57941BFE2BE4A38B782820601328224E73F495444
SHA-512:	02F9A6FB3CD57D240D628431D2565E2F1CFEA3EF203FA7A400C8F6EB2B863707BEC5E6E1A857AF265BAD61AA0E3B662B9057B48E462DECFEBAA6507BA6B0D29C
Malicious:	false
Preview:	...m.................DB_VERSION.1J/..q...............&QUERY_TIMESTAMP:domains_config_gz2...13369249173798720..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.200448553240166
Encrypted:	false
SSDEEP:	6:N7ObVFmR1cNwi23oH+Tcwtj2WwnvB2KLlL7OUU1L+q2PcNwi23oH+Tcwtj2Wwnvh:N7ObVF8ZYebjxwnvFL17OUuyvLZYebj8
MD5:	416B2BEACB0575FB5153E294F00901E3
SHA1:	BADFFEE44D659E6A2C9800CF85CD38BADEB71F9B
SHA-256:	61CC50DC203D6A728F1EBF6FD590B456CA77F6556CC64AF9B15E7DCAD970AB94
SHA-512:	975653C067842D54D092CDB88AEF2D269E45F13B0FBB2E7C00E0EBF02BCBB4346FA437B9FBD88B1AE1FF3CCEE8130317AA6B4528FFF642E880E3C25102EF6723
Malicious:	false
Preview:	2024/08/27-12:19:33.000 2058 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db since it was missing..2024/08/27-12:19:33.018 2058 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358859
Entropy (8bit):	5.324618337298151
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6RS:C1gAg1zfva
MD5:	F21161988240434A47AFFF696CDAEC44
SHA1:	258ED083E8E5810D26168C21368A17C4EC1342C5
SHA-256:	C80CC0C0CBE43182FBE4809CD8733AA0FAD6B838A7CE21F83960CB77A522B2F9
SHA-512:	A4B9930404D97DFF68D504A6EA3BD1EA68D61ED8441C3457F672B1C949D858243F073B15D538B59F68CF4E4ADE89EA7FE2D9C07F949D62A0B1F756386326BB52
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.187144765317721
Encrypted:	false
SSDEEP:	6:N7OFjF/ms1cNwi23oH+TcwttaVdg2KLlL7OFbFOq2PcNwi23oH+TcwttaPrqIFUv:N7OF5uWZYebDL17OFpOvLZYeb83FUv
MD5:	80A880EE0FAB043C0813ABAE5DB83511
SHA1:	68AE06F998A137AF6FCF27D55482660E47A62581
SHA-256:	B3311243089C058B2705D9C334667DC350664B692EAE9F895DC7316C0C91988B
SHA-512:	D5D7896FFE03F1D85298A63B0D25E0411929FB1D479EC5B1C71ACAF2E8B95D6B149C63E68CD88F1FE57D214BA87639120C566440BBE1442FF81A994A04B278DC
Malicious:	false
Preview:	2024/08/27-12:19:27.612 820 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules since it was missing..2024/08/27-12:19:27.630 820 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	303
Entropy (8bit):	5.180920293784727
Encrypted:	false
SSDEEP:	6:N7OFZYs1cNwi23oH+Tcwtt6FB2KLlL7OFFIq2PcNwi23oH+Tcwtt65IFUv:N7OFZYWZYeb8FFL17OFFIvLZYeb8WFUv
MD5:	AA8B7ECEB8934CF00E570D63C0E8F62F
SHA1:	2C69170687E6F3A84CBB4D8A08D0E33110198457
SHA-256:	162D8955F9FE78FA15D1051C41AD9D61EAE1BF522544F4C363AA6F49D8B017CC
SHA-512:	700F353576CA07A6CD3036D1281337841413EAAA5955D2CA0AA977010F4FE7EB0E1314C7D99BB8EDFAD1ED5DCA1AC9CC446EF66D48E03BA73FBF5931A93E2272
Malicious:	false
Preview:	2024/08/27-12:19:27.632 820 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts since it was missing..2024/08/27-12:19:27.661 820 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.173959052586597
Encrypted:	false
SSDEEP:	6:N7OF6h1cNwi23oH+TcwttYg2KLlL7OFQFCQ+q2PcNwi23oH+TcwttNIFUv:N7OFkZYebJL17OFQFCQ+vLZYeb0FUv
MD5:	EA81A0BD6B424716C9CD17AFAE9AB9AC
SHA1:	E85672B9AC8BD058302209107396CF288570FAB4
SHA-256:	FCA9127465783626FB8846D4424A36BAEF8A7CF9DDD16F2E01A7B636E2165468
SHA-512:	9805671B3F6C69E043F994846F5D943B13884DD94E1EBDED534F3ACC0E830ECA129720F3E2A6F93F4847927B43B78CC554B9ADF96C6803B749E6A02C439F7525
Malicious:	false
Preview:	2024/08/27-12:19:29.123 19cc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State since it was missing..2024/08/27-12:19:29.363 19cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNloa+l:Ls3oa
MD5:	00825EDE817958EDC14A00273F2424BE
SHA1:	24C856BD0C53D8D61D197DB9E9DB9EAFB74E47E1
SHA-256:	FCA7258F834157A455AB86D14FCCA0FF85CE52170B030A4F5E9E84AE7959051C
SHA-512:	61360EC492C90FE2060FAB82A7AB4D2A8BB97D3B27323B0A1739BEF524AFD1F6E158FC48CEA83F91E9904854CD0C279DDEC68DD4DE5A58991131F618F246E948
Malicious:	false
Preview:	........................................)..B./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.2191763562065486
Encrypted:	false
SSDEEP:	3:SlDntFlljq7A/mhWJFuQ3yy7IOWUzL/dweytllrE9SFcTp4AGbNCV9RUI+u:175fO1L/d0Xi99pEYP
MD5:	63583CA0E61E885B15D03174002A9231
SHA1:	F68C0E578343D927E061FFC7E207FAAF7DB0B401
SHA-256:	6E9C20ADF08D80FFA212FE4F2999BE48BBA1351ADE0AC13DE2A940C8D2F85B40
SHA-512:	B110AA836A4CBC7CA3A14A22A3089950929ADAB7D5EB70C371085FD056BA2F262787DF90D44B8BDC1E7A54F9CF58E2DFCD30E6C23E275EC1E3EFE502A4B6ADB7
Malicious:	false
Preview:	............j.CK...&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	385
Entropy (8bit):	5.244442838574563
Encrypted:	false
SSDEEP:	12:N7O1ZYebRrcHEZrEkVL17O5d4vLZYebRrcHEZrELFUv:NCzYebRnZrEkVL1C/KlYebRnZrEx2
MD5:	74986432987CC8F8007A73C1E8D6BD20
SHA1:	CEDAE2429606F2436C6E5720FC6C1130F41A9B77
SHA-256:	D7F2CC33B83D098808208EB8BB2952FBF4EABDC48982A81A774A52818FBBF446
SHA-512:	84DC68323CD7AD924F8F67EC8B30DE334E8924A15BD84E60388888A1AC2C03D6DEB22364D412D48B955664B809840F06C4E1195E7C7C778E81BADE00B6EB86F1
Malicious:	false
Preview:	2024/08/27-12:19:30.133 1328 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/08/27-12:19:30.146 1328 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.210886937040698
Encrypted:	false
SSDEEP:	6:N7OFd5Fm3M1cNwi23oH+TcwtRa2jM8B2KLlL7OFd5Oq2PcNwi23oH+TcwtRa2jMY:N7OF/c32ZYebRjFL17OFmvLZYebREFUv
MD5:	EBF6883FA1FF4040F2379389A6F0D9EE
SHA1:	731524D7B148F0D917F7574287B3FC9CFFE1F853
SHA-256:	407577512A498AA3591664FDAA089E882AE4D59613556134275DB7F3F0A50276
SHA-512:	A52A6BC137D9A5D6FCE6CBAC0A216C4F7D4A8DEACB6FEFAC4A227F57F30D36C4044AA034A0A2375C205DC299BC27706733A5B637A119F3FAC733B7F4FB93E163
Malicious:	false
Preview:	2024/08/27-12:19:28.867 1194 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb since it was missing..2024/08/27-12:19:28.889 1194 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\04bc37a0-6459-41f0-9e67-617fbb923cc9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.902189221807403
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDHERW6JfYoR6oJbSpDkYMKWKWMS7PMVKJq0nMb1KKtiVY:YHpo03h6ubSpDd4MS7PMVKJTnMRK3VY
MD5:	176882E2C5301BB3929B39FF4DAB2E4E
SHA1:	B8B8E3C038708D56429C86D9F0FBB832EE6047F1
SHA-256:	2EB4EBEE3CEED5D175975BAED1834CBADC2C8CE1F416ABA18F73BAEC0B8A7C6C
SHA-512:	519A55DA583DA9E56B06BBAA50878C9D9A928F12F64C14AF471A600D24F660640AE0D66274291F8A20D217F545C447FBBF0638A864D822E606AEDCF481EB8CCA
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\5fffbbc6-ecaa-4946-8741-56d4625b06c6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\658421a6-0c2c-4069-b5be-c8aa7e9bbbc2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF315bb.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.7604778709309585
Encrypted:	false
SSDEEP:	48:TaIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBk+i:uIEumQv8m1ccnvS6w
MD5:	BF0FD9EE5B1B1CB1CBCBA122DA66AD1A
SHA1:	5FBBABEA5E97F493FD7C010F65257AE7FE1F5247
SHA-256:	72BDD7C0C0B7B2290D30F0BDDF2E0C877C9A87EA7F4EA6A54EAD6D68794FCE72
SHA-512:	C4E84F2BC581DC35D262C334E1CA174213E6CF0022D8B55011170EAAA5B7866189A165441AD43D6426B904F52BF16679AA833607AE73C9EE2503C15851007330
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports~RF1f49c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\c35357f5-8ae9-4c46-983f-e7fafc40a785.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\d55f4716-c188-404d-8733-0eaef21eeae6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.973831156050774
Encrypted:	false
SSDEEP:	96:stxqfLis10b9/PvbQN8zCs85eh6Cb7/x+6MhmuecmAeMAq+2M4/EJ:stxds+MNkCs88bV+FiAv+P4MJ
MD5:	D6D9EDFC0C14FE9A45DB5DA1F0D3EADB
SHA1:	2A1440EE2AD4253C2D8551A46422961A8D54DA8F
SHA-256:	DEB4CD1E7DB9FD2F02C96ADD46D9E544F8E9139729350B0BA1BB8D1019F423E2
SHA-512:	44E10705EF0D84F4BDA4E39A12F82528FFF996AD4419C1CDEABC540DCAA16AA6F933C75B16DBAC44BEF5C9214BCA19771D22DE1A1030313C0A9730EB4CA4B54E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369249168705142","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369249168701613"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF284d6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.973831156050774
Encrypted:	false
SSDEEP:	96:stxqfLis10b9/PvbQN8zCs85eh6Cb7/x+6MhmuecmAeMAq+2M4/EJ:stxds+MNkCs88bV+FiAv+P4MJ
MD5:	D6D9EDFC0C14FE9A45DB5DA1F0D3EADB
SHA1:	2A1440EE2AD4253C2D8551A46422961A8D54DA8F
SHA-256:	DEB4CD1E7DB9FD2F02C96ADD46D9E544F8E9139729350B0BA1BB8D1019F423E2
SHA-512:	44E10705EF0D84F4BDA4E39A12F82528FFF996AD4419C1CDEABC540DCAA16AA6F933C75B16DBAC44BEF5C9214BCA19771D22DE1A1030313C0A9730EB4CA4B54E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369249168705142","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369249168701613"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF2f9f6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.973831156050774
Encrypted:	false
SSDEEP:	96:stxqfLis10b9/PvbQN8zCs85eh6Cb7/x+6MhmuecmAeMAq+2M4/EJ:stxds+MNkCs88bV+FiAv+P4MJ
MD5:	D6D9EDFC0C14FE9A45DB5DA1F0D3EADB
SHA1:	2A1440EE2AD4253C2D8551A46422961A8D54DA8F
SHA-256:	DEB4CD1E7DB9FD2F02C96ADD46D9E544F8E9139729350B0BA1BB8D1019F423E2
SHA-512:	44E10705EF0D84F4BDA4E39A12F82528FFF996AD4419C1CDEABC540DCAA16AA6F933C75B16DBAC44BEF5C9214BCA19771D22DE1A1030313C0A9730EB4CA4B54E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369249168705142","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369249168701613"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:	3:YVXADAEvTLSJ:Y9AcEvHSJ
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\README

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.2629097520179995
Encrypted:	false
SSDEEP:	3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
MD5:	643E00B0186AA80523F8A6BED550A925
SHA1:	EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
SHA-256:	A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
SHA-512:	D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
Malicious:	false
Preview:	Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566697704553282
Encrypted:	false
SSDEEP:	768:vbbg29WPukfI38F1+UoAYDCx9Tuqh0VfUC9xbog/OVm3kb8rwlEKxpGtu5:vbbg29WPukfI3u1janUb1lHOti
MD5:	D0C11F6B24FE0D283A56DD84F9CE85E2
SHA1:	5828E1E16A15FDA820B4568E39789853601722ED
SHA-256:	1F0280B97A53B7F51DE400A720A14020DC1D4B480536467A4B946CA1AEA6CC61
SHA-512:	F9C4DD65A326846D73DB618E7B29A483D34BBC85AD38D9D48F38B7594C8198971208435FDFB980AFA4A09E9CDFE608C6240D3BF4F0B4CCA3CC0B8E4C7006B420
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369249167564169","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369249167564169","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RF25440.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566697704553282
Encrypted:	false
SSDEEP:	768:vbbg29WPukfI38F1+UoAYDCx9Tuqh0VfUC9xbog/OVm3kb8rwlEKxpGtu5:vbbg29WPukfI3u1janUb1lHOti
MD5:	D0C11F6B24FE0D283A56DD84F9CE85E2
SHA1:	5828E1E16A15FDA820B4568E39789853601722ED
SHA-256:	1F0280B97A53B7F51DE400A720A14020DC1D4B480536467A4B946CA1AEA6CC61
SHA-512:	F9C4DD65A326846D73DB618E7B29A483D34BBC85AD38D9D48F38B7594C8198971208435FDFB980AFA4A09E9CDFE608C6240D3BF4F0B4CCA3CC0B8E4C7006B420
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369249167564169","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369249167564169","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.160877598186631
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljl:S85aEFljljljl
MD5:	7733303DBE19B64C38F3DE4FE224BE9A
SHA1:	8CA37B38028A2DB895A4570E0536859B3CC5C279
SHA-256:	B10C1BA416A632CD57232C81A5C2E8EE76A716E0737D10EABE1D430BEC50739D
SHA-512:	E8CD965BCA0480DB9808CB1B461AC5BF5935C3CBF31C10FDF090D406F4BC4F3187D717199DCF94197B8DF24C1D6E4FF07241D8CFFFD9AEE06CCE9674F0220E29
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.144755315761212
Encrypted:	false
SSDEEP:	6:N7ODRLOUA3M1cNwi23oH+TcwtSQM72KLlL7ODRLJFIq2PcNwi23oH+TcwtSQMxIg:N7ONLOUA32ZYeb0L17ONLkvLZYebrFUv
MD5:	88200B6F0D75AAA8544A3BD14AB7BF65
SHA1:	E45E1418C46036E9430F4457229F0F4CFD077E73
SHA-256:	CB86C2A454290EAA1B8F20DB9C6F9A49290F5680F26424F230FBBF92EFF3E550
SHA-512:	5502A8E1ECE882717A12D1785AEE6941D38FEE8148AB854DCADD73E90EA13F7B9A4C5A56D6F04A28880D9BD622DE5823D6B8571DA27514E8CBD1E81B47777420
Malicious:	false
Preview:	2024/08/27-12:19:44.906 1194 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage since it was missing..2024/08/27-12:19:44.997 1194 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.14548891778635
Encrypted:	false
SSDEEP:	6:N7OFGi1cNwi23oH+TcwtgUh2gr52KLlL7OFlTVQyq2PcNwi23oH+TcwtgUh2ghZh:N7OFZZYeb3hHJL17OFlTVVvLZYeb3hHl
MD5:	EF7FF913C2EDAD53BCBAD80B5A6703F6
SHA1:	10CF2984D3FFD878CEF2AFA7C4F89F35F6E73BE6
SHA-256:	8F93A03CF26036F300BF6D1BFD0379749D0689F840453EA6AE20B6CCB5701EF3
SHA-512:	6770800EA05B8512C5340228616CF85A45F5D875817C441CCA59D8F88CF4C5C64AAB0DE1E4828ADA632A1C3FC1BAC5652F32CF4247C0694B2E6B6F9E7BFD94CE
Malicious:	false
Preview:	2024/08/27-12:19:27.582 1630 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database since it was missing..2024/08/27-12:19:27.660 1630 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulovK/:Lse
MD5:	70B560172AD45D1333BB8A390D6E6F15
SHA1:	DE26521E0EFA182FFABEFCA0B65EFB7866B8C727
SHA-256:	D0B5B70E044FDD4DE549262A5EBFF600E038D4ABFC55673BDBC599A5BE831367
SHA-512:	869CECDD1F75650761BDA4A88EC5095E57E7FF019625BDAF65664D3856C9F41F72644A0BED500381F73922132384CBE9C74FBF0E6F07323BA6BAA18A23C3A5D8
Malicious:	false
Preview:	............................................B./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:RNc7yEYJwTn:I79JTn
MD5:	0CEC4BDD6099AA359AC31386E7E121F0
SHA1:	9B4317835D8260A45F94E629470E92B290397B56
SHA-256:	533CCBC56BC1450A92213D9B11C163FD6A9741ACB7C67869AAD2A2B0849C62DD
SHA-512:	7AFD80D76679319F08FED3DC68684CD1074DBEA5A3016AAF257E65D667F797454DB34F903B39B5688D4B82C8FD42E92212C5DFDFD1AB074F2CCB9FB2967D80DF
Malicious:	false
Preview:	(....(9.oy retne........................D...B./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:RNc7yEYJwTn:I79JTn
MD5:	0CEC4BDD6099AA359AC31386E7E121F0
SHA1:	9B4317835D8260A45F94E629470E92B290397B56
SHA-256:	533CCBC56BC1450A92213D9B11C163FD6A9741ACB7C67869AAD2A2B0849C62DD
SHA-512:	7AFD80D76679319F08FED3DC68684CD1074DBEA5A3016AAF257E65D667F797454DB34F903B39B5688D4B82C8FD42E92212C5DFDFD1AB074F2CCB9FB2967D80DF
Malicious:	false
Preview:	(....(9.oy retne........................D...B./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:pI8QKc9Eh/nT:m8cqhr
MD5:	4E572C39344AFB8E301EEB34EB0FCF41
SHA1:	19E8183AD8CB6231DB1A1744AF4ABBB9BBA2B85A
SHA-256:	2B6900EB9F110F5B59075AE3A28DF823A74AC08459115063A18C4F90CDEAB3A4
SHA-512:	DDB2543AE7A4E302043A777E8E1AE3715683810143F5EBCD03136A4320D14180E66E253D160144CA1327CAB3BD2732207C610C479B836A2ED726D975CE6A0C67
Malicious:	false
Preview:	(....-Y.oy retne............................B./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:pI8QKc9Eh/nT:m8cqhr
MD5:	4E572C39344AFB8E301EEB34EB0FCF41
SHA1:	19E8183AD8CB6231DB1A1744AF4ABBB9BBA2B85A
SHA-256:	2B6900EB9F110F5B59075AE3A28DF823A74AC08459115063A18C4F90CDEAB3A4
SHA-512:	DDB2543AE7A4E302043A777E8E1AE3715683810143F5EBCD03136A4320D14180E66E253D160144CA1327CAB3BD2732207C610C479B836A2ED726D975CE6A0C67
Malicious:	false
Preview:	(....-Y.oy retne............................B./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl0Gn:Ls30G
MD5:	9E9690B8293C6959AE4D539880C22A39
SHA1:	F66D2650086F2FAC5764493693EA8C95B9F40ACE
SHA-256:	7E9C55ED4CC2F5150CD236C076EB4E5771D9785AF8D8A8D94439F2E360DA7A49
SHA-512:	DF6653503BCF921F54109E61C388B189173E9ADA68ACDCFBC7B4DF2D5E8A101A90E690BF5DC58F26D23EC3BF39440846313A8826D0203BD5FA652DB0D409338D
Malicious:	false
Preview:	...........................................B./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl:Ls3
MD5:	D638E41F5395EF4BFA197F0982759439
SHA1:	B7491C19C6C746DA0C64AA76FA285553C1CA6E0B
SHA-256:	FB39DA465FDFC50B99ACDD1FBAB500D2FEA6D355CB441BB1C8A3409CD1AB5945
SHA-512:	107C9E7A545B8B0CA897DB3F49D1F90B406877E7F075021B924A56AE84E5CCDE2DFA656EDB9316F8B41DBCB549EF9A01BD72E8F8561C49902FEE13BB99F2C98E
Malicious:	false
Preview:	.........................................2..B./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	411
Entropy (8bit):	5.196131749601486
Encrypted:	false
SSDEEP:	12:N7OF+km32ZYebqqBvFL17OFAlUxvLZYebqqBQFUv:NCEv3iYebq8L1CqU9lYebqZ2
MD5:	950CBA75FB02554539540FC5F88A7FCE
SHA1:	6EA4BD47173F0CA4E6F9CC44D35051F9B70B2F33
SHA-256:	3B396BC6B5981DD464970C62BFC6EBA7033C519E564FF902416E759EB6D17280
SHA-512:	C850340367D7F7E34D7D2628BF2FA31DBBAE97E2A3C9482D545C66815F457DA1B1AA79CBA529B09F8385A273710B2CC5D0DB715982E12462C70AE2319EEAED22
Malicious:	false
Preview:	2024/08/27-12:19:29.080 1194 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/08/27-12:19:29.241 1194 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\142d8580-ad41-48b6-b115-b779e0009786.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\7be98a86-45e3-4dec-9f33-ed177b681880.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\8e9d7fdc-8fa0-460a-81eb-60d8980e10ca.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF31619.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\a145c4af-ebe9-4612-87fd-21523f834156.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.7273991737283296
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
MD5:	9F7EADC15E13D0608B4E4D590499AE2E
SHA1:	AFB27F5C20B117031328E12DD3111A7681FF8DB5
SHA-256:	5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
SHA-512:	88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	399
Entropy (8bit):	5.207318245157541
Encrypted:	false
SSDEEP:	12:N7OdRc32ZYebqqB6L17OGvLZYebqqBZFUv:NCTc3iYebqbL1CElYebqy2
MD5:	AA1E138AB433B357F696DED3BFE75F6B
SHA1:	0C69CCE40D02387C1B421BC0D0A21F76EFBDAC5C
SHA-256:	68A3A3F13B9064EBBF27D54CAE9911F3EA80E6C7C558763154C316E5E13561B2
SHA-512:	CBA00C1D815129C736CB131CC872D1553FEC9BEFCC0735ED786E1670AFC3B9FE2B55866732F11B20B5E28CB8314FD2007130567CB228C60B6F286B5306C779A0
Malicious:	false
Preview:	2024/08/27-12:19:45.439 1194 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/08/27-12:19:45.471 1194 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	305
Entropy (8bit):	5.23325872584129
Encrypted:	false
SSDEEP:	6:N7OF/j1cNwi23oH+Tcwtkx2KLlL7OF+R9+q2PcNwi23oH+TcwtCIFUv:N7OF/ZZYebkVL17OFq4vLZYebLFUv
MD5:	C0A2ACF587BF6D3F5250E5B249D724AF
SHA1:	060DEABFE2510C537A8F487DDD938CEC69205487
SHA-256:	7614D02C452CAF107AD7510BDFB11353E5061ADD5A8739E2B670FDC6542F9807
SHA-512:	980D0B027D7801AEB6F9F20B87C3C9C7C9E91C635BF146852925CCFCAD8C0B68FC2549163E39F78F1BECA64C4125673FCF92F25DC97128E89383ABDF87DF452E
Malicious:	false
Preview:	2024/08/27-12:19:27.691 18f8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB since it was missing..2024/08/27-12:19:27.986 18f8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002110589502647469
Encrypted:	false
SSDEEP:	3:ImtVzX/:IiVj
MD5:	A93EAB5BD1A163B3BF03299968A445A2
SHA1:	CEFD9DD55EBA9AAC1C088DBF52F131E11EC8DE5F
SHA-256:	2099E5D6C89CDCF500F5760CD03159CCE7B02D03135CB274E8C6C17D1E9462CE
SHA-512:	917E4B5A52DD2F8CDC7D8F1995CB4BFE18BF6AA0E0FBCC64EE07A6A92C640B31A8FE4727C1D6585016D9D5463D9551DDB7D1EFDEE3719C70EA8A3502D019270C
Malicious:	false
Preview:	VLnk.....?..........,O{.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.0769487986864132
Encrypted:	false
SSDEEP:	192:erb2qAdB9TbTbuDDsnxCkOeSAE+WslKOMq+vVumYZ5dn66:e/2qOB1nxCkOeSAELyKOMq+vVummp
MD5:	8FC7FAFA1E45F06281F057C3A66F67B5
SHA1:	E78DA8284F3E9D1177346DC5BFC555742EC2A9D1
SHA-256:	416582470DDC83A8A632498EA625F2C1139C3B624562F2B286482EF567136F76
SHA-512:	5F074B1F30F3D2BD2E30587E8E92B2DB5DF8A957809532E8B727F7BE1384A0B03AE98F7CCF91802E5605F3FD488A52ED885FB4E853040EA22D1A6FB71A83BF48
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:	3:lSWFN3sl+ltlMWll:l9Fys1M
MD5:	A8E75ACC11904CB877E15A0D0DE03941
SHA1:	FBEE05EA246A7F08F7390237EA8B7E49204EF0E0
SHA-256:	D78C40FEBE1BA7EC83660B78E3F6AB7BC45AB822B8F21B03B16B9CB4F3B3A259
SHA-512:	A7B52B0575D451466A47AFFE3DCC0BC7FC9A6F8AB8194DA1F046AADA0EDDCCA76B4326AA9F19732BA50359B51EC72896BB8FA2FC23BAA6847C33AB51218511A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28499812076190567
Encrypted:	false
SSDEEP:	3:7FEG2l/TtRt//lFll:7+/l/T7t
MD5:	D983387D1496D173A627BE5FF60F4F2E
SHA1:	55726C9BC4A712EE256792E262D5E9477948F5DE
SHA-256:	77A4074AF10D8E4FA1DF4B2D824D1241AA20F48859EBC18586331D2410F97994
SHA-512:	C286C27FF93B5DB9C8DFB4BD9FE2C950AE7517880FAFAF8BF95B60E10D6BCEBA18A356173D678C11D3DFF575E6E779F3B607341391014456DAB6962A67B57462
Malicious:	false
Preview:	.... .c.....6.W.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049658994923281956
Encrypted:	false
SSDEEP:	6:GLW04ss7GWTW04ss7GcL9X8hslotGLNl0ml/XoQDeX:aeGWDeGoGEjVl/XoQ
MD5:	4221639DD6FA5B5F3422010B79046160
SHA1:	34B760E31D760C8E07E0A1A8938817AA680B0ABB
SHA-256:	10DDADE6E8DBD05567B4F80D506737F8666194A38F11905058F613749653E7EC
SHA-512:	BE7FB54F6FA28D909A7FD7DAFDF04E646F165F3BEC12FF7141B57B604EDBA5955E6B1FD26C33C2AAECEC51502281742CE2CE263502037A921BEB7527F21FE723
Malicious:	false
Preview:	..-.....................D..Q0?..F.B..<..:.......-.....................D..Q0?..F.B..<..:.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	70072
Entropy (8bit):	0.9988308005341078
Encrypted:	false
SSDEEP:	48:MX+lzxMDXlO+2cbX+fhn9VAKAFXX+mg2VAKAFXX+gEpxOqVAKAFXX+CnUYVAKAFG:MX+hxMDPgfKNspNsrfO5NstNsnqE
MD5:	FC40D37C18B3912B3B9893C6962C42C4
SHA1:	061F49B7DB1711AB821392DB2D0C5C00912FEDA8
SHA-256:	AE644B75FC35C9E8CF58E1048807C64CB13B7B26E33166042EE23D933DC69428
SHA-512:	E9FA20E0D1C6A0821CF38267873D52D15C8EB9AAC756B10FC794416C33BF2E79ECA133E7EE0131B74FA877AC8FAA2EC95F113042341390D8425AF9C455B31292
Malicious:	false
Preview:	7....-...........F.B..<...I0............F.B..<.K.I/{0.,SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1566
Entropy (8bit):	5.4887827632004385
Encrypted:	false
SSDEEP:	48:gZvY8GSBSRNQQEPPHRHrxRIYjIYfzPqkiMYjMYDyAAlkfAlkE3W:g0EQAIYjIYfzPbiMYjMYRYcYR3W
MD5:	702192965C6354D043EE04528A892901
SHA1:	2F56C97E4D87C4E52F068F43B2D1E894E5C692D2
SHA-256:	9234A90BAB977F49C757565FFD3D36A758AE9CE89AAF75EED124A94D8ECB0A78
SHA-512:	8F6591A047A9F1FA767A1302240B46420B6373584E7C48AA26C5361684ECA024D69A11E68E806E76512A74CA46E323EE5F684B66B22E6B63542E2361DBF0D9D3
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..&f.................&f....................................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel.....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch......4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton.....&4_IPH_FocusHelpBubbleScreenReaderPromo.$IPH_FocusHelpBubbleScreenReaderPromo......4_IPH_GMCCastStartStop...IPH_GMCCastStartStop......4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode......4_IPH_LiveCaption...IPH_LiveCaption......4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage....."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch.....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeature......4_IPH_PriceTrackingChipFeature"..IPH_PriceTrackingChipFeature.....&4_IPH_PriceTrackingEmailConsentFeature.$IPH_PriceTrackingEmailConsentFeature.....-4_IPH_PriceTrackingPageActionIconLabelFeature1.+IPH_PriceTrackingPa

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.268100896711227
Encrypted:	false
SSDEEP:	6:N7OFd0Wb1cNwi23oH+Tcwt0rl2KLlL7OFd4QyQyq2PcNwi23oH+Tcwt0rK+IFUv:N7OFHZYebeL17OFaXVvLZYeb13FUv
MD5:	49585909C39EB0A6C82A452803B00973
SHA1:	DE06003B67F18AC1049C00B4B73A56EE643E6CA9
SHA-256:	3F5AE1911E6D7F8F29DC0B297243E9448B66EC280B289046B9990D8C1706A751
SHA-512:	347BC16ACD4DCDD9DDFFB63B15AD7A188C9594917323FC2C46F45DBBEFA61CB872F7F595C0F6EA52AF0C1B8DA8F3EEB7BF87E80C0F059E9F105E0A60B2E2ABA7
Malicious:	false
Preview:	2024/08/27-12:19:28.824 1630 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db since it was missing..2024/08/27-12:19:28.835 1630 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	729
Entropy (8bit):	3.931105053495172
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/UT8g6JbZfPsdZOgbG0lbANqa:G0nYUtypD3RkeFZf1Gm
MD5:	620C05D5B4C6493A53F937059DFCBE91
SHA1:	358606F4C4239EA8EE7103A55535FE583CA76EED
SHA-256:	969DA0AF3B2A0B41175DE3B60D8F1D6995B63FBFCFFBE9F66B9487853CD43565
SHA-512:	C5A72FE75923C261D8355E2A2595C1559E21B9D3BD619CC712C4F4CD07BB287DFE0CEC314360D04596AA027735A6028204E64C25A85DC39D9CE785F05BDE3C0F
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J\|.................37_.....5oP..................3_.......\4.................4_.......`.................38_.....].$&.................39_.....4.9..................20_......R...................20_.......1..................19_......(...................18_.....I.Ha.................37_......A@8.................3_......a...................4_..........................38_.....h.#..................39_.....P"...................9_.........................9_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	319
Entropy (8bit):	5.218931696130824
Encrypted:	false
SSDEEP:	6:N7OFd3b1cNwi23oH+Tcwt0rzs52KLlL7OFd6DQyq2PcNwi23oH+Tcwt0rzAdIFUv:N7OFVRZYeb99L17OFmVvLZYebyFUv
MD5:	8381CE8D385028F77279C6AA3BD0AA18
SHA1:	543E13379A17309B5872941A553562F63D53DBFA
SHA-256:	A8790EB39A0C739BACC087D9FBFAE0B9E441DBF452507BA1D331A4FD9E1431D2
SHA-512:	675528B865821693A77674B7CA1FBD53B8B88FAC6D2D0697FDAB4A1706656B8E94D2D00F82335E95785CF2328E7F404DFB72E623BAAECCBA130DEDD77309ABA8
Malicious:	false
Preview:	2024/08/27-12:19:28.727 1630 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata since it was missing..2024/08/27-12:19:28.819 1630 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlhMGna:Ls3Na
MD5:	0AF716C6C7C859A8FB45F0E033FB9D7D
SHA1:	868FFA4425BE0975F94330CB553FF9678CD2FCA0
SHA-256:	2D317FB870F551CB53A5305ADE6B6F84FAF18DA5A65E043B7C5D4AAAADDF6F9E
SHA-512:	6E7BF51749965C80DD2FAFAAF70AECBEC48D31CAC2313BF21E2E2DD531F9801FF981DE68606ECA43902639669CD9DFDE6364582FA6913EA2322FF295E86D2EAA
Malicious:	false
Preview:	........................................;+..B./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlL:Ls3
MD5:	DC3227CFB50E428365FC3D0A549E9255
SHA1:	D52392DDA34E657306649F30FF0EF5B5CC27C660
SHA-256:	DC39458760B8DACFF4D2A49789ED0AFED679269A374FE875BCDBC39567DCD7EC
SHA-512:	F1D87A7636F8688E106A9764A3067077CF03BC2AF7862C66D6D353C4B5F3C3B9AB20DFE47D60D2B01693D8074517653C84D2940B954F4D6D3F943A3776924C8C
Malicious:	false
Preview:	........................................X...B./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1e73e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1e74e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1e8c5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1e942.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF21023.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF2579c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF2d2d6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF2f9e6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF35b60.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.5166217576017855
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtQh/IYxtlRhEr/Dayik/xJdXBuBuwBua353XCNhFbFXUQQRCYh:YuBqDPafEQYxrawcgBzBuY3EhF5B0
MD5:	8CBE2D53DBEA7C2DE784DD31142D3E3A
SHA1:	FF33E70C27253B868EE225AA8AC2C09EE2F634F7
SHA-256:	D5EA3C418AD067CA85002F75E5519CC122EA6AAD5A5F20BC310DFB9B953E81F3
SHA-512:	4E67462C4654C88C1D5C65F3A66B9032C9DDA8332FB25B65B1B10B5F104B81F0754E2CD920C9510459BDBC5A4459DD8A04D5860A91106AD780BA48E5787EDB0F
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"profile":{"info_cache":{},"profile_counts_reported":"13369249166810131","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724775566"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlEl:Ls3
MD5:	140E29C43152EEEE2E77768733BE3B05
SHA1:	CD58C919734A5CA5E19EB8915A44E8A8B2D4AF82
SHA-256:	33868FF46888D9FC3E66668BFC839FD4CAB95BDE79D46FC0F69FEFE1D7DE7E94
SHA-512:	C772569F7DF28BAE2EE9B9F36C6267F8955F5A077B595FFB90F97EA1D28F8FFAB06D730D99972B47EDFBACC26BB7078E9417E0C495FB4E76F7DCA1E71D96BE07
Malicious:	false
Preview:	........................................Bu..B./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.5724312513221195
Encrypted:	false
SSDEEP:	3:kDnaV6bVon:kDYa2
MD5:	5692162977B015E31D5F35F50EFAB9CF
SHA1:	705DC80E8B32AC8B68F7E13CF8A75DCCB251ED7D
SHA-256:	42CCB5159B168DBE5D5DDF026E5F7ED3DBF50873CFE47C7C3EF0677BB07B90D4
SHA-512:	32905A4CC5BCE0FE8502DDD32096F40106625218BEDC4E218A344225D6DF2595A7B70EEB3695DCEFDD894ECB2B66BED479654E8E07F02526648E07ACFE47838C
Malicious:	false
Preview:	edgeSettings_2.0-0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.493433469104717
Encrypted:	false
SSDEEP:	3:kfKbQSQSuLA5:kyUc5
MD5:	3F90757B200B52DCF5FDAC696EFD3D60
SHA1:	569A2E1BED9ECCDF7CD03E270AEF2BD7FF9B0E77
SHA-256:	1EE63F0A3502CFB7DF195FABBA41A7805008AB2CCCDAEB9AF990409D163D60C8
SHA-512:	39252BBAA33130DF50F36178A8EAB1D09165666D8A229FBB3495DD01CBE964F87CD2E6FCD479DFCA36BE06309EF18FEDA7F14722C57545203BBA24972D4835C8
Malicious:	false
Preview:	synchronousLookupUris_636976985063396749.rel.v2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.9904355005135823
Encrypted:	false
SSDEEP:	3:0xXF/XctY5GUf+:0RFeUf+
MD5:	E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:	5AAAC173107C688C06944D746394C21535B0514B
SHA-256:	EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:	837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:	false
Preview:	topTraffic_170540185939602997400506234197983529371

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\baca8d06-1c71-4db8-884f-3a712c6a55b1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4235
Entropy (8bit):	5.492447809110723
Encrypted:	false
SSDEEP:	96:0q8NkGS1fEJxrL58rh/cI9URoDotoMHBWVVvkXItJkjyc8SDS4S4SDSmQI4a:/8NBSeb8eoDU9MCIDkjyj
MD5:	DEB114E6B410FD99EDB8651B87B377C4
SHA1:	EE1193A3F03582F0030FFA36FE89F01267283C2A
SHA-256:	4A7753A0BBEB4575C933CF78E36D76FC7408AACE6E355891F3A50B79B5A87FD1
SHA-512:	EC40AFD8269BF2868BE03AF3BF33CABBF20ACC946D2AFF8C84BB81AA254827B6D9F541A22E751342A350550686E8402AE1C3D6204CC336C34B39CB0A7884E66D
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXti

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\be60e650-fa85-4876-a5de-d3c4f4bff4c8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20759
Entropy (8bit):	6.066980929642414
Encrypted:	false
SSDEEP:	384:RtM7XKnG7EtlXrjYJUoLUJqHsdZsJHaV8NBSdai/AGjprhVwjY1TQTW8:LM7X2zt1jKYqHkZeMwi/AGjxj+Q8d
MD5:	B556DFA6792A5F2ABF152B5294CC6E40
SHA1:	32E39AFBCAEA76A2E5205592D593CB7A572F2751
SHA-256:	B3D604864F51518B0A6AFF9CF59C049FBA74FEEDB331E3C8316405CE40887529
SHA-512:	4DD2641E0F5E59A74F45327057AACDF2FD6AA22AF156393EF0743C2D6C56A4A872926FE3D4FF3CDB92AF5D920AA3C1318427BFA00C04427D7864DA16F0EB8CA5
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\cfc6f398-1cb8-4b90-a1e6-3ab016550378.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20759
Entropy (8bit):	6.066996641861061
Encrypted:	false
SSDEEP:	384:RtM7XKnG7EtlXrjYJUoLUJqHsdZsJHaV8NBSsai/AGjprhVwjY1TQTW8:LM7X2zt1jKYqHkZeMJi/AGjxj+Q8d
MD5:	3B9BE8C0A19080E1359636E7D9AFACF7
SHA1:	84D1AAEDB3E831B487754159F38599DD3D9A26FD
SHA-256:	7A467B84855B6ECD6C88D3C1DEE42F1A0EF091DB302344BA3EE6AA99B0E6D094
SHA-512:	9EA4D9D04F144102732342B88AF62393F520108A223C65460370F5339BC1BF245FBCCDEFC2E5DD5F96114E44FC79FD6FFC27DCFEB93423328206E952CFFD50AE
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\d6c58e24-10cb-4a98-b656-5921ca55bc77.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.585701231576191
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afEQYxra0ckHB+ldrxwKVvBuY3/9R5SaJkXzycHSwlRoqB0:Xq8NkC1fEJxrL3BWVVvkA5bJkjyc3rq
MD5:	B503F77A002081B366EBD97B8CD2FD51
SHA1:	E2E79BD377F10DB5D100005C3CB6B854EED6537A
SHA-256:	ACDACEC4FDDD7C8178D309800C36CADD13920E30AFD92D054CD4303EF810A521
SHA-512:	87BC297F3DA6B4C87CA24495CE4644D2A5EAF8B0FC9898F8320932FED532F60ED2B84D2008360D84D4848190B5601C686C449B4E67BD8C52FCF20F28516F0609
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"policy":{"last_statistics_update":"13369249166833161"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ee3cdd67-8eb2-4079-997b-90616a8fd323.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24083
Entropy (8bit):	6.056131186784734
Encrypted:	false
SSDEEP:	384:RtM7XKnG7EtlXrjYJUoLUJqHsdZsJHaV8NGsayirqdFVEQRacLprhVwjY1TQTW8:LM7X2zt1jKYqHkZeMTyiBQRacLxj+Q8d
MD5:	3E645AF26AD8B6422BC7A5EEACF32418
SHA1:	F5AA888B3CD10922E2E0217211648C479E8FD820
SHA-256:	473E94DB1481B17C300221EAD4BC35C0DD6EBCA3587FF7E79E49E757F3B31882
SHA-512:	D04C9A4812B9394517785546575E84CD81F29F515E147C605DD0FEE5A38016C83C27C886429466458FF30A09E8C3D990453BC047ED5D69184ACE8E060C81EA76
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\f6211fe3-b774-4383-8103-b63a33c33b3a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3335
Entropy (8bit):	5.607716000577817
Encrypted:	false
SSDEEP:	96:0q8NkC1fEJxrLXxBWVVvkXItJkjyc8SDS4S4SDSmQI4a:/8NbebrMCIDkjyj
MD5:	A08C75BF17E62FD2C461EC16642907BB
SHA1:	C3C1D85C4F62355659322D68F2BF6C42B2B05978
SHA-256:	DD4618368EC243B524F661BF322F944A69FFB6FC534E69CD4880F18F99690ECE
SHA-512:	EB94F4A64451362D18734F02EBD1827F88AACB062EFEBE9DB40455A21C2249E04D6A2909EBFD7AA6E092AB39CB4F373AEDDB4351A234D35EEB86C379839E9EAE
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAB9s40NvuaLTaE6n7eCgh4hEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAABHb9OM3hhed+QWs4mAfhkd2bxD25ptoMeijrpaDmh3RwAAAAAOgAAAAAIAACAAAAAbgpuIa0s3PDJJbkdjuFRw9rYFn34HieJVFj1TNnRUEjAAAADeIRRBHm348lIx5HHGFtgmMn72F2FYVi5vPDfM7KPjceVX9FknGPvJByQb6hq4z7FAAAAApy26HprSEPd0sVHs84DBQ+FqqLYBNBfJtDSbc0Gwns3bHjtMGZcfEDh06NfEYsKCFihS/Xag+8s2KjXtizMHig=="},"policy":{"last_statist

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0d38830f-8568-4b36-abdb-a765d2752378.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44236
Entropy (8bit):	6.089501633028578
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kPTKKGf4OrtBF1OIlPsm7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yngt5b7VLyMV/YoskFoz
MD5:	6AF6406DE7B5593AA08A01381C72C392
SHA1:	65D0CC775A9DF106E56B2F9FBF971D1D146B9614
SHA-256:	EBBDA0AA4CB6DCF9B74324F142209C0B00F93383BE529DBF91687C6165B05AE7
SHA-512:	09A443490210EE1BA12043E333CE2524F8DCC02F4AC18C0ED2E651FABFCE5B42CD4E7F9F0DB467F355E3388DB312BD908D1C6650304349C80C5F665FE6718865
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\3763e244-a592-433f-ac78-5983ff6c200b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44752
Entropy (8bit):	6.094974105463212
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xi+KKGf4AqaG3FEEvAKN7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yOlN7VLyMV/YoskFoz
MD5:	EB24D7CDD4A4F953D916D542D25E4D55
SHA1:	857A8ADBE9B8D5C832238FA5872DC2FF33DDE024
SHA-256:	3B38C9EF406CE4B78260F11A699818C39A0F390D05C2E8B4C2CCFDB97EFBC33E
SHA-512:	84CD940DAC523B46B4603C0D581363E57C87186E95B16ED897AE303788B00D06A46CEA7E1F8286AC27FC155766C2AF342BF4A4C7BB2FF430C50F1EB0355ED94B
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\3ee9ec7d-ea6c-4c26-95d2-f4a4350fbff8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44751
Entropy (8bit):	6.095033464783492
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xh+KKGf4AIFGiMOPXzcF2N7DRo+yM/42cRaLMoskCiG:z/Ps+wsI7yOkN7VLyMV/YoskFoz
MD5:	E0144A5D1A24336AC0257CD59EC3F5F9
SHA1:	71ACC732F9082805C084E6AFEE8A4FD9A99DF5F6
SHA-256:	59A09FB05224886B8273ABF05D7187F77DB6B7449D9422A55B69D0F7E2B56A34
SHA-512:	67B9AD5BE4708C3001AF18280CF1891A9176ADFD9C26F8058930593512238498A089E03A0331DA9CE4D4FE73B1E7B58A89C253D5CFC8449F9900E3377B326E1C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66CDFCA1-2238.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.1603783691688209
Encrypted:	false
SSDEEP:	1536:NFZLI/5HagCwRG0fLO/gdg6iVEb1HwLRG:NrLmRagC9mIgdg6ig1Hw0
MD5:	866F9A978ECE2793C59B3E8FA44F6240
SHA1:	F2DE9310F63E49E74AF0D8759BFD89C8D6D9F5D3
SHA-256:	18944C7D03735F16CD23D2363BAACCCFBAD9CBC03BFF6436EF1D3B39C9022C83
SHA-512:	0821ABD2FB128ABF1D60E92248B87739CAAD043D8B7EAABFA3D3729129D82F0658C271C28398EC9DF4F1A62BEF3A4858A036895E78F629078CC2497B502A55CB
Malicious:	false
Preview:	...@..@...@.....C.].....@...................x...............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".aaivmm20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@...............................0...w..U].0r........>.........."....."...24.."."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....l....'@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2..........I...... .`2........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66CE0CA5-1E28.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.14114377347722148
Encrypted:	false
SSDEEP:	768:I5jtvJZei1bpxmH60nAi2xUbWzzAntlRGOGzSw1LRGO:I5ZvJUi1txG1Ai2xUbgE/RGkw1LRG
MD5:	8067DF9DD58999952F1E5249306857BA
SHA1:	4CDF3FFD59199DBA3E1ADE866DD3BCBE71247828
SHA-256:	C0CB7CDFA281B2B27A8C6E6FA8FAE648F71796985B8B3CA293A882EB6F2376DC
SHA-512:	5BFD719DE158E990FAB370B1B44895A81BCED01884F3A54D7FE851195212CD07E901B09C354283B60A6AB468E07ABEF069CFF9D6C98F4CCB405F6668B982164C
Malicious:	false
Preview:	...@..@...@.....C.].....@...................................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".aaivmm20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@...............................0...w..U].0r........>.........."....."...24.."."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....l....'@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2.........5...... .2........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.16517681506792
Encrypted:	false
SSDEEP:	3:FiWWltlrPYjpVjP9M4UcLH3RvwAH/llwBVP/Sh/Jzv/jSIHmsdJEU9VUn5lt:o1rPWVjWZq3RvtNlwBVsJDL7b/3U7
MD5:	C847567DEE0317368C1EC824DE025887
SHA1:	554098F22FEA9282FE1AAB35560849CD6FF546B1
SHA-256:	3CF2B1CBE4F4CCFC640BCF581FD4D9FC84254D2B3839C96EA4909B61AAF28932
SHA-512:	A976744405F6ABEBFB7513A3A6A776680334BB94A9E52AEEFE2B05259BCB3CF9781B1CCDA3655D8AA4C1E923143168F29EF3208F81ABCB93AFF5215ED3798219
Malicious:	false
Preview:	sdPC.....................!...W.F....+F."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................8889edf7-b09d-4a45-9ea5-adabbfd01bb9............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\7506263e-c203-48b7-94f9-92f6ae62b4ed.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\9c5a37af-817f-4aec-9413-266e94cff6f8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.5685834426886345
Encrypted:	false
SSDEEP:	768:KhgMetWPjuf+x8F1+UoAYDCx9Tuqh0VfUC9xbog/OVc15wIrwuwpbtuJ:KhgMetWPjuf+xu1ja5fwZu0t+
MD5:	6BEFF1EA54BB9EAA4C0EFD2A272FEC78
SHA1:	719BA6891838F1C91F256B5E6BEC6B45D9B6F2DB
SHA-256:	8D5720335DCA1B93F2975518B5655898E7140238AB367C9FE3E710D608E3C793
SHA-512:	225AD3A41D8CE64EDBDF988E4FDB3D920970C27929738FFA5CB520412A71CC87F089F37ABAD97FC3AF506654851D0509EECE020512633AF9368860F683427BAD
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369249185792756","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369249185792756","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.19637593207887
Encrypted:	false
SSDEEP:	6:N7ODTLqAVq2PcNwi23oH+TcwtnG2tMsIFUt887ODTLqAgZmw+87ODTLwOAIkwOcK:N7ONvLZYebn9GFUt887Oo/+87O0Q54Z5
MD5:	481C75E4B668E10FCAB33BBF8E79566C
SHA1:	A14AF9B441431D44241EDFA3579580396045EA37
SHA-256:	E626A6FF8755FCF3FF6EDDF20BB53E139D0F1976895126E0601352C8F1F08545
SHA-512:	2E8EBDAA87BD55D2AB4CAFC485F203D893E173A1FC19964D1CB6D82365859C2A6F4A58206099DAB94CE9C0B57B13A970554B412C9D32890D2FB70C64B31867FB
Malicious:	false
Preview:	2024/08/27-12:19:46.026 22a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/27-12:19:46.026 22a0 Recovering log #3.2024/08/27-12:19:46.027 22a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.19637593207887
Encrypted:	false
SSDEEP:	6:N7ODTLqAVq2PcNwi23oH+TcwtnG2tMsIFUt887ODTLqAgZmw+87ODTLwOAIkwOcK:N7ONvLZYebn9GFUt887Oo/+87O0Q54Z5
MD5:	481C75E4B668E10FCAB33BBF8E79566C
SHA1:	A14AF9B441431D44241EDFA3579580396045EA37
SHA-256:	E626A6FF8755FCF3FF6EDDF20BB53E139D0F1976895126E0601352C8F1F08545
SHA-512:	2E8EBDAA87BD55D2AB4CAFC485F203D893E173A1FC19964D1CB6D82365859C2A6F4A58206099DAB94CE9C0B57B13A970554B412C9D32890D2FB70C64B31867FB
Malicious:	false
Preview:	2024/08/27-12:19:46.026 22a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/27-12:19:46.026 22a0 Recovering log #3.2024/08/27-12:19:46.027 22a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF25077.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.19637593207887
Encrypted:	false
SSDEEP:	6:N7ODTLqAVq2PcNwi23oH+TcwtnG2tMsIFUt887ODTLqAgZmw+87ODTLwOAIkwOcK:N7ONvLZYebn9GFUt887Oo/+87O0Q54Z5
MD5:	481C75E4B668E10FCAB33BBF8E79566C
SHA1:	A14AF9B441431D44241EDFA3579580396045EA37
SHA-256:	E626A6FF8755FCF3FF6EDDF20BB53E139D0F1976895126E0601352C8F1F08545
SHA-512:	2E8EBDAA87BD55D2AB4CAFC485F203D893E173A1FC19964D1CB6D82365859C2A6F4A58206099DAB94CE9C0B57B13A970554B412C9D32890D2FB70C64B31867FB
Malicious:	false
Preview:	2024/08/27-12:19:46.026 22a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/27-12:19:46.026 22a0 Recovering log #3.2024/08/27-12:19:46.027 22a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.225530568154497
Encrypted:	false
SSDEEP:	6:N7ODPq9+q2PcNwi23oH+Tcwt8aPrqIFUt887ODPqJZmw+87ODG69VkwOcNwi23oD:N7OrJvLZYebL3FUt887OrU/+87O6E546
MD5:	5814115219703B9437173B2B1F3BAA73
SHA1:	9ED91A0818511E7753218CB1FCE673F0505DB12F
SHA-256:	CE8556AC11C96BAC5119D844A92A3DF619FE72BF2192C3E1334B35B8B40CA39D
SHA-512:	99F30AE4D9807CE6166DCFC2DBEF32BA14E3342675EE31370E199CA375EA847AEC72A485FFF132DB84A0426291AC0B303ACE669EA3E1D10653521C1BC9F78558
Malicious:	false
Preview:	2024/08/27-12:19:45.876 22e8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/27-12:19:45.876 22e8 Recovering log #3.2024/08/27-12:19:45.877 22e8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.225530568154497
Encrypted:	false
SSDEEP:	6:N7ODPq9+q2PcNwi23oH+Tcwt8aPrqIFUt887ODPqJZmw+87ODG69VkwOcNwi23oD:N7OrJvLZYebL3FUt887OrU/+87O6E546
MD5:	5814115219703B9437173B2B1F3BAA73
SHA1:	9ED91A0818511E7753218CB1FCE673F0505DB12F
SHA-256:	CE8556AC11C96BAC5119D844A92A3DF619FE72BF2192C3E1334B35B8B40CA39D
SHA-512:	99F30AE4D9807CE6166DCFC2DBEF32BA14E3342675EE31370E199CA375EA847AEC72A485FFF132DB84A0426291AC0B303ACE669EA3E1D10653521C1BC9F78558
Malicious:	false
Preview:	2024/08/27-12:19:45.876 22e8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/27-12:19:45.876 22e8 Recovering log #3.2024/08/27-12:19:45.877 22e8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.248705617848338
Encrypted:	false
SSDEEP:	6:N7ODaPq2PcNwi23oH+Tcwt865IFUt887ODOZmw+87ODikwOcNwi23oH+Tcwt86+e:N7OYvLZYeb/WFUt887OK/+87O254ZYev
MD5:	8EAE6CFF1AAC1E718879DB4ED5E94BE3
SHA1:	7D08C5C90F2AB94924C999CEFFCB2C5E6A11AEC3
SHA-256:	D209DB1A008C54E8E742AF8D7CB7F7C282912BC0C28019BD5E4D78D67BCBB321
SHA-512:	6AD7D895E3B127AF4348249EC02E20E66BE763740926F58B19E43CDFEE892D78DD3BE42410BD4F4DC00F6220DCEE8624D022E50FEF5A29608CA0754BE6F37E6C
Malicious:	false
Preview:	2024/08/27-12:19:45.936 2304 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/27-12:19:45.937 2304 Recovering log #3.2024/08/27-12:19:45.937 2304 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.248705617848338
Encrypted:	false
SSDEEP:	6:N7ODaPq2PcNwi23oH+Tcwt865IFUt887ODOZmw+87ODikwOcNwi23oH+Tcwt86+e:N7OYvLZYeb/WFUt887OK/+87O254ZYev
MD5:	8EAE6CFF1AAC1E718879DB4ED5E94BE3
SHA1:	7D08C5C90F2AB94924C999CEFFCB2C5E6A11AEC3
SHA-256:	D209DB1A008C54E8E742AF8D7CB7F7C282912BC0C28019BD5E4D78D67BCBB321
SHA-512:	6AD7D895E3B127AF4348249EC02E20E66BE763740926F58B19E43CDFEE892D78DD3BE42410BD4F4DC00F6220DCEE8624D022E50FEF5A29608CA0754BE6F37E6C
Malicious:	false
Preview:	2024/08/27-12:19:45.936 2304 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/27-12:19:45.937 2304 Recovering log #3.2024/08/27-12:19:45.937 2304 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.169277345633845
Encrypted:	false
SSDEEP:	6:N7ODTLNAVq2PcNwi23oH+Tcwt8NIFUt887ODTLjoAgZmw+87ODTLjoAIkwOcNwiV:N7OCvLZYebpFUt887O/6/+87O/G54ZYN
MD5:	2CF1641D00E2B39FC612B728C0A7A25E
SHA1:	1754070EE6451CDEE7C125F767EB99A7A16577EF
SHA-256:	22513CC13BE3522C5DC9951D8765C82B2E2A24A2A09EA05DB1D1A004D57C6B1A
SHA-512:	2B21140FFA809BC8258606ADFA6802C407DA603BFBD6DCD479446203FC893A29ABDF8FE6F1377AB432B0D2894307C4A56E8B2ABB7B3D658D9A9D86B2B13A3A8A
Malicious:	false
Preview:	2024/08/27-12:19:46.171 22a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/27-12:19:46.172 22a0 Recovering log #3.2024/08/27-12:19:46.172 22a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.169277345633845
Encrypted:	false
SSDEEP:	6:N7ODTLNAVq2PcNwi23oH+Tcwt8NIFUt887ODTLjoAgZmw+87ODTLjoAIkwOcNwiV:N7OCvLZYebpFUt887O/6/+87O/G54ZYN
MD5:	2CF1641D00E2B39FC612B728C0A7A25E
SHA1:	1754070EE6451CDEE7C125F767EB99A7A16577EF
SHA-256:	22513CC13BE3522C5DC9951D8765C82B2E2A24A2A09EA05DB1D1A004D57C6B1A
SHA-512:	2B21140FFA809BC8258606ADFA6802C407DA603BFBD6DCD479446203FC893A29ABDF8FE6F1377AB432B0D2894307C4A56E8B2ABB7B3D658D9A9D86B2B13A3A8A
Malicious:	false
Preview:	2024/08/27-12:19:46.171 22a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/27-12:19:46.172 22a0 Recovering log #3.2024/08/27-12:19:46.172 22a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old~RF25097.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.169277345633845
Encrypted:	false
SSDEEP:	6:N7ODTLNAVq2PcNwi23oH+Tcwt8NIFUt887ODTLjoAgZmw+87ODTLjoAIkwOcNwiV:N7OCvLZYebpFUt887O/6/+87O/G54ZYN
MD5:	2CF1641D00E2B39FC612B728C0A7A25E
SHA1:	1754070EE6451CDEE7C125F767EB99A7A16577EF
SHA-256:	22513CC13BE3522C5DC9951D8765C82B2E2A24A2A09EA05DB1D1A004D57C6B1A
SHA-512:	2B21140FFA809BC8258606ADFA6802C407DA603BFBD6DCD479446203FC893A29ABDF8FE6F1377AB432B0D2894307C4A56E8B2ABB7B3D658D9A9D86B2B13A3A8A
Malicious:	false
Preview:	2024/08/27-12:19:46.171 22a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/27-12:19:46.172 22a0 Recovering log #3.2024/08/27-12:19:46.172 22a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.230608177610519
Encrypted:	false
SSDEEP:	6:N7ODTLXjyq2PcNwi23oH+Tcwt8a2jMGIFUt887ODTL+z1Zmw+87ODTLLXXRkwOcT:N7OzOvLZYeb8EFUt887Oqz1/+87OHx5h
MD5:	F2AC9E6F93A818259601FF3E1832773B
SHA1:	EDB455159D83C5FDB7AA34E13F5343026D274FEF
SHA-256:	F5A911E0B52BA2A5588049B84A68904A4145124BE036BDD46FA0D77F998FDDA0
SHA-512:	D0293DA24F91D7C5EC379A8C62D6165781F9D92A8263361F5F6152D9F70D72A4AF7A9E8754AAC7E937BE1FD3BDCC4C8640302A9E5CE625DDF1A3AB96611876AF
Malicious:	false
Preview:	2024/08/27-12:19:46.664 2150 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/08/27-12:19:46.670 2150 Recovering log #3.2024/08/27-12:19:46.673 2150 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.230608177610519
Encrypted:	false
SSDEEP:	6:N7ODTLXjyq2PcNwi23oH+Tcwt8a2jMGIFUt887ODTL+z1Zmw+87ODTLLXXRkwOcT:N7OzOvLZYeb8EFUt887Oqz1/+87OHx5h
MD5:	F2AC9E6F93A818259601FF3E1832773B
SHA1:	EDB455159D83C5FDB7AA34E13F5343026D274FEF
SHA-256:	F5A911E0B52BA2A5588049B84A68904A4145124BE036BDD46FA0D77F998FDDA0
SHA-512:	D0293DA24F91D7C5EC379A8C62D6165781F9D92A8263361F5F6152D9F70D72A4AF7A9E8754AAC7E937BE1FD3BDCC4C8640302A9E5CE625DDF1A3AB96611876AF
Malicious:	false
Preview:	2024/08/27-12:19:46.664 2150 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/08/27-12:19:46.670 2150 Recovering log #3.2024/08/27-12:19:46.673 2150 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF23500.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\bbc68d42-c4fc-4218-a235-96fe9aceab8a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\e3e74727-e52c-4795-b81e-b0af4fd4a2f1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\e6e8c597-8933-49e9-be60-b30c67f92170.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7637
Entropy (8bit):	5.089198869826866
Encrypted:	false
SSDEEP:	96:stAqKbs14bDIQomXKaCvlPm8z8sY5eh6Cb7/x+6MhmuecmAeiBDfWCML/EJ:stAbsyomaNPmk8sY8bV+FiAjfWbLMJ
MD5:	F774157C56EC65D988AA29ED4BCD453E
SHA1:	E23EF94699D3C9CC16B880C50253DB6C5197E7BA
SHA-256:	8D582BAF5D922404E06792C34BDDC2AD8919AF5FB3BA1C4E57E90F21D550CF03
SHA-512:	8995F5CCFB6C062A6FD5470CE4722C0DBDA1D822E21B9C27A756EF2D364676CFEF05232C2C820EAD4A5ED07D1D985E4D1197924A5E52243A809517C82178E226
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369249186060901","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369249186059367"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF250e5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7637
Entropy (8bit):	5.089198869826866
Encrypted:	false
SSDEEP:	96:stAqKbs14bDIQomXKaCvlPm8z8sY5eh6Cb7/x+6MhmuecmAeiBDfWCML/EJ:stAbsyomaNPmk8sY8bV+FiAjfWbLMJ
MD5:	F774157C56EC65D988AA29ED4BCD453E
SHA1:	E23EF94699D3C9CC16B880C50253DB6C5197E7BA
SHA-256:	8D582BAF5D922404E06792C34BDDC2AD8919AF5FB3BA1C4E57E90F21D550CF03
SHA-512:	8995F5CCFB6C062A6FD5470CE4722C0DBDA1D822E21B9C27A756EF2D364676CFEF05232C2C820EAD4A5ED07D1D985E4D1197924A5E52243A809517C82178E226
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369249186060901","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369249186059367"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.5685834426886345
Encrypted:	false
SSDEEP:	768:KhgMetWPjuf+x8F1+UoAYDCx9Tuqh0VfUC9xbog/OVc15wIrwuwpbtuJ:KhgMetWPjuf+xu1ja5fwZu0t+
MD5:	6BEFF1EA54BB9EAA4C0EFD2A272FEC78
SHA1:	719BA6891838F1C91F256B5E6BEC6B45D9B6F2DB
SHA-256:	8D5720335DCA1B93F2975518B5655898E7140238AB367C9FE3E710D608E3C793
SHA-512:	225AD3A41D8CE64EDBDF988E4FDB3D920970C27929738FFA5CB520412A71CC87F089F37ABAD97FC3AF506654851D0509EECE020512633AF9368860F683427BAD
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369249185792756","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369249185792756","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	327
Entropy (8bit):	5.195939952231808
Encrypted:	false
SSDEEP:	6:N7ODTLcAVq2PcNwi23oH+TcwtrQMxIFUt887ODTL0LAgZmw+87ODTLyIkwOcNwiE:N7OnvLZYebCFUt887Ow/+87OZ54ZYebf
MD5:	C6E51662959DF094544F07819F0BFC5A
SHA1:	63F12DE36CEFBE6A9F3C9094BE0A8371B424583C
SHA-256:	D2B9EDEBF4600C6ED9B6838116E84E2DE6DA07F9C72868FEDEB4BB2B09A9F03F
SHA-512:	D009D5E3B3E4A2C722EE282AE9C660551E42A83BDF89257BC487A9D5A25FAC101FE811EFA311C38143CC3E08EDCAD623E43AB4C944179290F709691D262D4F92
Malicious:	false
Preview:	2024/08/27-12:19:46.660 f74 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/08/27-12:19:46.662 f74 Recovering log #3.2024/08/27-12:19:46.669 f74 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	327
Entropy (8bit):	5.195939952231808
Encrypted:	false
SSDEEP:	6:N7ODTLcAVq2PcNwi23oH+TcwtrQMxIFUt887ODTL0LAgZmw+87ODTLyIkwOcNwiE:N7OnvLZYebCFUt887Ow/+87OZ54ZYebf
MD5:	C6E51662959DF094544F07819F0BFC5A
SHA1:	63F12DE36CEFBE6A9F3C9094BE0A8371B424583C
SHA-256:	D2B9EDEBF4600C6ED9B6838116E84E2DE6DA07F9C72868FEDEB4BB2B09A9F03F
SHA-512:	D009D5E3B3E4A2C722EE282AE9C660551E42A83BDF89257BC487A9D5A25FAC101FE811EFA311C38143CC3E08EDCAD623E43AB4C944179290F709691D262D4F92
Malicious:	false
Preview:	2024/08/27-12:19:46.660 f74 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/08/27-12:19:46.662 f74 Recovering log #3.2024/08/27-12:19:46.669 f74 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.16675016774023
Encrypted:	false
SSDEEP:	6:N7ODBSQyq2PcNwi23oH+Tcwt7Uh2ghZIFUt887ODTL8XG1Zmw+87ODTLORSQRkwh:N7OdjyvLZYebIhHh2FUt887Oow/+87OO
MD5:	8EF4A8008C4075FA4682034B42E3FA7F
SHA1:	A6C58862A4E52A2E964E316C2719FD16B9659B31
SHA-256:	FBB13986A08953A6A204280DCB3DDDC9D9F97B6EB5178938B7A34C246994F4C9
SHA-512:	5AEF03224B58419C7240D6AB095DD8D0922386F5356007A8D0D42EB9419E289DFB9D88B60B7BE822D48BE022057ADFEFF1C741D93D81D54108905C74F3A9642E
Malicious:	false
Preview:	2024/08/27-12:19:45.974 22e4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/27-12:19:46.023 22e4 Recovering log #3.2024/08/27-12:19:46.024 22e4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.16675016774023
Encrypted:	false
SSDEEP:	6:N7ODBSQyq2PcNwi23oH+Tcwt7Uh2ghZIFUt887ODTL8XG1Zmw+87ODTLORSQRkwh:N7OdjyvLZYebIhHh2FUt887Oow/+87OO
MD5:	8EF4A8008C4075FA4682034B42E3FA7F
SHA1:	A6C58862A4E52A2E964E316C2719FD16B9659B31
SHA-256:	FBB13986A08953A6A204280DCB3DDDC9D9F97B6EB5178938B7A34C246994F4C9
SHA-512:	5AEF03224B58419C7240D6AB095DD8D0922386F5356007A8D0D42EB9419E289DFB9D88B60B7BE822D48BE022057ADFEFF1C741D93D81D54108905C74F3A9642E
Malicious:	false
Preview:	2024/08/27-12:19:45.974 22e4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/27-12:19:46.023 22e4 Recovering log #3.2024/08/27-12:19:46.024 22e4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF25097.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.16675016774023
Encrypted:	false
SSDEEP:	6:N7ODBSQyq2PcNwi23oH+Tcwt7Uh2ghZIFUt887ODTL8XG1Zmw+87ODTLORSQRkwh:N7OdjyvLZYebIhHh2FUt887Oow/+87OO
MD5:	8EF4A8008C4075FA4682034B42E3FA7F
SHA1:	A6C58862A4E52A2E964E316C2719FD16B9659B31
SHA-256:	FBB13986A08953A6A204280DCB3DDDC9D9F97B6EB5178938B7A34C246994F4C9
SHA-512:	5AEF03224B58419C7240D6AB095DD8D0922386F5356007A8D0D42EB9419E289DFB9D88B60B7BE822D48BE022057ADFEFF1C741D93D81D54108905C74F3A9642E
Malicious:	false
Preview:	2024/08/27-12:19:45.974 22e4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/27-12:19:46.023 22e4 Recovering log #3.2024/08/27-12:19:46.024 22e4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	437
Entropy (8bit):	5.273255299955078
Encrypted:	false
SSDEEP:	12:N7OiLvLZYebvqBQFUt887Of/+87O054ZYebvqBvJ:NCiLlYebvZg88ClC+oYebvk
MD5:	A3F6813DBB8795229C0677CDD30831D6
SHA1:	1CE8BB2BD78DD6F5F08826F254A7F4CFF295C786
SHA-256:	8A1059BDDEDF0BD19475E4C3FDF98D8CFF623B30978D18BDB6E1A696E3099C1D
SHA-512:	FE7586D02FE4E99F11A29164BA5BDBAFD5C053904E19965674ACB3B501ADB140C410C1B6A8D5F436A25CF431CF2A422362DDE5C4ED2727EE795F0D1929DA2FD8
Malicious:	false
Preview:	2024/08/27-12:19:46.689 f74 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/08/27-12:19:46.690 f74 Recovering log #3.2024/08/27-12:19:46.693 f74 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	437
Entropy (8bit):	5.273255299955078
Encrypted:	false
SSDEEP:	12:N7OiLvLZYebvqBQFUt887Of/+87O054ZYebvqBvJ:NCiLlYebvZg88ClC+oYebvk
MD5:	A3F6813DBB8795229C0677CDD30831D6
SHA1:	1CE8BB2BD78DD6F5F08826F254A7F4CFF295C786
SHA-256:	8A1059BDDEDF0BD19475E4C3FDF98D8CFF623B30978D18BDB6E1A696E3099C1D
SHA-512:	FE7586D02FE4E99F11A29164BA5BDBAFD5C053904E19965674ACB3B501ADB140C410C1B6A8D5F436A25CF431CF2A422362DDE5C4ED2727EE795F0D1929DA2FD8
Malicious:	false
Preview:	2024/08/27-12:19:46.689 f74 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/08/27-12:19:46.690 f74 Recovering log #3.2024/08/27-12:19:46.693 f74 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\479bfa24-0133-4078-8d2d-b93c5249e36d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3886039372934488
Encrypted:	false
SSDEEP:	24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:	DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:	949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:	3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:	7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\f1378736-449e-4e71-ab69-99a86b5f6163.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	428
Entropy (8bit):	5.261027099524709
Encrypted:	false
SSDEEP:	12:N7OjvLZYebvqBZFUt887OR/+87ON54ZYebvqBaJ:NCjlYebvyg88CnCfoYebvL
MD5:	62BF891BD289E764E4F0BE462D412B2C
SHA1:	E64A93CB78EBEC38601F59F45A1C01BC9AD91041
SHA-256:	8CFCF36389CB1F2DE5E21C893F8D7B78176D6C971ED08B06177A951B07BDB592
SHA-512:	114944E8C68BEACE9671F802B139A4F2D41740332D858FECA7D7B46612BD3F3C119CD681EADD27ECD2EB1422BA0B502D29363F0B8D260BC8406DCF02ED0DE9E8
Malicious:	false
Preview:	2024/08/27-12:19:46.666 2144 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/08/27-12:19:46.670 2144 Recovering log #3.2024/08/27-12:19:46.676 2144 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	428
Entropy (8bit):	5.261027099524709
Encrypted:	false
SSDEEP:	12:N7OjvLZYebvqBZFUt887OR/+87ON54ZYebvqBaJ:NCjlYebvyg88CnCfoYebvL
MD5:	62BF891BD289E764E4F0BE462D412B2C
SHA1:	E64A93CB78EBEC38601F59F45A1C01BC9AD91041
SHA-256:	8CFCF36389CB1F2DE5E21C893F8D7B78176D6C971ED08B06177A951B07BDB592
SHA-512:	114944E8C68BEACE9671F802B139A4F2D41740332D858FECA7D7B46612BD3F3C119CD681EADD27ECD2EB1422BA0B502D29363F0B8D260BC8406DCF02ED0DE9E8
Malicious:	false
Preview:	2024/08/27-12:19:46.666 2144 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/08/27-12:19:46.670 2144 Recovering log #3.2024/08/27-12:19:46.676 2144 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.2343897113840026
Encrypted:	false
SSDEEP:	6:N7ODPAVq2PcNwi23oH+TcwtpIFUt887OD5eAgZmw+87OD5eAIkwOcNwi23oH+TcM:N7OkvLZYebmFUt887OC/+87Ou54ZYeb7
MD5:	21AB7AD899A7DD1F73258C6D0B986604
SHA1:	510120115518070D223EC45A267A7C0B50D88A1F
SHA-256:	52954591F67DD18943A01B769370A84301190886AE6A42A3BFDF23BB69744305
SHA-512:	1E8CC7608B403A9924389C5C156E0C8064A5C82E9336C785561A4CE319022C83B06705C4A8276636328A4F56860AB33F956B751E1D24C2764779D9C6A0FA6B11
Malicious:	false
Preview:	2024/08/27-12:19:45.798 22a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/27-12:19:45.799 22a0 Recovering log #3.2024/08/27-12:19:45.799 22a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.2343897113840026
Encrypted:	false
SSDEEP:	6:N7ODPAVq2PcNwi23oH+TcwtpIFUt887OD5eAgZmw+87OD5eAIkwOcNwi23oH+TcM:N7OkvLZYebmFUt887OC/+87Ou54ZYeb7
MD5:	21AB7AD899A7DD1F73258C6D0B986604
SHA1:	510120115518070D223EC45A267A7C0B50D88A1F
SHA-256:	52954591F67DD18943A01B769370A84301190886AE6A42A3BFDF23BB69744305
SHA-512:	1E8CC7608B403A9924389C5C156E0C8064A5C82E9336C785561A4CE319022C83B06705C4A8276636328A4F56860AB33F956B751E1D24C2764779D9C6A0FA6B11
Malicious:	false
Preview:	2024/08/27-12:19:45.798 22a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/27-12:19:45.799 22a0 Recovering log #3.2024/08/27-12:19:45.799 22a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF24ffa.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.2343897113840026
Encrypted:	false
SSDEEP:	6:N7ODPAVq2PcNwi23oH+TcwtpIFUt887OD5eAgZmw+87OD5eAIkwOcNwi23oH+TcM:N7OkvLZYebmFUt887OC/+87Ou54ZYeb7
MD5:	21AB7AD899A7DD1F73258C6D0B986604
SHA1:	510120115518070D223EC45A267A7C0B50D88A1F
SHA-256:	52954591F67DD18943A01B769370A84301190886AE6A42A3BFDF23BB69744305
SHA-512:	1E8CC7608B403A9924389C5C156E0C8064A5C82E9336C785561A4CE319022C83B06705C4A8276636328A4F56860AB33F956B751E1D24C2764779D9C6A0FA6B11
Malicious:	false
Preview:	2024/08/27-12:19:45.798 22a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/27-12:19:45.799 22a0 Recovering log #3.2024/08/27-12:19:45.799 22a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 9
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1224505428389744
Encrypted:	false
SSDEEP:	384:KdM2qOB1nxCkjSAELyKOMq+8HKkjucswRv8p3:Kvq+n0o9ELyKOMq+8HKkjuczRv89
MD5:	4DC0355FF9CC2B4A89635D3DAB6803B6
SHA1:	D78A13A005618CC34F417E8BC1BC86DA45340293
SHA-256:	8F7724888718E36BEFAD39F2CD7DC2D8C0DF4C7061E13EEEDC06E8C7DD870A64
SHA-512:	F639734E4B9145FBD15D36BE930767E2DC87EC0F34CEB3D32042C273A255D103016821E65F738F29522B3D61F035899B097058C9589EA67F17B7DCD6B987A575
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\d52b1beb-76eb-4624-9e4e-c87a9dd5c876.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\debd787e-b284-45f5-9b7a-8bbf2fae0907.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7637
Entropy (8bit):	5.089198869826866
Encrypted:	false
SSDEEP:	96:stAqKbs14bDIQomXKaCvlPm8z8sY5eh6Cb7/x+6MhmuecmAeiBDfWCML/EJ:stAbsyomaNPmk8sY8bV+FiAjfWbLMJ
MD5:	F774157C56EC65D988AA29ED4BCD453E
SHA1:	E23EF94699D3C9CC16B880C50253DB6C5197E7BA
SHA-256:	8D582BAF5D922404E06792C34BDDC2AD8919AF5FB3BA1C4E57E90F21D550CF03
SHA-512:	8995F5CCFB6C062A6FD5470CE4722C0DBDA1D822E21B9C27A756EF2D364676CFEF05232C2C820EAD4A5ED07D1D985E4D1197924A5E52243A809517C82178E226
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369249186060901","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369249186059367"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\f5b9e436-81a8-4019-86cf-fb9df2cec0a6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\ff00549c-4ce9-40d6-b7cd-713d4e0c90cf.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4108834313259155
Encrypted:	false
SSDEEP:	24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8e+ZcI5fc:TnUYVAKAFXX+CcEc
MD5:	8593795778EA3EC8221366AA2FBBA867
SHA1:	2F307D4925183EA13E7BE637CB93ECAF2BA9810A
SHA-256:	F3C17873660988454A5A403D047FCE88379D1FE8917A89C98E6EB940F8929C03
SHA-512:	CC86DD61ACEDA6F2927C4C23CBD6D426F2C8CD1DF65E342C76D07153ACBF801F9B297F8EF182097CBABBDE6A49C90AF0E7A38E49AB53DF3FD2EC2D5BC675099A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049853797302745535
Encrypted:	false
SSDEEP:	6:Gd0VmH0Vw/CL9XCChslotGLNl0ml/XoQDeX:zcU66pEjVl/XoQ
MD5:	B887C3B344F41AE8E5D1C87A1E69FE2E
SHA1:	6E825A7C70667BAAB4BADC6497C14B6A7DC60359
SHA-256:	1DF0A503295E7C7643FE77610E74DDB87EC0CB7C660C21716662AC62C67379FA
SHA-512:	8E7E3C572B88059C6F5EA32605712E87F93FEF85FA28AB0F1247C04B279B4DC0D1D338E6050568282915DE3B509CD957B20C065F77D2345206EA229AC6D60D9B
Malicious:	false
Preview:	..-.....................B..".q.43.-......~.~v}..-.....................B..".q.43.-......~.~v}........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.192171277072408
Encrypted:	false
SSDEEP:	6:N7ODTLRq2PcNwi23oH+TcwtfrK+IFUt887ODTLMZmw+87ODTLk8kwOcNwi23oH+t:N7O1vLZYeb23FUt887OA/+87Ox54ZYet
MD5:	48634C6EF7C95CBA71A91BD8789B5664
SHA1:	58C0F5C6DFB063AF47F3687FA00A02C1E09F5894
SHA-256:	8708EFDBA5502263DB31D572F1C16EBB283FA8668B0AA2B5048E3768C8834B04
SHA-512:	8A1F550552C05F4E80AEB0613D8B64A4301BA8A41DB6272588E5033E31C2CB8A704164D3EED569D3CD013BD24CA5C125AC0E49B532A874AFBC3298FBDB917480
Malicious:	false
Preview:	2024/08/27-12:19:46.202 22e0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/27-12:19:46.202 22e0 Recovering log #3.2024/08/27-12:19:46.203 22e0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.192171277072408
Encrypted:	false
SSDEEP:	6:N7ODTLRq2PcNwi23oH+TcwtfrK+IFUt887ODTLMZmw+87ODTLk8kwOcNwi23oH+t:N7O1vLZYeb23FUt887OA/+87Ox54ZYet
MD5:	48634C6EF7C95CBA71A91BD8789B5664
SHA1:	58C0F5C6DFB063AF47F3687FA00A02C1E09F5894
SHA-256:	8708EFDBA5502263DB31D572F1C16EBB283FA8668B0AA2B5048E3768C8834B04
SHA-512:	8A1F550552C05F4E80AEB0613D8B64A4301BA8A41DB6272588E5033E31C2CB8A704164D3EED569D3CD013BD24CA5C125AC0E49B532A874AFBC3298FBDB917480
Malicious:	false
Preview:	2024/08/27-12:19:46.202 22e0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/27-12:19:46.202 22e0 Recovering log #3.2024/08/27-12:19:46.203 22e0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old~RF250b6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.192171277072408
Encrypted:	false
SSDEEP:	6:N7ODTLRq2PcNwi23oH+TcwtfrK+IFUt887ODTLMZmw+87ODTLk8kwOcNwi23oH+t:N7O1vLZYeb23FUt887OA/+87Ox54ZYet
MD5:	48634C6EF7C95CBA71A91BD8789B5664
SHA1:	58C0F5C6DFB063AF47F3687FA00A02C1E09F5894
SHA-256:	8708EFDBA5502263DB31D572F1C16EBB283FA8668B0AA2B5048E3768C8834B04
SHA-512:	8A1F550552C05F4E80AEB0613D8B64A4301BA8A41DB6272588E5033E31C2CB8A704164D3EED569D3CD013BD24CA5C125AC0E49B532A874AFBC3298FBDB917480
Malicious:	false
Preview:	2024/08/27-12:19:46.202 22e0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/27-12:19:46.202 22e0 Recovering log #3.2024/08/27-12:19:46.203 22e0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	816
Entropy (8bit):	4.0647916882227655
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z32m5t/yVf9HqlIZfkBA//DtKhKg+rOyBrgxvB1ySxs:G0nYUtypD32m3yWlIZMBA5NgKIvB8Sxs
MD5:	3BE72D8D40752B3A97028FDB2931FABA
SHA1:	A27EA4726857A948F0A4B074062B674469A9A371
SHA-256:	3C18553C8C3F7E801855F3579AC57F3C156D783BBA27FB35C6D2FB6CB89BD902
SHA-512:	8EBD4D6980BB7796615217E72BC65953C920B68B9259341CD52858C1E889EC90339E2A304FE0C971D6C6EF9AFC4A00CFB3E5CC89C7B2DF8737A0C7EC241BDADC
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....X...................20_.....W.J+.................19_......qY.................18_.....'}2..................37_.......c..................38_......i...................39_.....Owa..................20_.....4.9..................20_.....B.I..................19_..........................18_.....2.1..................37_..........................38_......=.%.................39_.....p.j..................9_.....JJ...................9_.....\|.&R.................__global... ./....................__global... ..T...................__global... ...G..................__global... ......................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.255495578208162
Encrypted:	false
SSDEEP:	6:N7b+q2PcNwi23oH+TcwtfrzAdIFUt887qZmw+87GVkwOcNwi23oH+TcwtfrzILJ:N7b+vLZYeb9FUt887q/+87GV54ZYeb2J
MD5:	39D3EBB12E79A8CC307086887AD95CA7
SHA1:	02E46EAD893DDEDE7143536A3428C2503F2B388F
SHA-256:	9C6CEC69D2B737E622BAB4421D240491D92FEEC36A38559FC797F5993A54AA5C
SHA-512:	57501773CD54D677550C17553E08F1FAF89F4DCF1CB9293DEE67D26F090605E6E80C059F50D3E5A5C93177699BEF40868A58FA4A1E190BCC415BF9B1CEFA1886
Malicious:	false
Preview:	2024/08/27-13:28:05.997 234c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/27-13:28:05.998 234c Recovering log #3.2024/08/27-13:28:05.998 234c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.255495578208162
Encrypted:	false
SSDEEP:	6:N7b+q2PcNwi23oH+TcwtfrzAdIFUt887qZmw+87GVkwOcNwi23oH+TcwtfrzILJ:N7b+vLZYeb9FUt887q/+87GV54ZYeb2J
MD5:	39D3EBB12E79A8CC307086887AD95CA7
SHA1:	02E46EAD893DDEDE7143536A3428C2503F2B388F
SHA-256:	9C6CEC69D2B737E622BAB4421D240491D92FEEC36A38559FC797F5993A54AA5C
SHA-512:	57501773CD54D677550C17553E08F1FAF89F4DCF1CB9293DEE67D26F090605E6E80C059F50D3E5A5C93177699BEF40868A58FA4A1E190BCC415BF9B1CEFA1886
Malicious:	false
Preview:	2024/08/27-13:28:05.997 234c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/27-13:28:05.998 234c Recovering log #3.2024/08/27-13:28:05.998 234c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old~RF250b6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.255495578208162
Encrypted:	false
SSDEEP:	6:N7b+q2PcNwi23oH+TcwtfrzAdIFUt887qZmw+87GVkwOcNwi23oH+TcwtfrzILJ:N7b+vLZYeb9FUt887q/+87GV54ZYeb2J
MD5:	39D3EBB12E79A8CC307086887AD95CA7
SHA1:	02E46EAD893DDEDE7143536A3428C2503F2B388F
SHA-256:	9C6CEC69D2B737E622BAB4421D240491D92FEEC36A38559FC797F5993A54AA5C
SHA-512:	57501773CD54D677550C17553E08F1FAF89F4DCF1CB9293DEE67D26F090605E6E80C059F50D3E5A5C93177699BEF40868A58FA4A1E190BCC415BF9B1CEFA1886
Malicious:	false
Preview:	2024/08/27-13:28:05.997 234c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/27-13:28:05.998 234c Recovering log #3.2024/08/27-13:28:05.998 234c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44236
Entropy (8bit):	6.089501633028578
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kPTKKGf4OrtBF1OIlPsm7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yngt5b7VLyMV/YoskFoz
MD5:	6AF6406DE7B5593AA08A01381C72C392
SHA1:	65D0CC775A9DF106E56B2F9FBF971D1D146B9614
SHA-256:	EBBDA0AA4CB6DCF9B74324F142209C0B00F93383BE529DBF91687C6165B05AE7
SHA-512:	09A443490210EE1BA12043E333CE2524F8DCC02F4AC18C0ED2E651FABFCE5B42CD4E7F9F0DB467F355E3388DB312BD908D1C6650304349C80C5F665FE6718865
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF2306c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44236
Entropy (8bit):	6.089501633028578
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kPTKKGf4OrtBF1OIlPsm7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yngt5b7VLyMV/YoskFoz
MD5:	6AF6406DE7B5593AA08A01381C72C392
SHA1:	65D0CC775A9DF106E56B2F9FBF971D1D146B9614
SHA-256:	EBBDA0AA4CB6DCF9B74324F142209C0B00F93383BE529DBF91687C6165B05AE7
SHA-512:	09A443490210EE1BA12043E333CE2524F8DCC02F4AC18C0ED2E651FABFCE5B42CD4E7F9F0DB467F355E3388DB312BD908D1C6650304349C80C5F665FE6718865
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF231b4.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44236
Entropy (8bit):	6.089501633028578
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kPTKKGf4OrtBF1OIlPsm7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yngt5b7VLyMV/YoskFoz
MD5:	6AF6406DE7B5593AA08A01381C72C392
SHA1:	65D0CC775A9DF106E56B2F9FBF971D1D146B9614
SHA-256:	EBBDA0AA4CB6DCF9B74324F142209C0B00F93383BE529DBF91687C6165B05AE7
SHA-512:	09A443490210EE1BA12043E333CE2524F8DCC02F4AC18C0ED2E651FABFCE5B42CD4E7F9F0DB467F355E3388DB312BD908D1C6650304349C80C5F665FE6718865
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF232dd.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44236
Entropy (8bit):	6.089501633028578
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kPTKKGf4OrtBF1OIlPsm7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yngt5b7VLyMV/YoskFoz
MD5:	6AF6406DE7B5593AA08A01381C72C392
SHA1:	65D0CC775A9DF106E56B2F9FBF971D1D146B9614
SHA-256:	EBBDA0AA4CB6DCF9B74324F142209C0B00F93383BE529DBF91687C6165B05AE7
SHA-512:	09A443490210EE1BA12043E333CE2524F8DCC02F4AC18C0ED2E651FABFCE5B42CD4E7F9F0DB467F355E3388DB312BD908D1C6650304349C80C5F665FE6718865
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF250a6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44236
Entropy (8bit):	6.089501633028578
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kPTKKGf4OrtBF1OIlPsm7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yngt5b7VLyMV/YoskFoz
MD5:	6AF6406DE7B5593AA08A01381C72C392
SHA1:	65D0CC775A9DF106E56B2F9FBF971D1D146B9614
SHA-256:	EBBDA0AA4CB6DCF9B74324F142209C0B00F93383BE529DBF91687C6165B05AE7
SHA-512:	09A443490210EE1BA12043E333CE2524F8DCC02F4AC18C0ED2E651FABFCE5B42CD4E7F9F0DB467F355E3388DB312BD908D1C6650304349C80C5F665FE6718865
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF250d5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44236
Entropy (8bit):	6.089501633028578
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kPTKKGf4OrtBF1OIlPsm7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yngt5b7VLyMV/YoskFoz
MD5:	6AF6406DE7B5593AA08A01381C72C392
SHA1:	65D0CC775A9DF106E56B2F9FBF971D1D146B9614
SHA-256:	EBBDA0AA4CB6DCF9B74324F142209C0B00F93383BE529DBF91687C6165B05AE7
SHA-512:	09A443490210EE1BA12043E333CE2524F8DCC02F4AC18C0ED2E651FABFCE5B42CD4E7F9F0DB467F355E3388DB312BD908D1C6650304349C80C5F665FE6718865
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF250f4.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44236
Entropy (8bit):	6.089501633028578
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kPTKKGf4OrtBF1OIlPsm7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yngt5b7VLyMV/YoskFoz
MD5:	6AF6406DE7B5593AA08A01381C72C392
SHA1:	65D0CC775A9DF106E56B2F9FBF971D1D146B9614
SHA-256:	EBBDA0AA4CB6DCF9B74324F142209C0B00F93383BE529DBF91687C6165B05AE7
SHA-512:	09A443490210EE1BA12043E333CE2524F8DCC02F4AC18C0ED2E651FABFCE5B42CD4E7F9F0DB467F355E3388DB312BD908D1C6650304349C80C5F665FE6718865
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zEflTRVKll:/M/xT02zh
MD5:	2AC043FFC3FB1489EB37C88AD37E8FC9
SHA1:	F630FBEA845C4A7E82D9CF69129185867D9A804C
SHA-256:	7496563BC0997748A353EEAE2387BAE31553E79B298C47D12B6172C11C10AE47
SHA-512:	58EA541FBDE756B3488E0C9FD3740ECB9153B01CDA6DAA98C2DBDA82130A431A673E3B77006DDA8ABB58182600A5931713DA064F2A85793F96DD83E791191DA0
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQp:YQ3Kq9X0dMgAEiLIj
MD5:	8549C255650427D618EF18B14DFD2B56
SHA1:	8272585186777B344DB3960DF62B00F570D247F6
SHA-256:	40395D9CA4B65D48DEAC792844A77D4F8051F1CEF30DF561DACFEEED3C3BAE13
SHA-512:	E5BB8A0AD338372635C3629E306604E3DC5A5C26FB5547A3DD7E404E5261630612C07326E7EBF5B47ABAFADE8E555965A1A59A1EECFC496DCDD5003048898A8C
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\aedf9a37-af3a-48cc-8a00-687c26839604.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44752
Entropy (8bit):	6.094958477114957
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xi+KKGf4Aq8G3FEEvAKN7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yO/N7VLyMV/YoskFoz
MD5:	AFDC2441AEB3E37534A8BC138CF20071
SHA1:	8C3823E834CAC8B4CF9E90E6EF089C4B00293F9F
SHA-256:	20052174B3D5265D3424DC76D6963200B0A8AC07CEC2782827B7F1C41CD1A7AD
SHA-512:	2B47BF3FB94CE40F368B691B8C19DDE2A2BD4AA32259382D0007C1814DA2C63C7CEE830F397A653FDC03A54AFCBB85A38122A743B2188F8996BA3F4A290262FD
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\b1e8d6b5-f2c2-484e-8676-e02437cc7c42.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44752
Entropy (8bit):	6.095027845011346
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xi+KKGf4AIFGiMOPXzcF2N7DRo+yM/42cRaLMoskCiG:z/Ps+wsI7yOzN7VLyMV/YoskFoz
MD5:	59C628B64B0E16A48C92F2D52D73A2C4
SHA1:	21F0B3CCB517C2F6D691F6EBD58F21577F218A3C
SHA-256:	2807B57CC748EEA67D66666C0A550B51299A04B4F9E361A5DDDCDB943CF7206B
SHA-512:	0FB59F613143CEDB9F96E3AB1497A99B93F2A1944A8B2E51CD3C543F9A9709A1423102759E0DA390AB117A6F94D4DB62121B0C8092A1938E1DA4C38E5412BC3E
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\cc8b3a08-74b1-4ab2-8095-7aed97edb755.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44752
Entropy (8bit):	6.095027845011346
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xi+KKGf4AIFGiMOPXzcF2N7DRo+yM/42cRaLMoskCiG:z/Ps+wsI7yOzN7VLyMV/YoskFoz
MD5:	59C628B64B0E16A48C92F2D52D73A2C4
SHA1:	21F0B3CCB517C2F6D691F6EBD58F21577F218A3C
SHA-256:	2807B57CC748EEA67D66666C0A550B51299A04B4F9E361A5DDDCDB943CF7206B
SHA-512:	0FB59F613143CEDB9F96E3AB1497A99B93F2A1944A8B2E51CD3C543F9A9709A1423102759E0DA390AB117A6F94D4DB62121B0C8092A1938E1DA4C38E5412BC3E
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\e6befef1-3b91-4f1b-a3c8-8ca1f3681353.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44752
Entropy (8bit):	6.094974105463212
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xi+KKGf4AqaG3FEEvAKN7DRo+yM/42cRaLMoskCioz:z/Ps+wsI7yOlN7VLyMV/YoskFoz
MD5:	EB24D7CDD4A4F953D916D542D25E4D55
SHA1:	857A8ADBE9B8D5C832238FA5872DC2FF33DDE024
SHA-256:	3B38C9EF406CE4B78260F11A699818C39A0F390D05C2E8B4C2CCFDB97EFBC33E
SHA-512:	84CD940DAC523B46B4603C0D581363E57C87186E95B16ED897AE303788B00D06A46CEA7E1F8286AC27FC155766C2AF342BF4A4C7BB2FF430C50F1EB0355ED94B
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.848456652320441
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxBxl9Il8uuoYkfaQ1Nfodlsp2Fl6d1rc:mUYbY6aQ1d6ldFr
MD5:	056AE70E2A260B7B8052CACFF63BF044
SHA1:	92FE0FCE147F1840C03B95F764F04AB7E9D83B90
SHA-256:	9E1D774412BA7F503EA73995D78D910674C1F86D23C5027D5963E3A6344E4FB6
SHA-512:	D451B86E90C21D199225D288AC9CB6EE5193E8276CC63268555FD11BD0E9417733F952C4F8229C8F659DFA471F27990180D8AEA97B7AFBB230BA6A82F712EA1D
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.L.2.u.R.q.X.4.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.f.b.O.N.D.b.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	3.994709033839187
Encrypted:	false
SSDEEP:	96:NYbYyCDYavz3zhF1tlZ6aQHElPibrFHznSw/5fBi4bfTRfj2LU:NMSDYiNkHElGr5PfB1fTt2A
MD5:	B3FE2C9DD6D0940DDED4F9C490260FE2
SHA1:	EB4516617207719446C24D5CD11A64C0D63F5B8B
SHA-256:	5D6ABA95BF57A40A1F505148659D7BDD0CD06E5E30AA54472D3C21453316C226
SHA-512:	E6B2F69C10C0DEEB439EF33053EAFEA8AC268D8DAB9716DEE3B791D260383674F09085B5A59EAEF28B07B9D90048B0A5064176B94C124D90CAFF5552FF2D6F8E
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".Q.N.b.K.L.J.3.4.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.f.b.O.N.D.b.

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1190
Entropy (8bit):	5.3833961283806655
Encrypted:	false
SSDEEP:	24:YK0bl5r75riCe0qW+5Ua02EHP5IKL0jZ5JwbX/B+L0uiSUL0h:YK0bl5r75riN0qW+5Ua02sP5IKL0jZ5b
MD5:	3EA4FC57EFBB77F2AB9D17F7A98C4BD7
SHA1:	DFEB6D64E06C97B456A916A45221CFB41BE174AA
SHA-256:	CCAD4AB59AC3DA29B53E92A2630AC059E47C6964C6CA71B289D2718A5D6DF867
SHA-512:	BD9F06358E710CA099C239353657BA8DA65F3E2360776211BC86D352CBBC7308DBCB024841FCD6359A4C98B5055652D906E79908147EEE365989A9309C390610
Malicious:	false
Preview:	{"logTime": "1005/074019", "correlationVector":"Jzai6BfByv5amZ45/NBe5r","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/074027", "correlationVector":"eO8FwRQNRwFtIUhPNa0yBN","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/074027", "correlationVector":"DFCC0B139A2547CAA3433B33892C7FE6","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075031", "correlationVector":"bWXPYvVSVVANvrGBV6dHxn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075032", "correlationVector":"4CD8E3A1D096444AAB77DA6A690C4356","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075123", "correlationVector":"t3DmiSvoNTibe+/mLDIMfl","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075124", "correlationVector":"B2B504519464422FA5C6E610072CF270","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075313", "correlationVector":"/q9eTq3f/ZawbQrLDVWKju","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075314", "correlationVector":"138D0C7D

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\875a60a09683c344.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.51020201718977
Encrypted:	false
SSDEEP:	48:pXEOc0dOBE89sJyrPzBdLXuH9kDpfX2ANT9dOBd9sJyrPzngdLXuH9k+21:j43udkDMrnIudkz
MD5:	CE106467497771045542108BE1387B36
SHA1:	AD105B8CE21F41CFE5954215011AE7F6557D7C35
SHA-256:	41E137185F1CBA5578C811580C7EBBC4E7B84799A8E65C2ECB0CD69F8ED4064E
SHA-512:	55F33816DA2E697A909E6F8AF77973759690329EC583E059661BB071B911BC5ECDAF147D6E26A22C4E85873C0D83A4A1F1EE3BA80F5EE81A6FE90581760D3041
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....QO.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....EW.>..PROGRA~2.........O.IEW.>....................V.....esn.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Yo............................p..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.EW98...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Yn...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Yn.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j.............<......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J1RIMSGK7T5ZGY3TK978.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.51020201718977
Encrypted:	false
SSDEEP:	48:pXEOc0dOBE89sJyrPzBdLXuH9kDpfX2ANT9dOBd9sJyrPzngdLXuH9k+21:j43udkDMrnIudkz
MD5:	CE106467497771045542108BE1387B36
SHA1:	AD105B8CE21F41CFE5954215011AE7F6557D7C35
SHA-256:	41E137185F1CBA5578C811580C7EBBC4E7B84799A8E65C2ECB0CD69F8ED4064E
SHA-512:	55F33816DA2E697A909E6F8AF77973759690329EC583E059661BB071B911BC5ECDAF147D6E26A22C4E85873C0D83A4A1F1EE3BA80F5EE81A6FE90581760D3041
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....QO.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....EW.>..PROGRA~2.........O.IEW.>....................V.....esn.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Yo............................p..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.EW98...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Yn...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Yn.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j.............<......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QNYKD9A8W21B2X1ELF1K.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5121278563939984
Encrypted:	false
SSDEEP:	48:pXENT9dOBd9sJyrPzBdLXuH9kDpfX2ANT9dOBd9sJyrPzngdLXuH9k+21:B3udkDMrnIudkz
MD5:	E277EC92AE31103CFDF80A6AAA3D9567
SHA1:	82C204E6D888DF70F9E72686F2916C6545099B9E
SHA-256:	73659C472C43D8A8B1E528632191370621EA3EB90AAD585FE4797BFA36F7FAC3
SHA-512:	5C0703DEA28A2E80DFE563E4663DAF3CF95A54B9108C455A502B1175FD68D36B921F841EBA277BB41D6A7C4062A664B39118BA29975DD48F920829265E1441C8
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....QO.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Yl...PROGRA~2.........O.I.Yl.....................V.......*.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Yo............................p..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Yq............................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Yn...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Yn.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j.............<......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5121278563939984
Encrypted:	false
SSDEEP:	48:pXENT9dOBd9sJyrPzBdLXuH9kDpfX2ANT9dOBd9sJyrPzngdLXuH9k+21:B3udkDMrnIudkz
MD5:	E277EC92AE31103CFDF80A6AAA3D9567
SHA1:	82C204E6D888DF70F9E72686F2916C6545099B9E
SHA-256:	73659C472C43D8A8B1E528632191370621EA3EB90AAD585FE4797BFA36F7FAC3
SHA-512:	5C0703DEA28A2E80DFE563E4663DAF3CF95A54B9108C455A502B1175FD68D36B921F841EBA277BB41D6A7C4062A664B39118BA29975DD48F920829265E1441C8
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....QO.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Yl...PROGRA~2.........O.I.Yl.....................V.......*.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Yo............................p..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Yq............................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Yn...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Yn.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j.............<......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579778521708372
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	e492ac6462163322873acd722cda21f6
SHA1:	a7a24e37488e35b22e8519c1122eee402df5926f
SHA256:	ef4ed3b3b8d21ca6b161f8f151ab3644876767c8c01d6472bf1a52c03d306978
SHA512:	093729448d93991469d3479a0c702ddd0f281c849473ab7cefc8824d8aa11ee28ae6098df5c9a5f8386c205b8a84ed0ba0de287d20abf6e27cbd5a26d417e21b
SSDEEP:	12288:jqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTe:jqDEvCTbMWu7rQYlBQcBiT6rprG8ase
TLSH:	D8159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CDF4E0 [Tue Aug 27 15:46:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F52C8522753h
jmp 00007F52C852205Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F52C852223Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F52C852220Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F52C8524DFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F52C8524E48h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F52C8524E31h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95c8	0x9600	6a1739a739cea7008a707654f1ede13c	False	0.286953125	data	5.166114373930087	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x890	data			1.0050182481751824
RT_GROUP_ICON	0xdd048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 18:19:22.997297049 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 27, 2024 18:19:23.856718063 CEST	49674	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:23.856759071 CEST	49675	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:23.919274092 CEST	49672	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:25.403528929 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 27, 2024 18:19:29.504415989 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:19:29.887695074 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:19:30.286092043 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 27, 2024 18:19:30.715806961 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:19:32.231537104 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:19:32.692579031 CEST	49710	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:32.692606926 CEST	443	49710	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:32.692698956 CEST	49710	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:32.698704958 CEST	49710	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:32.698719025 CEST	443	49710	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.347312927 CEST	443	49710	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.347373009 CEST	49710	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:33.416344881 CEST	49710	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:33.416362047 CEST	443	49710	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.416687965 CEST	443	49710	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.512300968 CEST	49710	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:33.518815994 CEST	49674	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:33.518857956 CEST	49675	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:33.538870096 CEST	49672	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:33.552512884 CEST	443	49710	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.697935104 CEST	443	49710	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.697989941 CEST	443	49710	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.698072910 CEST	49710	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:33.698163986 CEST	49710	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:33.698185921 CEST	443	49710	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.698234081 CEST	49710	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:33.698241949 CEST	443	49710	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.743906975 CEST	49716	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:33.743937969 CEST	443	49716	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.744015932 CEST	49716	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:33.744369030 CEST	49716	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:33.744385004 CEST	443	49716	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:33.812819958 CEST	49717	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:33.812851906 CEST	443	49717	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:33.812968969 CEST	49717	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:33.814564943 CEST	49717	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:33.814579010 CEST	443	49717	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:34.387655020 CEST	443	49716	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:34.387746096 CEST	49716	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:34.424525976 CEST	49716	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:34.424546003 CEST	443	49716	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:34.424823046 CEST	443	49716	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:34.425792933 CEST	49716	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:34.472496986 CEST	443	49716	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:34.500582933 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:34.500617981 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:34.500691891 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:34.500858068 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:34.500871897 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:34.611701965 CEST	443	49717	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:34.611803055 CEST	49717	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:34.664659977 CEST	443	49716	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:34.664731979 CEST	443	49716	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:34.666208982 CEST	49716	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:34.714118004 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:34.714149952 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:34.714221954 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:34.715023041 CEST	49722	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:34.715068102 CEST	443	49722	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:34.715117931 CEST	49722	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:34.715627909 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:34.715636015 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:34.715712070 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:34.716267109 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:34.716276884 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:34.716324091 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:34.717456102 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:34.717466116 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:34.717592001 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:34.717605114 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:34.717688084 CEST	49722	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:34.717696905 CEST	443	49722	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:34.717819929 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:34.717828989 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:34.734693050 CEST	49717	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:34.734709978 CEST	443	49717	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:34.735125065 CEST	443	49717	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:34.745359898 CEST	49716	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:34.745377064 CEST	443	49716	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:34.745421886 CEST	49716	443	192.168.2.7	184.28.90.27
Aug 27, 2024 18:19:34.745429039 CEST	443	49716	184.28.90.27	192.168.2.7
Aug 27, 2024 18:19:34.797543049 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:34.797561884 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:34.797657967 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:34.797846079 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:34.797856092 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:34.803900957 CEST	49729	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:34.803932905 CEST	443	49729	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:34.804033041 CEST	49729	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:34.804760933 CEST	49729	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:34.804776907 CEST	443	49729	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:34.860881090 CEST	49717	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:35.138355970 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.138605118 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.138624907 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.139653921 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.139718056 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.141078949 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.141159058 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.141352892 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.141352892 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.141365051 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.141505957 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.192367077 CEST	443	49722	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.192651987 CEST	49722	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.192673922 CEST	443	49722	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.193742990 CEST	443	49722	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.193797112 CEST	49722	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.194941998 CEST	49722	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.195005894 CEST	443	49722	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.195220947 CEST	49722	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.195228100 CEST	443	49722	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.198419094 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.198633909 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.198646069 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.199736118 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.199789047 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.200671911 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.200735092 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.200833082 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.206872940 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.207079887 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.207101107 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.208112955 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.208173990 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.209120035 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.209177017 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.209289074 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.209299088 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.210170984 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.210360050 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.210371971 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.211477995 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.211534977 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.212436914 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.212523937 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.212618113 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.212625980 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.231314898 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:19:35.243134022 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.243154049 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.243171930 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.243215084 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.243226051 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.243236065 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.243268013 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.244508982 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.288156986 CEST	443	49729	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.288382053 CEST	49729	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.288403034 CEST	443	49729	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.289421082 CEST	443	49729	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.289482117 CEST	49729	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.290440083 CEST	49729	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.290509939 CEST	443	49729	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.290581942 CEST	49729	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.320265055 CEST	443	49722	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.320317984 CEST	49722	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.320467949 CEST	49722	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.320491076 CEST	443	49722	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.321259975 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.321301937 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.321434975 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.321441889 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.325741053 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.325758934 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.325824022 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.325834990 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.325956106 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.327330112 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.327347994 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.327424049 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.327438116 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.327531099 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.336494923 CEST	443	49729	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.339423895 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.339474916 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.339637995 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:35.339651108 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:35.340770006 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.340806961 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.341342926 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.341347933 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.368736029 CEST	49729	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.368753910 CEST	443	49729	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.411659956 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.411679983 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.411780119 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.411780119 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.411791086 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.411832094 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.411892891 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.411952972 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.411959887 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.411972046 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.412028074 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.412497997 CEST	49720	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.412513018 CEST	443	49720	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.415290117 CEST	443	49729	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.415340900 CEST	49729	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.415482998 CEST	49729	443	192.168.2.7	172.64.41.3
Aug 27, 2024 18:19:35.415494919 CEST	443	49729	172.64.41.3	192.168.2.7
Aug 27, 2024 18:19:35.431806087 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.432159901 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.432178974 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.433401108 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.433465004 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.433826923 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.433903933 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.433960915 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.480499029 CEST	49717	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:35.480506897 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.480592966 CEST	443	49717	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:35.480787992 CEST	443	49717	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:35.480848074 CEST	49717	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:35.480875015 CEST	49717	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:35.516783953 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.516803026 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.535979986 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.535995007 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.536012888 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.536020041 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.536037922 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.536040068 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.536046982 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.536083937 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.536196947 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.536242962 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.536283016 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.537189007 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.537204981 CEST	443	49727	13.107.246.60	192.168.2.7
Aug 27, 2024 18:19:35.537213087 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.537261009 CEST	49727	443	192.168.2.7	13.107.246.60
Aug 27, 2024 18:19:35.956331015 CEST	443	49699	104.98.116.138	192.168.2.7
Aug 27, 2024 18:19:35.956429005 CEST	49699	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:36.115820885 CEST	49734	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:36.115848064 CEST	443	49734	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:36.115915060 CEST	49734	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:36.116892099 CEST	49734	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:36.116904020 CEST	443	49734	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:36.344280005 CEST	49735	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.344310999 CEST	443	49735	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.344419956 CEST	49735	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.344912052 CEST	49736	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.344919920 CEST	443	49736	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.344996929 CEST	49736	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.345304966 CEST	49735	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.345319033 CEST	443	49735	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.345412016 CEST	49736	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.345417976 CEST	443	49736	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.804624081 CEST	443	49736	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.806772947 CEST	443	49735	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.907501936 CEST	443	49734	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:36.907583952 CEST	49734	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:36.928622961 CEST	49736	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.966660976 CEST	49736	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.966670990 CEST	443	49736	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.967065096 CEST	49735	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.967075109 CEST	443	49735	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.967247009 CEST	443	49736	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.967535973 CEST	443	49735	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.969167948 CEST	49736	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.969257116 CEST	443	49736	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.969589949 CEST	49735	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.969679117 CEST	443	49735	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:37.024472952 CEST	49735	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:37.084002018 CEST	49736	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:37.085335970 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.085393906 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.085468054 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.085475922 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.085522890 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.085556030 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.085942984 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.085958004 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.086334944 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.086345911 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.179194927 CEST	49734	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.179215908 CEST	443	49734	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.179574966 CEST	443	49734	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.181226969 CEST	49734	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.181370974 CEST	49734	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.181399107 CEST	443	49734	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.382575035 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.382610083 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.382718086 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.382848024 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.382857084 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.551465034 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.555399895 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.558650970 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.558677912 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.558948040 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.558955908 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.559113026 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.559175968 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.559353113 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.559422016 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.559906006 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.559959888 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.560097933 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.560147047 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.563975096 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.564060926 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.564090014 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.564157963 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.564301014 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.564306974 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.564476967 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.564487934 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.591996908 CEST	443	49734	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.592077017 CEST	443	49734	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.592215061 CEST	49734	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.593514919 CEST	49734	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.593533993 CEST	443	49734	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.593545914 CEST	49734	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.593553066 CEST	443	49734	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.612689972 CEST	49740	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.612715960 CEST	443	49740	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.612819910 CEST	49740	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.613040924 CEST	49740	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.613053083 CEST	443	49740	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.638525009 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.675391912 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.675421953 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.675484896 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.675734043 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:37.675749063 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:37.717622995 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.733633041 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.735140085 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.735233068 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.737149000 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.737756968 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.737812996 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.744250059 CEST	49737	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.744267941 CEST	443	49737	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.745104074 CEST	49738	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:37.745110989 CEST	443	49738	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:37.860230923 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.860966921 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.860980988 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.862104893 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.862180948 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.863728046 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.863817930 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.864120960 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.864126921 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.935856104 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.961067915 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.961122990 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.961219072 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.961234093 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.961386919 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.961460114 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.961464882 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.961471081 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.961498976 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.961505890 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.961556911 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:37.961657047 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.962234974 CEST	49739	443	192.168.2.7	142.250.65.196
Aug 27, 2024 18:19:37.962251902 CEST	443	49739	142.250.65.196	192.168.2.7
Aug 27, 2024 18:19:38.061585903 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.061631918 CEST	443	49742	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.061764956 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.061832905 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.061866999 CEST	443	49743	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.061929941 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.062067032 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.062081099 CEST	443	49742	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.062215090 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.062227011 CEST	443	49743	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.393115997 CEST	443	49740	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.393601894 CEST	49740	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:38.393626928 CEST	443	49740	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.403323889 CEST	49740	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:38.403328896 CEST	443	49740	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.403388023 CEST	49740	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:38.403402090 CEST	443	49740	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.462299109 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.462944984 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:38.462965965 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.464047909 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:38.464059114 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.464082003 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:38.464092016 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.523925066 CEST	443	49743	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.524215937 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.524233103 CEST	443	49743	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.524724960 CEST	443	49743	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.524785042 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.525000095 CEST	443	49742	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.525554895 CEST	443	49743	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.525597095 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.525620937 CEST	443	49742	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.525660992 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.525912046 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.525976896 CEST	443	49743	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.526042938 CEST	443	49742	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.526114941 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.526784897 CEST	443	49742	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.526837111 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.527029037 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.527091026 CEST	443	49742	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.675913095 CEST	443	49740	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.676008940 CEST	443	49740	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.676096916 CEST	49740	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:38.676218987 CEST	49740	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:38.676238060 CEST	443	49740	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.676250935 CEST	49740	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:38.676258087 CEST	443	49740	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:38.723355055 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.723361969 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.723376036 CEST	443	49743	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.723377943 CEST	443	49742	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.828718901 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.828727961 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:39.946301937 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 27, 2024 18:19:40.614491940 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:40.614514112 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:40.614528894 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:40.614599943 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:40.614615917 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:40.614666939 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:40.615051031 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:40.615107059 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:40.615118027 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:40.615160942 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:40.615338087 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:40.615356922 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:40.615370035 CEST	49741	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:40.615376949 CEST	443	49741	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:40.879714966 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:40.879755020 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:40.879868984 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:40.880060911 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:40.880076885 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:41.184987068 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:19:41.668000937 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:41.668543100 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:41.668585062 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:41.669337988 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:41.669353008 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:41.669454098 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:41.669470072 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:42.416230917 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:42.416258097 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:42.416292906 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:42.416343927 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:42.416343927 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:42.416368008 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:42.416383982 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:42.416471004 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:42.417074919 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:42.417074919 CEST	49744	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:42.417090893 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:42.417095900 CEST	443	49744	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:42.466728926 CEST	49745	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:42.466762066 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:42.466855049 CEST	49745	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:42.467057943 CEST	49745	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:42.467072010 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.271895885 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.272465944 CEST	49745	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.272490978 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.273190022 CEST	49745	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.273196936 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.273245096 CEST	49745	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.273252010 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.686877012 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.686902046 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.686924934 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.686959982 CEST	49745	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.686976910 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.686990023 CEST	49745	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.687319994 CEST	49745	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.687328100 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.687346935 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.687354088 CEST	49745	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.687371016 CEST	443	49745	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.779213905 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.779252052 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.779412985 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.781100035 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.781114101 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.807239056 CEST	49747	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.807291985 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:43.807380915 CEST	49747	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.807549953 CEST	49747	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:43.807566881 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.136431932 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:44.136476040 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:44.136603117 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:44.140290022 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:44.140309095 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:44.456151009 CEST	49699	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:44.456764936 CEST	49749	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:44.456804037 CEST	443	49749	104.98.116.138	192.168.2.7
Aug 27, 2024 18:19:44.457016945 CEST	49749	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:44.458775997 CEST	49749	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:19:44.458789110 CEST	443	49749	104.98.116.138	192.168.2.7
Aug 27, 2024 18:19:44.460911989 CEST	443	49699	104.98.116.138	192.168.2.7
Aug 27, 2024 18:19:44.558135986 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.558240891 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.572371006 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.572386980 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.572813034 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.574163914 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.574163914 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.574203014 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.593863964 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.594912052 CEST	49747	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.594939947 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.595782995 CEST	49747	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.595793009 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.599339962 CEST	49747	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.599358082 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.926403999 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:44.926508904 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:44.946986914 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:44.947014093 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:44.947360039 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:44.980196953 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.980209112 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.980278969 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.980281115 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.980346918 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.980576038 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.980603933 CEST	49746	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.980608940 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.980617046 CEST	443	49746	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.992091894 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.992125988 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.992183924 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.992224932 CEST	49747	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.992244005 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.992280960 CEST	49747	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.992420912 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.992487907 CEST	49747	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.992825985 CEST	49747	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:44.992840052 CEST	443	49747	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:44.997328997 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:45.009460926 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:45.009490967 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:45.009659052 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:45.010014057 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:45.010029078 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:45.014928102 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:45.054748058 CEST	49751	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:45.054776907 CEST	443	49751	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:45.055022955 CEST	49751	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:45.055258036 CEST	49751	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:45.055265903 CEST	443	49751	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:45.060504913 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.285218954 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.285243034 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.285250902 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.285260916 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.285290956 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.285319090 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:45.285326958 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.285347939 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:45.285384893 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:45.285588980 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.285650969 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:45.285655022 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.286099911 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.286159992 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:45.296314955 CEST	49748	443	192.168.2.7	40.68.123.157
Aug 27, 2024 18:19:45.296329021 CEST	443	49748	40.68.123.157	192.168.2.7
Aug 27, 2024 18:19:45.781037092 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:45.789827108 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:45.789849043 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:45.790685892 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:45.790693998 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:45.790738106 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:45.790746927 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:45.849726915 CEST	443	49751	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:45.849823952 CEST	49751	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:46.145191908 CEST	49751	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:46.145210981 CEST	443	49751	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:46.145620108 CEST	443	49751	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:46.161768913 CEST	49751	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:46.161830902 CEST	443	49751	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:46.162014008 CEST	443	49751	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:46.162081957 CEST	49751	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:46.162081957 CEST	49751	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:46.371325016 CEST	49752	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:46.371376038 CEST	443	49752	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:46.371447086 CEST	49752	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:46.371669054 CEST	49752	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:46.371679068 CEST	443	49752	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:46.433610916 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:46.433634043 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:46.433675051 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:46.433722973 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:46.433722973 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:46.433746099 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:46.434084892 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:46.434168100 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:46.460515022 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:46.460536003 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:46.460562944 CEST	49750	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:46.460570097 CEST	443	49750	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:47.190799952 CEST	443	49752	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:47.190871000 CEST	49752	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:47.223382950 CEST	49752	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:47.223397017 CEST	443	49752	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:47.223788977 CEST	443	49752	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:47.225483894 CEST	49752	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:47.225509882 CEST	443	49752	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:47.225646019 CEST	443	49752	52.137.106.217	192.168.2.7
Aug 27, 2024 18:19:47.225696087 CEST	49752	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:47.225719929 CEST	49752	443	192.168.2.7	52.137.106.217
Aug 27, 2024 18:19:47.611521959 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:47.611566067 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:47.611680031 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:47.633992910 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:47.634025097 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:47.703562021 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:47.703593969 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:47.703771114 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:47.704016924 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:47.704026937 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:48.431020021 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:48.431941032 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:48.431971073 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:48.457139969 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:48.457139969 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:48.457156897 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:48.457175970 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:48.499922037 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:48.499994040 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:48.528021097 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:48.528032064 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:48.528331995 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:48.544389009 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:48.544431925 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:48.544492006 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:48.651375055 CEST	49755	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:48.651429892 CEST	443	49755	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:48.651587009 CEST	49755	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:48.651866913 CEST	49755	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:48.651875973 CEST	443	49755	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:48.808511972 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:48.808532953 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:48.808572054 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:48.808615923 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:48.808644056 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:48.808655977 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:48.808656931 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:48.808691025 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:48.809129000 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:48.809129000 CEST	49753	443	192.168.2.7	40.126.32.76
Aug 27, 2024 18:19:48.809149027 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:48.809158087 CEST	443	49753	40.126.32.76	192.168.2.7
Aug 27, 2024 18:19:49.454154968 CEST	443	49755	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:49.454226017 CEST	49755	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:49.455423117 CEST	49755	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:49.455440044 CEST	443	49755	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:49.455677986 CEST	443	49755	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:49.456743002 CEST	49755	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:49.456782103 CEST	443	49755	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:49.456892014 CEST	443	49755	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:49.456922054 CEST	49755	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:49.456945896 CEST	49755	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:49.865094900 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:49.865143061 CEST	443	49756	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:49.865233898 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:49.865664959 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:49.865675926 CEST	443	49756	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:50.664135933 CEST	443	49756	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:50.664378881 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:50.665448904 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:50.665467024 CEST	443	49756	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:50.665713072 CEST	443	49756	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:50.669220924 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:50.669266939 CEST	443	49756	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:50.669403076 CEST	443	49756	51.124.78.146	192.168.2.7
Aug 27, 2024 18:19:50.669481039 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:50.669481039 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 27, 2024 18:19:51.715713024 CEST	443	49736	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:51.715795994 CEST	443	49736	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:51.715990067 CEST	49736	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:51.718580008 CEST	443	49735	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:51.718655109 CEST	443	49735	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:51.718698978 CEST	49735	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:53.090919971 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 27, 2024 18:20:11.412506104 CEST	49789	53	192.168.2.7	162.159.36.2
Aug 27, 2024 18:20:11.417362928 CEST	53	49789	162.159.36.2	192.168.2.7
Aug 27, 2024 18:20:11.417454004 CEST	49789	53	192.168.2.7	162.159.36.2
Aug 27, 2024 18:20:11.422281981 CEST	53	49789	162.159.36.2	192.168.2.7
Aug 27, 2024 18:20:11.888916969 CEST	49789	53	192.168.2.7	162.159.36.2
Aug 27, 2024 18:20:11.894279003 CEST	53	49789	162.159.36.2	192.168.2.7
Aug 27, 2024 18:20:11.894350052 CEST	49789	53	192.168.2.7	162.159.36.2
Aug 27, 2024 18:20:11.962371111 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:11.962405920 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:11.962466955 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:11.962867975 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:11.962882042 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:12.860357046 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:12.860476017 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:12.886779070 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:12.886796951 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:12.887051105 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:12.887989998 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:12.932498932 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:13.146425009 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:13.146444082 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:13.146457911 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:13.146533966 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:13.146549940 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:13.146589994 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:13.146610975 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:13.147486925 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:13.147550106 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:13.147562027 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:13.147600889 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:13.147610903 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:13.148165941 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:13.148231030 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:13.148853064 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:13.148865938 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:13.148902893 CEST	49791	443	192.168.2.7	13.85.23.86
Aug 27, 2024 18:20:13.148909092 CEST	443	49791	13.85.23.86	192.168.2.7
Aug 27, 2024 18:20:23.731961012 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:23.731987000 CEST	443	49743	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:23.732026100 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:23.732048988 CEST	443	49742	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:27.224970102 CEST	443	49749	104.98.116.138	192.168.2.7
Aug 27, 2024 18:20:27.225116014 CEST	49749	443	192.168.2.7	104.98.116.138
Aug 27, 2024 18:20:29.443178892 CEST	49794	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.443218946 CEST	443	49794	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.443321943 CEST	49794	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.443402052 CEST	49795	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.443444014 CEST	443	49795	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.443500996 CEST	49795	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.443672895 CEST	49794	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.443691015 CEST	443	49794	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.443811893 CEST	49795	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.443833113 CEST	443	49795	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.935343981 CEST	443	49794	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.935875893 CEST	49794	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.935904980 CEST	443	49794	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.936219931 CEST	443	49794	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.936527967 CEST	49794	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.936589956 CEST	443	49794	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.956672907 CEST	443	49795	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.957045078 CEST	49795	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.957073927 CEST	443	49795	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.957386971 CEST	443	49795	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.957741022 CEST	49795	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.957807064 CEST	443	49795	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.984308958 CEST	49794	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:30.003809929 CEST	49795	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:31.984338045 CEST	49797	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:31.984366894 CEST	443	49797	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:31.984426975 CEST	49797	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:31.984590054 CEST	49798	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:31.984597921 CEST	443	49798	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:31.984643936 CEST	49798	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:31.984776974 CEST	49797	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:31.984793901 CEST	443	49797	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:31.984894991 CEST	49798	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:31.984905958 CEST	443	49798	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.456916094 CEST	443	49798	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.458267927 CEST	49798	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.458297014 CEST	443	49798	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.458677053 CEST	443	49798	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.460876942 CEST	49798	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.460968018 CEST	443	49798	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.479259968 CEST	443	49797	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.479552984 CEST	49797	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.479581118 CEST	443	49797	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.479924917 CEST	443	49797	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.482150078 CEST	49797	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.482243061 CEST	443	49797	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.513248920 CEST	49798	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.529757023 CEST	49797	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.559644938 CEST	49799	443	192.168.2.7	23.44.133.57
Aug 27, 2024 18:20:32.559700012 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:32.559782028 CEST	49799	443	192.168.2.7	23.44.133.57
Aug 27, 2024 18:20:32.560254097 CEST	49799	443	192.168.2.7	23.44.133.57
Aug 27, 2024 18:20:32.560271025 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:33.073558092 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:33.073985100 CEST	49799	443	192.168.2.7	23.44.133.57
Aug 27, 2024 18:20:33.074006081 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:33.074350119 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:33.074644089 CEST	49799	443	192.168.2.7	23.44.133.57
Aug 27, 2024 18:20:33.074736118 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:33.074768066 CEST	49799	443	192.168.2.7	23.44.133.57
Aug 27, 2024 18:20:33.116503000 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:33.122498035 CEST	49799	443	192.168.2.7	23.44.133.57
Aug 27, 2024 18:20:33.211927891 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:33.211954117 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:33.212172985 CEST	49799	443	192.168.2.7	23.44.133.57
Aug 27, 2024 18:20:33.212189913 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:33.212287903 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:33.212337971 CEST	49799	443	192.168.2.7	23.44.133.57
Aug 27, 2024 18:20:33.215465069 CEST	49799	443	192.168.2.7	23.44.133.57
Aug 27, 2024 18:20:33.215481043 CEST	443	49799	23.44.133.57	192.168.2.7
Aug 27, 2024 18:20:36.738271952 CEST	49735	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:36.738297939 CEST	443	49735	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:36.844691038 CEST	49736	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:36.844738960 CEST	443	49736	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:44.834846973 CEST	443	49794	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:44.834922075 CEST	443	49794	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:44.834970951 CEST	49794	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:44.851932049 CEST	443	49795	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:44.852142096 CEST	443	49795	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:44.852195978 CEST	49795	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:47.372706890 CEST	443	49798	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:47.372790098 CEST	443	49798	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:47.372886896 CEST	49798	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:47.383089066 CEST	443	49797	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:47.383160114 CEST	443	49797	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:47.383213043 CEST	49797	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:21:08.779439926 CEST	49742	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:21:08.779439926 CEST	49743	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:21:08.779469967 CEST	443	49742	142.251.40.206	192.168.2.7
Aug 27, 2024 18:21:08.779469967 CEST	443	49743	142.251.40.206	192.168.2.7
Aug 27, 2024 18:21:21.779462099 CEST	49735	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:21:21.779489040 CEST	443	49735	162.159.61.3	192.168.2.7
Aug 27, 2024 18:21:21.857605934 CEST	49736	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:21:21.857620955 CEST	443	49736	162.159.61.3	192.168.2.7
Aug 27, 2024 18:21:29.867651939 CEST	49794	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:21:29.867654085 CEST	49795	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:21:29.867682934 CEST	443	49795	162.159.61.3	192.168.2.7
Aug 27, 2024 18:21:29.867687941 CEST	443	49794	162.159.61.3	192.168.2.7
Aug 27, 2024 18:21:32.450933933 CEST	49798	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:21:32.450989008 CEST	443	49798	162.159.61.3	192.168.2.7
Aug 27, 2024 18:21:32.466703892 CEST	49797	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:21:32.466741085 CEST	443	49797	162.159.61.3	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 18:19:30.650867939 CEST	53	55578	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:31.934160948 CEST	65409	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:31.934294939 CEST	61068	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:33.400125027 CEST	53	63714	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:33.439176083 CEST	53	61791	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.320396900 CEST	123	123	192.168.2.7	20.101.57.9
Aug 27, 2024 18:19:34.691061020 CEST	65350	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:34.691546917 CEST	57273	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:34.692528009 CEST	51163	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:34.692748070 CEST	63431	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:34.693413019 CEST	55962	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:34.693634033 CEST	54483	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:34.695100069 CEST	59870	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:34.695424080 CEST	54964	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:34.698282003 CEST	53	65350	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.698303938 CEST	53	57273	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.699821949 CEST	53	51163	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.699834108 CEST	53	63431	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.700799942 CEST	53	54483	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.701586008 CEST	53	55962	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.701987982 CEST	53	59870	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.702820063 CEST	53	54964	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.796356916 CEST	53326	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:34.796502113 CEST	60368	53	192.168.2.7	1.1.1.1
Aug 27, 2024 18:19:34.803205013 CEST	53	53326	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.803524971 CEST	53	60368	1.1.1.1	192.168.2.7
Aug 27, 2024 18:19:34.844785929 CEST	123	123	20.101.57.9	192.168.2.7
Aug 27, 2024 18:19:35.933800936 CEST	123	123	192.168.2.7	20.101.57.9
Aug 27, 2024 18:19:36.030613899 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.104338884 CEST	123	123	20.101.57.9	192.168.2.7
Aug 27, 2024 18:19:36.343003988 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.475822926 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.476039886 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.476051092 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.476094007 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.476104975 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.476664066 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.483917952 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.488559008 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.489212036 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.491374969 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.492052078 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.583465099 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.583478928 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.583556890 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.583566904 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.583777905 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.588217974 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.590426922 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.590459108 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.590924025 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.591224909 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.610043049 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.685976028 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.904843092 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:36.965848923 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.978044033 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:36.978257895 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:37.074317932 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:37.075150967 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:37.075397015 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:37.084650993 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:37.280111074 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:37.280111074 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:37.376995087 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:37.381390095 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:37.381417990 CEST	443	63696	162.159.61.3	192.168.2.7
Aug 27, 2024 18:19:37.381997108 CEST	63696	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:19:37.747575998 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.061163902 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.192125082 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.192394972 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.199543953 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.199557066 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.199570894 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.199625969 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.218043089 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.218197107 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.219187975 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.237194061 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.237360001 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.237951994 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.237970114 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.255362034 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.331845999 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.332051039 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.332212925 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.332844019 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.350286007 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.350548029 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.410039902 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.410336018 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.414025068 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.429819107 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.430093050 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.431243896 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:38.466666937 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:38.525276899 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:46.107796907 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:46.228405952 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:46.308000088 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:46.311181068 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:19:46.333761930 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:46.374608994 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:19:46.452616930 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:07.062150955 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:07.062195063 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:07.309946060 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:07.776720047 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:07.777434111 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:07.811032057 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:07.852890015 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:07.854962111 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:07.918311119 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:08.018079996 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:08.059492111 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:08.515383005 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:08.873851061 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:08.921838999 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:08.922085047 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:08.923757076 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:08.923938036 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:09.018009901 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:09.018273115 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:09.019892931 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:09.020159960 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:09.022787094 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:09.103590012 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:09.104094982 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:09.104119062 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:09.104646921 CEST	62928	443	192.168.2.7	142.251.40.206
Aug 27, 2024 18:20:09.199734926 CEST	443	62928	142.251.40.206	192.168.2.7
Aug 27, 2024 18:20:11.412012100 CEST	53	54855	162.159.36.2	192.168.2.7
Aug 27, 2024 18:20:11.908257961 CEST	53	63720	1.1.1.1	192.168.2.7
Aug 27, 2024 18:20:29.442900896 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.756138086 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.901346922 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.901381016 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.906300068 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.906419039 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.906456947 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.906471014 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:29.906776905 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.908533096 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.908886909 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.909012079 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.909410000 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.909578085 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:29.912905931 CEST	138	138	192.168.2.7	192.168.2.255
Aug 27, 2024 18:20:30.018529892 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:30.018548965 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:30.018558025 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:30.018567085 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:30.018582106 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:30.018853903 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:30.019079924 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:30.019155025 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:30.019382000 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:30.124619961 CEST	443	63289	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:30.169776917 CEST	63289	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:31.984060049 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.297050953 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.449567080 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.449588060 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.449595928 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.449605942 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.449620008 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.451709032 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.453434944 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.454843998 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.455493927 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.456948996 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.457556963 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.550259113 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.550281048 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.550291061 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.550295115 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.551170111 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.553360939 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.553813934 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.554306030 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.554491997 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.556508064 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.557162046 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:32.649854898 CEST	443	52380	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:32.703840971 CEST	52380	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:38.862248898 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:38.862499952 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:38.862886906 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:38.863023043 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:38.892574072 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:38.892683029 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:39.309685946 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.310372114 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:39.342560053 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:39.404026031 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.404042959 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.404052019 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.404056072 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.404438019 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:39.404766083 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:39.498272896 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.498733044 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:39.599345922 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.601596117 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.601710081 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.602083921 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:39.602451086 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.602592945 CEST	443	58730	162.159.61.3	192.168.2.7
Aug 27, 2024 18:20:39.602917910 CEST	58730	443	192.168.2.7	162.159.61.3
Aug 27, 2024 18:20:39.605114937 CEST	55867	443	192.168.2.7	172.253.62.84
Aug 27, 2024 18:20:39.605925083 CEST	55867	443	192.168.2.7	172.253.62.84
Aug 27, 2024 18:20:39.608495951 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:39.608617067 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.061573029 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.062228918 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.062241077 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.062252045 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.062269926 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.063700914 CEST	55867	443	192.168.2.7	172.253.62.84
Aug 27, 2024 18:20:40.064842939 CEST	55867	443	192.168.2.7	172.253.62.84
Aug 27, 2024 18:20:40.068121910 CEST	55867	443	192.168.2.7	172.253.62.84
Aug 27, 2024 18:20:40.069693089 CEST	55867	443	192.168.2.7	172.253.62.84
Aug 27, 2024 18:20:40.072241068 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.072973967 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.074064016 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.074206114 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.074698925 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.075710058 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.075974941 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.076153994 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.089978933 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.170433044 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.170475006 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.174572945 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.177239895 CEST	55867	443	192.168.2.7	172.253.62.84
Aug 27, 2024 18:20:40.181232929 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.181293011 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.181303978 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.181312084 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.181533098 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.218511105 CEST	55867	443	192.168.2.7	172.253.62.84
Aug 27, 2024 18:20:40.218894958 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.219085932 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.220055103 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.220066071 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.221528053 CEST	55867	443	192.168.2.7	172.253.62.84
Aug 27, 2024 18:20:40.222167969 CEST	55867	443	192.168.2.7	172.253.62.84
Aug 27, 2024 18:20:40.261239052 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.261416912 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.261428118 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.261648893 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.261719942 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.262154102 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:20:40.262433052 CEST	55265	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:20:40.348921061 CEST	443	55867	172.253.62.84	192.168.2.7
Aug 27, 2024 18:20:40.374162912 CEST	443	55265	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:09.423603058 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:09.423650026 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:09.883414984 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:09.883522987 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:09.884103060 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:09.884193897 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:09.884542942 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:09.884557962 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:09.884711981 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:09.900284052 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:09.984091043 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:09.984141111 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:09.984452963 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:09.984639883 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:09.984808922 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:10.019619942 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:10.061453104 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:10.061916113 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:10.062529087 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:10.062618971 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:10.062808037 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:10.065861940 CEST	443	59895	142.251.35.174	192.168.2.7
Aug 27, 2024 18:21:10.066039085 CEST	59895	443	192.168.2.7	142.251.35.174
Aug 27, 2024 18:21:10.161732912 CEST	443	59895	142.251.35.174	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 27, 2024 18:19:47.279079914 CEST	192.168.2.7	1.1.1.1	c214	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 27, 2024 18:19:31.934160948 CEST	192.168.2.7	1.1.1.1	0x797b	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:31.934294939 CEST	192.168.2.7	1.1.1.1	0x9639	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Aug 27, 2024 18:19:34.691061020 CEST	192.168.2.7	1.1.1.1	0x3e4c	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.691546917 CEST	192.168.2.7	1.1.1.1	0x140e	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 27, 2024 18:19:34.692528009 CEST	192.168.2.7	1.1.1.1	0x1d7d	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.692748070 CEST	192.168.2.7	1.1.1.1	0x9622	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 27, 2024 18:19:34.693413019 CEST	192.168.2.7	1.1.1.1	0x7c0f	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.693634033 CEST	192.168.2.7	1.1.1.1	0x5502	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 27, 2024 18:19:34.695100069 CEST	192.168.2.7	1.1.1.1	0x771	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.695424080 CEST	192.168.2.7	1.1.1.1	0x89b2	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 27, 2024 18:19:34.796356916 CEST	192.168.2.7	1.1.1.1	0x4e69	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.796502113 CEST	192.168.2.7	1.1.1.1	0x9199	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 27, 2024 18:19:31.941734076 CEST	1.1.1.1	192.168.2.7	0x797b	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 27, 2024 18:19:31.944160938 CEST	1.1.1.1	192.168.2.7	0x9639	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 27, 2024 18:19:34.498918056 CEST	1.1.1.1	192.168.2.7	0xf917	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 27, 2024 18:19:34.498918056 CEST	1.1.1.1	192.168.2.7	0xf917	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.698282003 CEST	1.1.1.1	192.168.2.7	0x3e4c	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.698282003 CEST	1.1.1.1	192.168.2.7	0x3e4c	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.698303938 CEST	1.1.1.1	192.168.2.7	0x140e	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 27, 2024 18:19:34.699821949 CEST	1.1.1.1	192.168.2.7	0x1d7d	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.699821949 CEST	1.1.1.1	192.168.2.7	0x1d7d	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.699834108 CEST	1.1.1.1	192.168.2.7	0x9622	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 27, 2024 18:19:34.700799942 CEST	1.1.1.1	192.168.2.7	0x5502	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 27, 2024 18:19:34.701586008 CEST	1.1.1.1	192.168.2.7	0x7c0f	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.701586008 CEST	1.1.1.1	192.168.2.7	0x7c0f	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.701987982 CEST	1.1.1.1	192.168.2.7	0x771	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.701987982 CEST	1.1.1.1	192.168.2.7	0x771	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.702820063 CEST	1.1.1.1	192.168.2.7	0x89b2	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 27, 2024 18:19:34.803205013 CEST	1.1.1.1	192.168.2.7	0x4e69	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.803205013 CEST	1.1.1.1	192.168.2.7	0x4e69	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 18:19:34.803524971 CEST	1.1.1.1	192.168.2.7	0x9199	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

edgeassetservice.azureedge.net

chrome.cloudflare-dns.com

https:

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49710	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:33 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-27 16:19:33 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF17) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=84053 Date: Tue, 27 Aug 2024 16:19:33 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49716	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:34 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-27 16:19:34 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=87966 Date: Tue, 27 Aug 2024 16:19:34 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-27 16:19:34 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49720	13.107.246.60	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:35 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.47 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-27 16:19:35 UTC	562	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:19:35 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Fri, 02 Aug 2024 18:10:35 GMT ETag: 0x8DCB31E67C22927 x-ms-request-id: 14c701d7-e01e-0029-02e8-f61e45000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240827T161935Z-15c77d89844x4cv6tct3vbzssn0000000gtg000000003w3m Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-08-27 16:19:35 UTC	15822	IN	Data Raw: 1f 8b 08 08 1a 21 ad 66 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: !fasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-08-27 16:19:35 UTC	16384	IN	Data Raw: 30 96 c2 52 09 74 65 c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 29 8b 4d 52 3a c4 97 c1 d0 1d 5d d0 58 b3 51 22 09 e8 37 c0 b1 Data Ascii: 0Rte\|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49-lx53Bu;hQ-]bU%+/M!eC8Y1)MR:]XQ"7
2024-08-27 16:19:35 UTC	16384	IN	Data Raw: 4d 9a a5 bf dc f0 20 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 f5 72 cd 6b 58 b5 9b 70 5a 19 73 3e 85 d2 c6 f8 80 22 71 cd f5 Data Ascii: M kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|crkXpZs>"q
2024-08-27 16:19:35 UTC	16384	IN	Data Raw: d1 b5 2e 37 a4 97 5f 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 3b 35 42 38 50 3b bc 9c d4 76 22 35 66 3f 5d d9 fb 8e 7d 65 84 Data Ascii: .7_CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`;5B8P;v"5f?]}e
2024-08-27 16:19:35 UTC	5233	IN	Data Raw: 0f 79 ac a9 56 57 20 b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 cf 54 85 de 92 34 2e 26 d2 d8 ca 80 2c 56 f9 34 27 86 21 28 e6 Data Ascii: yVW a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDYT4.&,V4'!(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49722	162.159.61.3	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:35 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-27 16:19:35 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-27 16:19:35 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 27 Aug 2024 16:19:35 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8b9d62517ea842c0-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 16:19:35 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 d0 00 04 8e fa 41 c3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomA)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49724	162.159.61.3	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:35 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-27 16:19:35 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-27 16:19:35 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 27 Aug 2024 16:19:35 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8b9d62517ad543c9-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 16:19:35 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 a2 00 04 8e fa 41 e3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomA)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49723	162.159.61.3	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:35 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-27 16:19:35 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-27 16:19:35 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 27 Aug 2024 16:19:35 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8b9d625188787277-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 16:19:35 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 0c 00 04 ac d9 a5 83 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49721	172.64.41.3	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:35 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-27 16:19:35 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-27 16:19:35 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 27 Aug 2024 16:19:35 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8b9d62518d560f3a-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 16:19:35 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 0e 00 04 8e fa 41 e3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomA)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49729	172.64.41.3	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:35 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-27 16:19:35 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-27 16:19:35 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 27 Aug 2024 16:19:35 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8b9d62520a6e8cda-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 16:19:35 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 ae 00 04 ac d9 a5 83 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49727	13.107.246.60	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:35 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-27 16:19:35 UTC	559	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 16:19:35 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Fri, 23 Aug 2024 00:10:35 GMT ETag: 0x8DCC30802EF150E x-ms-request-id: 95d786f7-901e-0026-728f-f8f3b3000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240827T161935Z-15c77d89844x4cv6tct3vbzssn0000000gt000000000fg3e Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-08-27 16:19:35 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49734	40.126.32.76	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:37 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-27 16:19:37 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-27 16:19:37 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 27 Aug 2024 16:18:37 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BAY x-ms-request-id: 39219efb-06df-4efd-9ea5-db9dcd4bda63 PPServer: PPV: 30 H: PH1PEPF00011F9B V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 27 Aug 2024 16:19:36 GMT Connection: close Content-Length: 1276
2024-08-27 16:19:37 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49737	142.251.40.206	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:37 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-27 16:19:37 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 27 Aug 2024 16:19:37 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49738	142.251.40.206	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:37 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-27 16:19:37 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 27 Aug 2024 16:19:37 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49739	142.250.65.196	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:37 UTC	887	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.2045.47" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-27 16:19:37 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 27 Aug 2024 15:47:54 GMT Expires: Wed, 04 Sep 2024 15:47:54 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 1903 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-08-27 16:19:37 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-08-27 16:19:37 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-08-27 16:19:37 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-08-27 16:19:37 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-08-27 16:19:37 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49740	40.126.32.76	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:38 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-27 16:19:38 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-27 16:19:38 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 27 Aug 2024 16:18:38 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BL2 x-ms-request-id: 9caadb05-7603-4c94-831b-3653ab2fd671 PPServer: PPV: 30 H: BL02EPF00027906 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 27 Aug 2024 16:19:38 GMT Connection: close Content-Length: 1276
2024-08-27 16:19:38 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49741	40.126.32.76	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:38 UTC	446	OUT	POST /ppsecure/deviceaddcredential.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 7642 Host: login.live.com
2024-08-27 16:19:38 UTC	7642	OUT	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 71 75 65 73 74 3e 3c 43 6c 69 65 6e 74 49 6e 66 6f 20 6e 61 6d 65 3d 22 49 44 43 52 4c 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 3c 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 32 34 3c 2f 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 3c 2f 43 6c 69 65 6e 74 49 6e 66 6f 3e 3c 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 75 6c 62 71 72 62 69 79 62 7a 68 76 78 63 3c 2f 4d 65 6d 62 65 72 6e 61 6d 65 3e 3c 50 61 73 73 77 6f 72 64 3e 55 2d 45 24 2e 79 64 65 64 44 74 36 7e 72 63 60 4b 6f 24 75 3c 2f 50 61 73 73 77 6f 72 64 3e 3c 2f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4f 6c 64 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 71 74 6c 74 6e 74 63 62 72 65 71 75 61 6a 3c 2f 4f 6c 64 4d Data Ascii: <DeviceAddRequest><ClientInfo name="IDCRL" version="1.0"><BinaryVersion>24</BinaryVersion></ClientInfo><Authentication><Membername>02ulbqrbiybzhvxc</Membername><Password>U-E$.ydedDt6~rc`Ko$u</Password></Authentication><OldMembername>02qtltntcbrequaj</OldM
2024-08-27 16:19:40 UTC	542	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: text/xml Expires: Tue, 27 Aug 2024 16:18:38 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C526_SN1 x-ms-request-id: c8320284-773b-4e9f-b3d4-72b12460fba2 PPServer: PPV: 30 H: SN1PEPF0002F01F V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 27 Aug 2024 16:19:40 GMT Connection: close Content-Length: 17166
2024-08-27 16:19:40 UTC	15842	IN	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 73 70 6f 6e 73 65 20 53 75 63 63 65 73 73 3d 22 74 72 75 65 22 3e 3c 73 75 63 63 65 73 73 3e 74 72 75 65 3c 2f 73 75 63 63 65 73 73 3e 3c 70 75 69 64 3e 30 30 31 38 43 30 30 45 31 43 35 43 46 35 37 41 3c 2f 70 75 69 64 3e 3c 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 33 3c 2f 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 3c 4c 69 63 65 6e 73 65 20 43 6f 6e 74 65 6e 74 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 2d 38 63 63 35 2d 62 32 66 35 33 63 38 33 30 62 37 36 22 20 49 44 3d 22 36 66 36 38 63 31 37 37 2d 34 31 33 30 2d 34 62 36 33 2d 61 65 31 61 2d 65 37 62 63 37 63 34 64 65 36 30 35 22 20 4c 69 63 65 6e 73 65 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 Data Ascii: <DeviceAddResponse Success="true"><success>true</success><puid>0018C00E1C5CF57A</puid><DeviceTpmKeyState>3</DeviceTpmKeyState><License ContentID="3252b20c-d425-4711-8cc5-b2f53c830b76" ID="6f68c177-4130-4b63-ae1a-e7bc7c4de605" LicenseID="3252b20c-d425-4711
2024-08-27 16:19:40 UTC	1324	IN	Data Raw: 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 65 6e 76 65 6c 6f 70 65 64 2d 73 69 67 6e 61 74 75 72 65 22 2f 3e 3c 2f 54 72 61 6e 73 66 6f 72 6d 73 3e 3c 44 69 67 65 73 74 4d 65 74 68 6f 64 20 41 6c 67 6f 72 69 74 68 6d 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 30 34 2f 78 6d 6c 65 6e 63 23 73 68 61 32 35 36 22 2f 3e 3c 44 69 67 65 73 74 56 61 6c 75 65 3e 67 74 71 77 70 52 35 66 47 44 61 6f 48 73 4d 37 49 57 47 4b 5a 67 61 77 58 61 30 42 50 69 47 61 65 35 62 49 75 6e 2f 52 51 4a 41 3d 3c 2f 44 69 67 65 73 74 56 61 6c 75 65 3e 3c 2f 52 65 66 65 72 65 6e 63 65 3e 3c 2f 53 69 67 6e 65 64 49 6e 66 6f 3e 3c 53 69 67 6e 61 74 75 72 65 56 61 6c 75 65 3e 41 46 38 6f 46 52 2b 47 66 Data Ascii: tp://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>gtqwpR5fGDaoHsM7IWGKZgawXa0BPiGae5bIun/RQJA=</DigestValue></Reference></SignedInfo><SignatureValue>AF8oFR+Gf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49744	40.126.32.76	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:41 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-27 16:19:41 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-27 16:19:42 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 27 Aug 2024 16:18:42 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30324.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C502_SN1 x-ms-request-id: da4e6789-5807-4196-bfce-9a9075e71935 PPServer: PPV: 30 H: SN1PEPF0002F016 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 27 Aug 2024 16:19:41 GMT Connection: close Content-Length: 11389
2024-08-27 16:19:42 UTC	11389	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49745	40.126.32.76	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:43 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-27 16:19:43 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-27 16:19:43 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 27 Aug 2024 16:18:43 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C502_SN1 x-ms-request-id: 5eb25ca7-8ba8-4bb7-ac94-64a19f302cf1 PPServer: PPV: 30 H: SN1PEPF0002F09E V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 27 Aug 2024 16:19:42 GMT Connection: close Content-Length: 11389
2024-08-27 16:19:43 UTC	11389	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49746	40.126.32.76	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:44 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-08-27 16:19:44 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-27 16:19:44 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 27 Aug 2024 16:18:44 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BAY x-ms-request-id: bda2a717-5d54-45fc-91ac-b6eb3ecbaed7 PPServer: PPV: 30 H: PH1PEPF00011D9B V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 27 Aug 2024 16:19:44 GMT Connection: close Content-Length: 1918
2024-08-27 16:19:44 UTC	1918	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49747	40.126.32.76	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:44 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4710 Host: login.live.com
2024-08-27 16:19:44 UTC	4710	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-27 16:19:44 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 27 Aug 2024 16:18:44 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C502_SN1 x-ms-request-id: 2349198e-cc69-47f5-869c-2120145ef1fe PPServer: PPV: 30 H: SN1PEPF0002F012 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 27 Aug 2024 16:19:44 GMT Connection: close Content-Length: 10173
2024-08-27 16:19:44 UTC	10173	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49748	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:45 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bc6CtTpXTMAAZX4&MD=+7Vvyzgs HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-27 16:19:45 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 7249a5a6-ef53-49e1-a5a9-bd3c6cc7ffee MS-RequestId: 5d1cab8e-ae58-44d7-890f-4e558e2d4171 MS-CV: BfGU137fNUyT0X2I.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 27 Aug 2024 16:19:44 GMT Connection: close Content-Length: 24490
2024-08-27 16:19:45 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-27 16:19:45 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49750	40.126.32.76	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:45 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-08-27 16:19:45 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-27 16:19:46 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 27 Aug 2024 16:18:45 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C502_SN1 x-ms-request-id: acb6ec69-eb37-482b-8612-93d3c3e3aabe PPServer: PPV: 30 H: SN1PEPF0003F952 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 27 Aug 2024 16:19:46 GMT Connection: close Content-Length: 11389
2024-08-27 16:19:46 UTC	11389	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49753	40.126.32.76	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:19:48 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-08-27 16:19:48 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-27 16:19:48 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Tue, 27 Aug 2024 16:18:48 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C502_BL2 x-ms-request-id: cd15d677-d1df-45a7-8a17-2325daf25699 PPServer: PPV: 30 H: BL02EPF0001D86A V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Tue, 27 Aug 2024 16:19:47 GMT Connection: close Content-Length: 11389
2024-08-27 16:19:48 UTC	11389	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49791	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:20:12 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bc6CtTpXTMAAZX4&MD=+7Vvyzgs HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-27 16:20:13 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: a71f754a-e0fa-4892-b794-b3cfc7633255 MS-RequestId: 0443d9c5-c7f2-42e9-966c-6177591e6f5e MS-CV: /PGPw6CMEUa3HfiH.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 27 Aug 2024 16:20:12 GMT Connection: close Content-Length: 30005
2024-08-27 16:20:13 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-08-27 16:20:13 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49799	23.44.133.57	443	3820	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 16:20:33 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-27 16:20:33 UTC	351	IN	HTTP/1.1 403 Forbidden Content-Length: 2342 Content-Type: text/html Date: Tue, 27 Aug 2024 16:20:33 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.39862c17.1724775633.9473799 Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *
2024-08-27 16:20:33 UTC	1938	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 20 41 70 70 20 2d 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 23 66 65 61 74 75 72 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 36 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 39 35 Data Ascii: <!DOCTYPE html><html><head> <title>Web App - Unavailable</title> <style type="text/css"> html { height: 100%; width: 100%; } #feature { width: 960px; margin: 95
2024-08-27 16:20:33 UTC	404	IN	Data Raw: 74 20 61 67 61 69 6e 20 73 6f 6f 6e 2e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 69 64 3d 22 74 6f 41 64 6d 69 6e 22 3e 49 66 20 79 6f 75 20 61 72 65 20 74 68 65 20 77 65 62 20 61 70 70 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 2c 20 70 6c 65 61 73 65 20 66 69 6e 64 20 74 68 65 20 63 6f 6d 6d 6f 6e 20 34 30 33 20 65 72 72 6f 72 20 73 63 65 6e 61 72 69 6f 73 20 61 6e 64 20 72 65 73 6f 6c 75 74 69 6f 6e 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6f 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 66 77 6c 69 6e 6b 2f 3f 6c 69 6e 6b 69 64 3d 32 30 39 35 30 30 37 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 68 65 72 65 3c 2f 61 3e 2e 20 46 6f 72 20 66 75 72 74 68 65 72 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 Data Ascii: t again soon.</p> <p id="toAdmin">If you are the web app administrator, please find the common 403 error scenarios and resolution <a href="https://go.microsoft.com/fwlink/?linkid=2095007" target="_blank">here</a>. For further troubleshoot

Target ID:	0
Start time:	12:19:26
Start date:	27/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf30000
File size:	917'504 bytes
MD5 hash:	E492AC6462163322873ACD722CDA21F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:19:26
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:19:26
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=2064,i,16296085406379612282,8535261573425614236,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:19:27
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:19:27
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:19:32
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7156 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:19:32
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7136 --field-trial-handle=2068,i,17149242411796452322,744322777038130786,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:19:45
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:19:46
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2972 --field-trial-handle=2480,i,4861291250405216549,5259202044739056824,262144 /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:19:46
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1828 --field-trial-handle=2480,i,4861291250405216549,5259202044739056824,262144 /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:28:05
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:28:06
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2640,i,10792355068707998730,14061555149236825571,262144 /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:28:06
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1496 --field-trial-handle=2640,i,10792355068707998730,14061555149236825571,262144 /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.2%
Total number of Nodes:	1339
Total number of Limit Nodes:	35

Executed Functions

Function 00F4F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F4F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F8F474
IsIconic.USER32(00000000), ref: 00F8F47D
ShowWindow.USER32(00000000,00000009), ref: 00F8F48A
SetForegroundWindow.USER32(00000000), ref: 00F8F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F8F4AA
GetCurrentThreadId.KERNEL32 ref: 00F8F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F8F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F8F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F8F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F8F4DE
SetForegroundWindow.USER32(00000000), ref: 00F8F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F4F6
keybd_event.USER32(00000012,00000000), ref: 00F8F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F50B
keybd_event.USER32(00000012,00000000), ref: 00F8F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F519
keybd_event.USER32(00000012,00000000), ref: 00F8F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8F528
keybd_event.USER32(00000012,00000000), ref: 00F8F52D
SetForegroundWindow.USER32(00000000), ref: 00F8F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F8F557

Strings

Shell_TrayWnd, xrefs: 00F8F46F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 913ed849ed511c916dcac2ccfa4d350b5baa2547c7d3b5e7240978a1439ad566
Instruction ID: 66b94b354b41e1a1a33ae42bf411182ef4e4d23600a58afc0fbb8b98ad124024
Opcode Fuzzy Hash: 913ed849ed511c916dcac2ccfa4d350b5baa2547c7d3b5e7240978a1439ad566
Instruction Fuzzy Hash: B8315071A4021CBEEB206BB55D4AFBF7E6CEB44B50F140426FA09EB1D1C6B15900BBA0

Function 00F342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F3430D

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

GetCurrentProcess.KERNEL32(?,00FCCB64,00000000,?,?), ref: 00F34422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F34429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F34454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F34466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F34474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F3447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00F344A0

Strings

|O, xrefs: 00F736F8
GetNativeSystemInfo, xrefs: 00F34460
kernel32.dll, xrefs: 00F3444F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0a5a52d796d63c77a1e206cec95601a674d7ab1e1deb44d5a01dfb9f425ef548
Instruction ID: add7625ddb78165541183081c440a07b09569081b8cbdc3b62eb43e7702d08f5
Opcode Fuzzy Hash: 0a5a52d796d63c77a1e206cec95601a674d7ab1e1deb44d5a01dfb9f425ef548
Instruction Fuzzy Hash: 3DA1B772D0E2C0DFC737C769B4816957FA47B26314F08D4A9E4C5A3A0AD23AD505FBA2

Function 00F342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F350AA,?,?,00000000,00000000), ref: 00F342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F350AA,?,?,00000000,00000000), ref: 00F342C9
LoadResource.KERNEL32(?,00000000,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20), ref: 00F735BE
SizeofResource.KERNEL32(?,00000000,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20), ref: 00F735D3
LockResource.KERNEL32(00F350AA,?,?,00F350AA,?,?,00000000,00000000,?,?,?,?,?,?,00F34F20,?), ref: 00F735E6

Strings

SCRIPT, xrefs: 00F342BF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a0aadf03291d813e491f98e1fee12d2a54ac37171b742750b0b338bd98b5822a
Instruction ID: b320c983f3fdf10c8e5d0c333f4145b5b0024f30103527a569e19fde8130fe7f
Opcode Fuzzy Hash: a0aadf03291d813e491f98e1fee12d2a54ac37171b742750b0b338bd98b5822a
Instruction Fuzzy Hash: 4811AC70600305BFD7218BA6DD49F677BBDEBC6B61F148169F41696290DB71EC00AA70

Function 00F72BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00F32B6B

Part of subcall function 00F33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01001418,?,00F32E7F,?,?,?,00000000), ref: 00F33A78

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00FF2224), ref: 00F72C10
ShellExecuteW.SHELL32(00000000,?,?,00FF2224), ref: 00F72C17

Strings

runas, xrefs: 00F72C0B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 80276cee786bc301873ce2308637bf16ffc75dd56ff136ed551a0adfcadce6bd
Instruction ID: 06dc227dbbce5af65847008605180aeaa04927a10a6eac253831f96ecb3b425c
Opcode Fuzzy Hash: 80276cee786bc301873ce2308637bf16ffc75dd56ff136ed551a0adfcadce6bd
Instruction Fuzzy Hash: 8511EE316083456AC719FF60DC429BEBBA4AFD1370F44542DF286030A2CFB98A0AF712

Function 00F9DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00F75222), ref: 00F9DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00F9DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00F9DBEE
FindClose.KERNEL32(00000000), ref: 00F9DBFA

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 75fffdaff9b0ad083fba0081a6501b32186d731eaa8d14ec11aadfb397bc611d
Instruction ID: 8d47973c52c62b1c523973df89bb50420c6e60a374bc1d33ebbc8db4de432834
Opcode Fuzzy Hash: 75fffdaff9b0ad083fba0081a6501b32186d731eaa8d14ec11aadfb397bc611d
Instruction Fuzzy Hash: 2BF0E531810918579B206F7CEE0ECAA776C9E01334B244702F83AC30F0EBB05D55EAD5

Function 00FBAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00FBB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB1D4
_wcslen.LIBCMT ref: 00FBB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FBB236
_wcslen.LIBCMT ref: 00FBB332

Part of subcall function 00FA05A7: GetStdHandle.KERNEL32(000000F6), ref: 00FA05C6

_wcslen.LIBCMT ref: 00FBB34B
_wcslen.LIBCMT ref: 00FBB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FBB3B6
GetLastError.KERNEL32(00000000), ref: 00FBB407
CloseHandle.KERNEL32(?), ref: 00FBB439
CloseHandle.KERNEL32(00000000), ref: 00FBB44A
CloseHandle.KERNEL32(00000000), ref: 00FBB45C
CloseHandle.KERNEL32(00000000), ref: 00FBB46E
CloseHandle.KERNEL32(?), ref: 00FBB4E3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 1dd2417d2ea9de6b56db0d7d48280f087c25b0ba98c8189cf6ce00eb4a916bf3
Instruction ID: 6ab12c387c357484ad5410bcbe329366d93a58aa8c4e0962813b340e5e65857e
Opcode Fuzzy Hash: 1dd2417d2ea9de6b56db0d7d48280f087c25b0ba98c8189cf6ce00eb4a916bf3
Instruction Fuzzy Hash: 10F19F719083409FC714EF25C891B6EBBE1AF85324F18855DF8998B2A2CB75EC44EF52

Function 00F3D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F3D807
timeGetTime.WINMM ref: 00F3DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F3DB28
TranslateMessage.USER32(?), ref: 00F3DB7B
DispatchMessageW.USER32(?), ref: 00F3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F3DB9F
Sleep.KERNELBASE(0000000A), ref: 00F3DBB1

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 496a7cfbcc5f61ed3c21782591674f98001d947fe8b47cc42cead18521f14a05
Instruction ID: aaacc5dfc895d87314675e65a416cc66ea18f6ea4d85b9c53e1aab06f82718de
Opcode Fuzzy Hash: 496a7cfbcc5f61ed3c21782591674f98001d947fe8b47cc42cead18521f14a05
Instruction Fuzzy Hash: F4421231A08341DFD729DF24D884BAABBE0FF85324F14465DE89687291D779E844FB82

Function 00F32CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F32D07
RegisterClassExW.USER32(00000030), ref: 00F32D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F32D42
InitCommonControlsEx.COMCTL32(?), ref: 00F32D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F32D6F
LoadIconW.USER32(000000A9), ref: 00F32D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F32D94

Strings

AutoIt v3 GUI, xrefs: 00F32D23
TaskbarCreated, xrefs: 00F32D37
0, xrefs: 00F32CE9
+, xrefs: 00F32CF0

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 802c25cefd9cdd853e79b0c48f254e529e5763393423b15a69e23185a39db160
Instruction ID: bc9cf779ac6d22711aeb623701922bf92e7c203ce22372a7fcb07c0e9c706fdd
Opcode Fuzzy Hash: 802c25cefd9cdd853e79b0c48f254e529e5763393423b15a69e23185a39db160
Instruction Fuzzy Hash: DB21EFB1D41308AFDB11DFA4E98AB9DBBB4FB08700F00811AFA55A7290D7BA85449F91

Function 00F7065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F7039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F70704,?,?,00000000,?,00F70704,00000000,0000000C), ref: 00F703B7

GetLastError.KERNEL32 ref: 00F7076F
__dosmaperr.LIBCMT ref: 00F70776
GetFileType.KERNELBASE(00000000), ref: 00F70782
GetLastError.KERNEL32 ref: 00F7078C
__dosmaperr.LIBCMT ref: 00F70795
CloseHandle.KERNEL32(00000000), ref: 00F707B5
CloseHandle.KERNEL32(?), ref: 00F708FF
GetLastError.KERNEL32 ref: 00F70931
__dosmaperr.LIBCMT ref: 00F70938

Strings

H, xrefs: 00F708BD

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fcc1eeb2a9753278cf998d619bf9290162a5f14c621780bbcee1e98cde91ff4b
Instruction ID: 4aec7dbcd386d61b678fe6049ff4b85c65e0f7bdc02ccffec7d745c14f64a1d0
Opcode Fuzzy Hash: fcc1eeb2a9753278cf998d619bf9290162a5f14c621780bbcee1e98cde91ff4b
Instruction Fuzzy Hash: 15A12732A101488FDF19AF68DC51BAD3BA0AF46320F14815EF8599B391DB359C17EB92

Function 00F3344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01001418,?,00F32E7F,?,?,?,00000000), ref: 00F33A78

Part of subcall function 00F33357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F33379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F3356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F7318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F731CE
RegCloseKey.ADVAPI32(?), ref: 00F73210
_wcslen.LIBCMT ref: 00F73277
_wcslen.LIBCMT ref: 00F73286

Strings

Include, xrefs: 00F73184, 00F731C5
Software\AutoIt v3\AutoIt, xrefs: 00F33560
\, xrefs: 00F7328C
\Include\, xrefs: 00F33527

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ffc142775f3302023cfc752b60728745ca165eaba312c8c2a48751562c78aa5f
Instruction ID: 815a572f4d887de613ad4c38b979fc2d12872018d7f32451026ac883e5606527
Opcode Fuzzy Hash: ffc142775f3302023cfc752b60728745ca165eaba312c8c2a48751562c78aa5f
Instruction Fuzzy Hash: 3171E3714083019EC315EF25DC86D5BBBE8FF84350F40882EF589D31A5EB799A48EB52

Function 00F32B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F32B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00F32B9D
LoadIconW.USER32(00000063), ref: 00F32BB3
LoadIconW.USER32(000000A4), ref: 00F32BC5
LoadIconW.USER32(000000A2), ref: 00F32BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F32BEF
RegisterClassExW.USER32(?), ref: 00F32C40

Part of subcall function 00F32CD4: GetSysColorBrush.USER32(0000000F), ref: 00F32D07
Part of subcall function 00F32CD4: RegisterClassExW.USER32(00000030), ref: 00F32D31
Part of subcall function 00F32CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F32D42
Part of subcall function 00F32CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F32D5F
Part of subcall function 00F32CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F32D6F
Part of subcall function 00F32CD4: LoadIconW.USER32(000000A9), ref: 00F32D85
Part of subcall function 00F32CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F32D94

Strings

0, xrefs: 00F32C0F
AutoIt v3, xrefs: 00F32C2F
#, xrefs: 00F32C16

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 81bfc708a1ed330c6bf990dc081238a5c50aa820fac619a40720dbfe4399ca15
Instruction ID: 01c68936d0e0e64f103438c93bb2f37c41aa85e246aa7d053951dd92085c4737
Opcode Fuzzy Hash: 81bfc708a1ed330c6bf990dc081238a5c50aa820fac619a40720dbfe4399ca15
Instruction Fuzzy Hash: 75214970E00318ABDB229FA5ED49BA97FF5FB48B50F04801AF644A7694D7BA8540DF90

Function 00F33170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F3316A,?,?), ref: 00F331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00F3316A,?,?), ref: 00F33204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F33227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F3316A,?,?), ref: 00F33232
CreatePopupMenu.USER32 ref: 00F33246
PostQuitMessage.USER32(00000000), ref: 00F33267

Strings

TaskbarCreated, xrefs: 00F3322D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 066e3e37f2198a7a96a836d426dd54a02ad526769760243800317e0af69f25bd
Instruction ID: c5f0ff3d44bf6a227ba1601ebb7119335279ea7b3fd5110b2a4c083569cbd2c5
Opcode Fuzzy Hash: 066e3e37f2198a7a96a836d426dd54a02ad526769760243800317e0af69f25bd
Instruction Fuzzy Hash: 48412C32E44204ABEB25AB78DD0EB7A3755FB05370F044119F54AC62D1CB79CE40B7A1

Function 00F32C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F32C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F32CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F31CAD,?), ref: 00F32CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F31CAD,?), ref: 00F32CCF

Strings

AutoIt v3, xrefs: 00F32C89, 00F32C8E, 00F32C8F
edit, xrefs: 00F32CAC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 743494b336d9ed288f5c775bc16d447da13ae7af1139d9014825c01b9ba89c9a
Instruction ID: b58460a7cbc9aef68230e081788b9d6b156555e26e332d7a2c44d0d173499371
Opcode Fuzzy Hash: 743494b336d9ed288f5c775bc16d447da13ae7af1139d9014825c01b9ba89c9a
Instruction Fuzzy Hash: 6BF0F4755403947AEB320713AC09E673FBDD7C6F50F00801AF904A3594C67A8840EAB0

Function 00F9E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00F9E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00F9E9A5
Sleep.KERNEL32(00000000), ref: 00F9E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00F9E9B7
Sleep.KERNELBASE ref: 00F9E9F3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3379186f8ff7d9c7e46b555e0c5617e71f1af2e083b339d5e5f754311263474e
Instruction ID: 2641d4df9c4d97a53ed404f92dc43e34f3308e9198874dc92532920ec800d6bb
Opcode Fuzzy Hash: 3379186f8ff7d9c7e46b555e0c5617e71f1af2e083b339d5e5f754311263474e
Instruction Fuzzy Hash: E0015731C0162DDBDF40EBE6DD5AAEDBB78FB08310F050946E502B2241CB309950ABA1

Function 00F33B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F33B0F,SwapMouseButtons,00000004,?), ref: 00F33B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F33B0F,SwapMouseButtons,00000004,?), ref: 00F33B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F33B0F,SwapMouseButtons,00000004,?), ref: 00F33B83

Strings

Control Panel\Mouse, xrefs: 00F33B3E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: dbfccbd7bb190fe72e55d26ab593666458a59fcfaa1b1fac2a756e657481d8aa
Instruction ID: 47edc4b4aca99d0688dca13a0d45693a358ac06bd91461119ad2a9b55d091165
Opcode Fuzzy Hash: dbfccbd7bb190fe72e55d26ab593666458a59fcfaa1b1fac2a756e657481d8aa
Instruction Fuzzy Hash: 94112AB5910208FFDB20CFA5DC45EAEBBB8EF44764F104459E805D7110D2319E40A7A0

Function 00F33923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F733A2

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F33A04

Strings

Line: , xrefs: 00F733EB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: df795f09f5ae5b05a43109a4548aff78c8edac5a1d32b563a38ab60df604e62b
Instruction ID: e58e82c0a93e1d15113e30aaebaba8316aac6513067529aec5390da507c601bb
Opcode Fuzzy Hash: df795f09f5ae5b05a43109a4548aff78c8edac5a1d32b563a38ab60df604e62b
Instruction Fuzzy Hash: 0631A171809304AAD725EB20DC46BEBB7D8AB40734F00852EF5D993195EF789A49E7C2

Function 00F4FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F50668

Part of subcall function 00F532A4: RaiseException.KERNEL32(?,?,?,00F5068A,?,01001444,?,?,?,?,?,?,00F5068A,00F31129,00FF8738,00F31129), ref: 00F53304

__CxxThrowException@8.LIBVCRUNTIME ref: 00F50685

Strings

Unknown exception, xrefs: 00F50692

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 80441571289f3d7e1c6975dff51b947a22e28b31bbfcaeaa57c5f6a66a0daa32
Instruction ID: d9fb1766352749563eaaffeda941ace99746cba2c94947fb9640f5312614cc91
Opcode Fuzzy Hash: 80441571289f3d7e1c6975dff51b947a22e28b31bbfcaeaa57c5f6a66a0daa32
Instruction Fuzzy Hash: 07F0FF20D0020D738B00BAA8DC46D9E7B6C5E00361B604430BE18924A2EF75EA6EE991

Function 00F310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F31BF4
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F31BFC
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F31C07
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F31C12
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F31C1A
Part of subcall function 00F31BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F31C22

Part of subcall function 00F31B4A: RegisterWindowMessageW.USER32(00000004,?,00F312C4), ref: 00F31BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F3136A
OleInitialize.OLE32 ref: 00F31388
CloseHandle.KERNEL32(00000000,00000000), ref: 00F724AB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3dc149384d17bf620085ccf7039fdef0f371f66758d1ed4d5c99b495565b45b4
Instruction ID: 81a72c640c90879aec6effd2fd86dccd6b513776203e2938ce6acf4b1a36e93c
Opcode Fuzzy Hash: 3dc149384d17bf620085ccf7039fdef0f371f66758d1ed4d5c99b495565b45b4
Instruction Fuzzy Hash: 5071BDB4905201CFD3A6DF79E9456553AE0BB48352F58822EE0CADB299EB3BC601DF41

Function 00F9C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F33A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F9C259
KillTimer.USER32(?,00000001,?,?), ref: 00F9C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F9C270

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 67660d976181a47bbb4b6814d84d60b334618420d92e5f33747a27ac084b69be
Instruction ID: c3196a8fa1dc1d2094baca33cb9b2cbf763911a9584cd0ecff6c69912aab492d
Opcode Fuzzy Hash: 67660d976181a47bbb4b6814d84d60b334618420d92e5f33747a27ac084b69be
Instruction Fuzzy Hash: BB31B171904384AFFF32CF648855BE6BBEC9F06708F00449AD6DE93241C3745A84DB91

Function 00F686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F685CC,?,00FF8CC8,0000000C), ref: 00F68704
GetLastError.KERNEL32(?,00F685CC,?,00FF8CC8,0000000C), ref: 00F6870E
__dosmaperr.LIBCMT ref: 00F68739

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: ae6c34b2ab1d96a6af72425d3ae1c45e694899c2026521aa74062b41aac3b9ec
Instruction ID: 8e632763ae69413c292c10be25699593f16ae07c272cf332e6a3810d8ed8946a
Opcode Fuzzy Hash: ae6c34b2ab1d96a6af72425d3ae1c45e694899c2026521aa74062b41aac3b9ec
Instruction Fuzzy Hash: 17012B33E0566016D6356234EC46B7E775A4B81FF4F39031DF9589B1D2DEA68C83B290

Function 00F3DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00F3DB7B
DispatchMessageW.USER32(?), ref: 00F3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F3DB9F
Sleep.KERNELBASE(0000000A), ref: 00F3DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00F81CC9

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: aa2f1693adabdb89abd8692b95dd8f3391ffaeb56c8e1a05e10def19344a1fac
Instruction ID: fb387f863d892dc310fef3ca8dd739ac643ebc079780d2bd04fbdffac928ba22
Opcode Fuzzy Hash: aa2f1693adabdb89abd8692b95dd8f3391ffaeb56c8e1a05e10def19344a1fac
Instruction Fuzzy Hash: 02F0FE31A443449BE730DB60DD8AFEA77BCFF85320F104A19E65A930C0DB34A549EB55

Function 00F41310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F417F6

Strings

CALL, xrefs: 00F417C6

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 14a490ab8507fd75c605a3ee0001ddc6d6b49ab1e7a08b78b571fa07bcde8a76
Instruction ID: 80d2b4b44797fbb8d0bcedbd3c31efa181f4132a16dd3bf9a4ab7ef42954fc0b
Opcode Fuzzy Hash: 14a490ab8507fd75c605a3ee0001ddc6d6b49ab1e7a08b78b571fa07bcde8a76
Instruction Fuzzy Hash: A5229D70A083019FC714DF14C894B6ABBF1BF85314F18891DF89A8B3A1D775E885EB92

Function 00F32DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00F72C8C

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

Part of subcall function 00F32DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F32DC4

Strings

X, xrefs: 00F72C5A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 863cb8aaea7b5bf0f6d10b248a8bb5d159ddda94a66d77e3397f2e01e58f8844
Instruction ID: f463f45a483bca0cf551e467205d2ee05d116a16dc0aabe6437f73c1fe522bfb
Opcode Fuzzy Hash: 863cb8aaea7b5bf0f6d10b248a8bb5d159ddda94a66d77e3397f2e01e58f8844
Instruction Fuzzy Hash: F2219671A0025C9BCB41EF94CC45BEE7BF8AF49324F00805AE505E7241DBB855899FA1

Function 00F33837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F33908

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 94f9ae23708f68211df26f09975abe23c9fc523eddfcd5c97098700491d5b570
Instruction ID: e8bd2233c130f8bd63353a330dd5aad0015a9c5f13a37dc633a250dd8d97b386
Opcode Fuzzy Hash: 94f9ae23708f68211df26f09975abe23c9fc523eddfcd5c97098700491d5b570
Instruction Fuzzy Hash: A331D271904300DFD721DF24D88579BBBE8FB49329F00092EF5D983280E775AA44DB92

Function 00F4F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F4F661

Part of subcall function 00F3D730: GetInputState.USER32 ref: 00F3D807

Sleep.KERNEL32(00000000), ref: 00F8F2DE

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 85ba767a3d773fa35b37b4772ab4ca552567e4e75de9e39f478604b2eb3afd0a
Instruction ID: 486d441f7cbffee5a2a903d14b0c267356eb6a8ffccddc99f4477b95fef9fcba
Opcode Fuzzy Hash: 85ba767a3d773fa35b37b4772ab4ca552567e4e75de9e39f478604b2eb3afd0a
Instruction Fuzzy Hash: EAF08C312402099FD350EF69D95AF6ABBE8EF45760F000029E95DC7261DB70A800EB90

Function 00F3B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F3BB4E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 36205e0c5dde3aeb79b0575e136a12e8982e52d26f649af4f1c834486f744d33
Instruction ID: 48ae8c3da0003a9da02a363342660632a55d129c0add9a41fbb4353a09707a3c
Opcode Fuzzy Hash: 36205e0c5dde3aeb79b0575e136a12e8982e52d26f649af4f1c834486f744d33
Instruction Fuzzy Hash: D532FD31E00209DFDB24DF54C8A8BBEB7B5EF44320F548059EA45AB251CB78ED45EB90

Function 00FC2598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 00FC2649

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 4f2003dafa64fcc39b4aa83ee9e91dfc77607cbb2c93de6242553bec2d0cf802
Instruction ID: f45798592247a5e30135daec2586a6a83dd1989f6146c83435197edbab6e41c6
Opcode Fuzzy Hash: 4f2003dafa64fcc39b4aa83ee9e91dfc77607cbb2c93de6242553bec2d0cf802
Instruction Fuzzy Hash: 7F21D375200216AFD790DF24CDD1E36B799EB44368B14845CE8568B392CB35ED41EBA0

Function 00FC13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 00FC1420

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: f247f93b9bd6f46891c84ec5ce7071f94be0c9d4062a29ecd3dc692ab1e3b617
Instruction ID: 1300f83386350a93e90e2981d70d9e99befc1076d2a6ab896c360b84dfa54239
Opcode Fuzzy Hash: f247f93b9bd6f46891c84ec5ce7071f94be0c9d4062a29ecd3dc692ab1e3b617
Instruction Fuzzy Hash: 0D317131604203AFD718DF25C996F69B7A2FF46324F14816CE8164B292DB35EC55DBD0

Function 00F34ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F34E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E9C
Part of subcall function 00F34E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F34EAE
Part of subcall function 00F34E90: FreeLibrary.KERNEL32(00000000,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34EFD

Part of subcall function 00F34E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E62
Part of subcall function 00F34E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F34E74
Part of subcall function 00F34E59: FreeLibrary.KERNEL32(00000000,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E87

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 4dc47cfc9dfb025ca06bad3d9a1aa29f5d62b23b873076de0ef040d45e8df871
Instruction ID: 68660fb62f2bf9f7d39708997c0d09d5d1ff3b1832b52bb15a7fc5746620a706
Opcode Fuzzy Hash: 4dc47cfc9dfb025ca06bad3d9a1aa29f5d62b23b873076de0ef040d45e8df871
Instruction Fuzzy Hash: 7A11E732600205AACB14BB74DD12FAD77A59F40B21F14842EF546AB1C1EE78FA45BB50

Function 00F68402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00F68440

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f9bc575c94c84168df9a0bd83cccc896ef699e35affb92aece2257d3fb434347
Instruction ID: 5c0fea0aca42c7e61c827e34b9f0990598741de2daf00f78a963b6f8c5584909
Opcode Fuzzy Hash: f9bc575c94c84168df9a0bd83cccc896ef699e35affb92aece2257d3fb434347
Instruction Fuzzy Hash: A311487190410AAFCB05DF58E940ADA7BF4EF48310F104199F808AB302DA31DA22DBA5

Function 00F65000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F64C7D: RtlAllocateHeap.NTDLL(00000008,00F31129,00000000,?,00F62E29,00000001,00000364,?,?,?,00F5F2DE,00F63863,01001444,?,00F4FDF5,?), ref: 00F64CBE

_free.LIBCMT ref: 00F6506C

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 04d33c3adbb5d6006091d65ce312ddcb2a3ab86f8bf3ae03c7dd3bbcc804fca6
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 520126726047056BE3218F69DC81A5AFBE8FB89370F25051DE18493280EA30A805D6B4

Function 00FC29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,00FC14B5,?), ref: 00FC2A01

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 384880630f5f517a020a590a2a4ec0f22db28046f64c4f419f3414d435fde25f
Instruction ID: 24c88165127d1961184a15140f5ebb5918d396510b3a7c8000f6310533f01329
Opcode Fuzzy Hash: 384880630f5f517a020a590a2a4ec0f22db28046f64c4f419f3414d435fde25f
Instruction Fuzzy Hash: C301B9367006439FD364CA2DC656F213792EBC5314F29845CC04B8B251D736EC42E790

Function 00F5E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 718d14819423378520daf09ab3ee4d0d422975cd17a89ab21a341648368bc2e1
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 21F02D32921E149AC7353A69CC05B5A37999F523B3F100715FE21931D1CB78D90AB9A5

Function 00FC149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 00FC14EB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: e37e1ac67519407ced334502cb1175278bb5de1a0d873edf38cea9a90dff97a6
Instruction ID: 6b78c2637ffc12e44248a45beff89b104781d5dab9373f6966ff3301a7f8e169
Opcode Fuzzy Hash: e37e1ac67519407ced334502cb1175278bb5de1a0d873edf38cea9a90dff97a6
Instruction Fuzzy Hash: 8301D4357046469F9328DF69C942E26BB95FF86324754805DE84A8B743D632DD82DBC0

Function 00F64C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00F31129,00000000,?,00F62E29,00000001,00000364,?,?,?,00F5F2DE,00F63863,01001444,?,00F4FDF5,?), ref: 00F64CBE

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1e9a81fc45117cf31e5a9ce07e9a4e22a2a0e623ca2af1dda1ec4006fdc17fe8
Instruction ID: b90b32f8c55102fe128cbab768761ead743bfc05cfcab3cedee7cb8e336cab72
Opcode Fuzzy Hash: 1e9a81fc45117cf31e5a9ce07e9a4e22a2a0e623ca2af1dda1ec4006fdc17fe8
Instruction Fuzzy Hash: D2F0B432A0222467DB217F669C09B5A3798AF817B1B144111BD19E7781CA34F801B6E0

Function 00F63820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 24842ec7ea6a4e9afa30148df44c0524b4cd87d4be9698ba5e3d336ec35b58aa
Instruction ID: dc6557735bf64e6eb3b4105e41d3d008fa7eb09b7bd8ec4a657f5b3868883ed3
Opcode Fuzzy Hash: 24842ec7ea6a4e9afa30148df44c0524b4cd87d4be9698ba5e3d336ec35b58aa
Instruction Fuzzy Hash: 7FE0653390122456E63126779D05BDA3749AB427B1F190121BD5597581DB25ED01B3E1

Function 00F34F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34F6D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 33a25b4b502a7275b2753ffae7623dec6568a4dc57d40ac17a102c82aba33ecc
Instruction ID: 3b33e3b2d7e9857f41b6cdf2e404f08509f960df77ed4508c4183fc80664881e
Opcode Fuzzy Hash: 33a25b4b502a7275b2753ffae7623dec6568a4dc57d40ac17a102c82aba33ecc
Instruction Fuzzy Hash: DDF01C71505751CFDB349F75D490912B7E4AF1433971889AEE1EA83611C731B844EF50

Function 00FC2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FC2A66

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: d55a18783e5ab1b5e9e9519c159f259366b6f3be4e26b31b1b6054b16ab42b6d
Instruction ID: 3a520af7125baa2871b9879eaa9a16a2a6bdb8999a267821f7deeb08a3cacda0
Opcode Fuzzy Hash: d55a18783e5ab1b5e9e9519c159f259366b6f3be4e26b31b1b6054b16ab42b6d
Instruction Fuzzy Hash: E5E0DF32750116AADB54EB34DD81EFA735CEB10390B00403AEC1AC2100DF389981B2E0

Function 00F32DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F32DC4

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 1160767055506a78d41c8c47cadf9a53feee97ca3879741c0aa2bdbc8cb5e7f1
Instruction ID: 0bb9ea6d82c86d7bfa876251b671c2465bbcfd7f0818c69e262a37bd64e93781
Opcode Fuzzy Hash: 1160767055506a78d41c8c47cadf9a53feee97ca3879741c0aa2bdbc8cb5e7f1
Instruction Fuzzy Hash: 8CE0CD72A001245BC71092589C06FDA77DDDFC8790F054071FD0DD7248D964AD849691

Function 00F32B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F33837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F33908

Part of subcall function 00F3D730: GetInputState.USER32 ref: 00F3D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00F32B6B

Part of subcall function 00F330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F3314E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 1f62e31d81db47a8d91f5059d422b7beb109b7a036742b453551ad23918e1dcf
Instruction ID: 7cba9fef76d9419a4c8eab5d41ce282b3e859ba8708b8b23bb77ac5f91907e7d
Opcode Fuzzy Hash: 1f62e31d81db47a8d91f5059d422b7beb109b7a036742b453551ad23918e1dcf
Instruction Fuzzy Hash: 54E0C23270824807CA09FB74AC529BDF7599BD5375F40153EF286831A3CF7D8A49A352

Function 00F93D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F93D18

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 381d1518e621187e53acf593f9101609eec66682806d6392fa5f9c6c77e30f20
Instruction ID: b5e538e517610d7797bf02e7ce5ecd22128b126e446208d40cbd5d2de12962e7
Opcode Fuzzy Hash: 381d1518e621187e53acf593f9101609eec66682806d6392fa5f9c6c77e30f20
Instruction Fuzzy Hash: 1BD012E0AA03087EFB0083728E0BEBB329CC316A85F004BA4BA02D64C1D9A0DE081270

Function 00F7039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00F70704,?,?,00000000,?,00F70704,00000000,0000000C), ref: 00F703B7

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7066e603521015cc981bc968a756a9999dd613e4e7d51e9b01758365827cb4c8
Instruction ID: db1040b6e8ae096eb3fe68a5d86efb09314944d89bf253344ea7627a283d06ff
Opcode Fuzzy Hash: 7066e603521015cc981bc968a756a9999dd613e4e7d51e9b01758365827cb4c8
Instruction Fuzzy Hash: EDD06C3204010DBBDF028F85DD06EDA3BAAFB48714F014000FE1856020C732E821AB90

Function 00F31CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F31CBC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 767ddd735556f1ac4fefac3ff07a24db44879abf47c7fa3025a9c78a82407216
Instruction ID: 2c2704f0bd9474643d1bd0323a23434cc4b21109299ad972a0468de871746e72
Opcode Fuzzy Hash: 767ddd735556f1ac4fefac3ff07a24db44879abf47c7fa3025a9c78a82407216
Instruction Fuzzy Hash: D2C09236280308EFF3268B80BD4FF107765A348B01F088401F68EAA5D7C7B76861EB94

Non-executed Functions

Function 00FC9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FC961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FC965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FC969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FC96C9
SendMessageW.USER32 ref: 00FC96F2
GetKeyState.USER32(00000011), ref: 00FC978B
GetKeyState.USER32(00000009), ref: 00FC9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FC97AE
GetKeyState.USER32(00000010), ref: 00FC97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FC97E9
SendMessageW.USER32 ref: 00FC9810
SendMessageW.USER32(?,00001030,?,00FC7E95), ref: 00FC9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FC992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FC9941
SetCapture.USER32(?), ref: 00FC994A
ClientToScreen.USER32(?,?), ref: 00FC99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FC99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FC99D6
ReleaseCapture.USER32 ref: 00FC99E1
GetCursorPos.USER32(?), ref: 00FC9A19
ScreenToClient.USER32(?,?), ref: 00FC9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FC9A80
SendMessageW.USER32 ref: 00FC9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FC9AEB
SendMessageW.USER32 ref: 00FC9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FC9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FC9B4A
GetCursorPos.USER32(?), ref: 00FC9B68
ScreenToClient.USER32(?,?), ref: 00FC9B75
GetParent.USER32(?), ref: 00FC9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FC9BFA
SendMessageW.USER32 ref: 00FC9C2B
ClientToScreen.USER32(?,?), ref: 00FC9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FC9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FC9CDE
SendMessageW.USER32 ref: 00FC9D01
ClientToScreen.USER32(?,?), ref: 00FC9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FC9D82

Part of subcall function 00F49944: GetWindowLongW.USER32(?,000000EB), ref: 00F49952

GetWindowLongW.USER32(?,000000F0), ref: 00FC9E05

Strings

F, xrefs: 00FC9D07
@GUI_DRAGID, xrefs: 00FC997D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 569893073e6c0fda8e2cafa74a96301abfa8b215389fbe9f03484840085997dc
Instruction ID: 03699eae7e643aabda349c6524a332903ed8f156269aaa4dd5dd64aa9a1c6343
Opcode Fuzzy Hash: 569893073e6c0fda8e2cafa74a96301abfa8b215389fbe9f03484840085997dc
Instruction Fuzzy Hash: 32428D31608206AFD725CF24CE4AFAABBE5FF48320F14061DF599872A1D7B1D950EB91

Function 00FC4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00FC48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00FC4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00FC4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00FC494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00FC495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00FC497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00FC49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00FC49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00FC4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FC4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FC4A7E
IsMenu.USER32(?), ref: 00FC4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FC4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FC4B20
GetWindowLongW.USER32(?,000000F0), ref: 00FC4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00FC4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00FC4C82
wsprintfW.USER32 ref: 00FC4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FC4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FC4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FC4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FC4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00FC4D5A

Strings

%d/%02d/%02d, xrefs: 00FC4CA8

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 9f53d4f26d484504f965768c1ae74358dfb389e2167df0dd9e98961417d5b4a3
Instruction ID: 569443d7e3f5b33a97ad315d7ecbf2645168d6d58de6cf60d25f3de2bf60de2f
Opcode Fuzzy Hash: 9f53d4f26d484504f965768c1ae74358dfb389e2167df0dd9e98961417d5b4a3
Instruction Fuzzy Hash: A512257190021AABEB248F24CE5AFAE7BF8EF45720F10411DF51ADB2E1D774A940EB50

Function 00F91201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00F916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9170D
Part of subcall function 00F916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9173A
Part of subcall function 00F916C3: GetLastError.KERNEL32 ref: 00F9174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F91286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F912A8
CloseHandle.KERNEL32(?), ref: 00F912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F912D1
GetProcessWindowStation.USER32 ref: 00F912EA
SetProcessWindowStation.USER32(00000000), ref: 00F912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F91310

Part of subcall function 00F910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F911FC), ref: 00F910D4
Part of subcall function 00F910BF: CloseHandle.KERNEL32(?,?,00F911FC), ref: 00F910E9

Strings

, xrefs: 00F9125A
default, xrefs: 00F9130B
winsta0, xrefs: 00F912CC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 5f256af5d3f8c59bd486e58db27121f9d057b9e0f0195947be02d678f77e5b08
Instruction ID: 534511dd67dbfaed8130fe2ad68ad1bc4081947cfdb4c9fe9fcdc7bfa6173b78
Opcode Fuzzy Hash: 5f256af5d3f8c59bd486e58db27121f9d057b9e0f0195947be02d678f77e5b08
Instruction Fuzzy Hash: 98819E71D0020AABEF10DFA8DD49FEE7BB9FF09714F044129FA14A61A0C7358954EB60

Function 00F90B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F91114
Part of subcall function 00F910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91120
Part of subcall function 00F910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F9112F
Part of subcall function 00F910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91136
Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F90BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F90C00
GetLengthSid.ADVAPI32(?), ref: 00F90C17
GetAce.ADVAPI32(?,00000000,?), ref: 00F90C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F90C6D
GetLengthSid.ADVAPI32(?), ref: 00F90C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F90C8C
HeapAlloc.KERNEL32(00000000), ref: 00F90C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F90CB4
CopySid.ADVAPI32(00000000), ref: 00F90CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F90CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F90D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F90D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90D45
HeapFree.KERNEL32(00000000), ref: 00F90D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90D55
HeapFree.KERNEL32(00000000), ref: 00F90D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90D65
HeapFree.KERNEL32(00000000), ref: 00F90D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F90D78
HeapFree.KERNEL32(00000000), ref: 00F90D7F

Part of subcall function 00F91193: GetProcessHeap.KERNEL32(00000008,00F90BB1,?,00000000,?,00F90BB1,?), ref: 00F911A1
Part of subcall function 00F91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F90BB1,?), ref: 00F911A8
Part of subcall function 00F91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F90BB1,?), ref: 00F911B7

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fdc5efa5f37bb8cbe081b1409070b53ebbfce131e8420d66f424ef408294f2b0
Instruction ID: 2c5628d3e8a78c255399cba5f805be21554b4a02120895d2eb56ef3fe84ed4ca
Opcode Fuzzy Hash: fdc5efa5f37bb8cbe081b1409070b53ebbfce131e8420d66f424ef408294f2b0
Instruction Fuzzy Hash: 96715972D0020AAFEF109FA5DD45FAEBBBCBF04314F044515E918E7291DB75A905EBA0

Function 00FAEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00FCCC08), ref: 00FAEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FAEB37
GetClipboardData.USER32(0000000D), ref: 00FAEB43
CloseClipboard.USER32 ref: 00FAEB4F
GlobalLock.KERNEL32(00000000), ref: 00FAEB87
CloseClipboard.USER32 ref: 00FAEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00FAEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00FAEBC9
GetClipboardData.USER32(00000001), ref: 00FAEBD1
GlobalLock.KERNEL32(00000000), ref: 00FAEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00FAEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FAEC38
GetClipboardData.USER32(0000000F), ref: 00FAEC44
GlobalLock.KERNEL32(00000000), ref: 00FAEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FAEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FAEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FAECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00FAECF3
CountClipboardFormats.USER32 ref: 00FAED14
CloseClipboard.USER32 ref: 00FAED59

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 7ad2b238354473658119414eda9b9f1fbcc78891afb35a3d2ef01ef6013c0353
Instruction ID: 401867b89ef2be3a35334e9ce4f8fbcb2032bcdd99ec595356ace42521f577a0
Opcode Fuzzy Hash: 7ad2b238354473658119414eda9b9f1fbcc78891afb35a3d2ef01ef6013c0353
Instruction Fuzzy Hash: 50610175204306AFD300EF20CD89F6AB7A4AF85764F14441DF85A872A2CB71DD06EBA2

Function 00FA698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FA69BE
FindClose.KERNEL32(00000000), ref: 00FA6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FA6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FA6A75

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FA6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FA6ADF

Strings

%4d, xrefs: 00FA6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00FA6B6A
%03d, xrefs: 00FA6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FA6B32
%02d, xrefs: 00FA6C00, 00FA6C0A, 00FA6C5A, 00FA6CAA, 00FA6CFA, 00FA6D4A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 108612fb7c021735c0400c8c0b04df359be105cbc1a2cb29f6fbbf66184f9aad
Instruction ID: a4512fbb2d151209966a2b84d20d6ab7dc2a81c7b0999f1288b4cb6ef4112b2d
Opcode Fuzzy Hash: 108612fb7c021735c0400c8c0b04df359be105cbc1a2cb29f6fbbf66184f9aad
Instruction Fuzzy Hash: FFD185B2508304AFC314EBA0CD85EABB7ECAF89714F44491DF589D7151EB78DA04DB62

Function 00FA9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00FA9663
GetFileAttributesW.KERNEL32(?), ref: 00FA96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00FA96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00FA96D3
FindClose.KERNEL32(00000000), ref: 00FA96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00FA96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA974A
SetCurrentDirectoryW.KERNEL32(00FF6B7C), ref: 00FA9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FA9772
FindClose.KERNEL32(00000000), ref: 00FA977F
FindClose.KERNEL32(00000000), ref: 00FA978F

Strings

*.*, xrefs: 00FA96F5

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fddc28b1b18f32b89e12057ec3f86f788145ae9278b4ee576d12a2d21aea8d3a
Instruction ID: 3e724c934f26e5c69ba7210438ba08ebd6a2ff2254e9da7aaadeaf3062dc6fe3
Opcode Fuzzy Hash: fddc28b1b18f32b89e12057ec3f86f788145ae9278b4ee576d12a2d21aea8d3a
Instruction Fuzzy Hash: 7E31E27290420D6ADF10EFB4ED09EEE77AC9F4A320F1040A5FA18E31A0DB74D944AE60

Function 00FA979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00FA97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00FA9819
FindClose.KERNEL32(00000000), ref: 00FA9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00FA9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA9890
SetCurrentDirectoryW.KERNEL32(00FF6B7C), ref: 00FA98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FA98B8
FindClose.KERNEL32(00000000), ref: 00FA98C5
FindClose.KERNEL32(00000000), ref: 00FA98D5

Part of subcall function 00F9DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F9DB00

Strings

*.*, xrefs: 00FA983B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b729705b0e19e12b443814714582942f4bc860658ee7b18565003aafd9071aed
Instruction ID: 683f03b214e84b412490dfbb79b6152c1d8145e5db5689572f755bff1fff1463
Opcode Fuzzy Hash: b729705b0e19e12b443814714582942f4bc860658ee7b18565003aafd9071aed
Instruction Fuzzy Hash: 2F31C37290421D6ADB10EFB4EC49EEE77AC9F47330F5041A5E914E30A0DBB8D945EB60

Function 00FBBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00FBBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00FBBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FBC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FBC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FBC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FBC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00FBC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FBC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FBC382
RegCloseKey.ADVAPI32(00000000), ref: 00FBC38F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 6e68334c180b8f60cee0a7e4e5bf4053bbc1dfc917975283c3eef8e03d5ee7fb
Instruction ID: caeb6d2617d56eca89b4920ffa1d8d5e41bc986afe137168bd7eac8f28405e05
Opcode Fuzzy Hash: 6e68334c180b8f60cee0a7e4e5bf4053bbc1dfc917975283c3eef8e03d5ee7fb
Instruction Fuzzy Hash: D5025B71604200AFC714DF29C891E6ABBE5AF89318F58849DF84ADB2A2D731EC45DF91

Function 00FA8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FA8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FA8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FA8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FA8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FA838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8395

Strings

*.*, xrefs: 00FA839B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 37825269ef1e855fba01f60e208668ee6d289bf34000b041fbaee4c4ec31ebad
Instruction ID: bf71991163eede01e58258ccf49e5ef5aa8fc3107ad5d29bcac5c57266d25b20
Opcode Fuzzy Hash: 37825269ef1e855fba01f60e208668ee6d289bf34000b041fbaee4c4ec31ebad
Instruction Fuzzy Hash: BD618DB25083059FCB10EF60C841AAEB3E8FF89360F04491EF989D7251DB75E946DB92

Function 00F9D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

Part of subcall function 00F9E199: GetFileAttributesW.KERNEL32(?,00F9CF95), ref: 00F9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F9D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F9D1DD
MoveFileW.KERNEL32(?,?), ref: 00F9D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F9D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F9D237

Part of subcall function 00F9D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F9D21C,?,?), ref: 00F9D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00F9D253
FindClose.KERNEL32(00000000), ref: 00F9D264

Strings

\*.*, xrefs: 00F9D0CD, 00F9D0D6, 00F9D0EB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 93cedabef000a39a38fe3a00d352f22c9982e6571aec1978d63f8750e059673a
Instruction ID: 895fff2caea2a56d673fd1de845b39729cbbdb5c94e15afb2e793249bd0fd341
Opcode Fuzzy Hash: 93cedabef000a39a38fe3a00d352f22c9982e6571aec1978d63f8750e059673a
Instruction Fuzzy Hash: AB617C31C0510DAADF05EBE0CE929EDB7B5AF54320F704065E442B71A1EB78AF09EB60

Function 00FAED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FAED91
EmptyClipboard.USER32 ref: 00FAED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00FAEDAC
CloseClipboard.USER32 ref: 00FAEEA3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f936661ce0d9d7d87428582a5f07f749d5c323930f3530bacf1f55a2be0a2600
Instruction ID: 6b87a5878e411813d747dbac8365415b5949abe794322030a38a804b69c15d87
Opcode Fuzzy Hash: f936661ce0d9d7d87428582a5f07f749d5c323930f3530bacf1f55a2be0a2600
Instruction Fuzzy Hash: 2941EC75604211AFE320CF25D989F19BBE0EF05329F05C09DE4198B662C735EC42EBD0

Function 00F9E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9170D
Part of subcall function 00F916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9173A
Part of subcall function 00F916C3: GetLastError.KERNEL32 ref: 00F9174A

ExitWindowsEx.USER32(?,00000000), ref: 00F9E932

Strings

SeShutdownPrivilege, xrefs: 00F9E902
, xrefs: 00F9E920
, xrefs: 00F9E95C
@, xrefs: 00F9E925

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 8b2c127e45420fd496b25820c647ee7f388b6e2327181da1bf35342dbd00b877
Instruction ID: b1410a36289ed5971e17b6e3aee559f1343b4637550da814c13f20a0bf600ccb
Opcode Fuzzy Hash: 8b2c127e45420fd496b25820c647ee7f388b6e2327181da1bf35342dbd00b877
Instruction Fuzzy Hash: 6101D673E10215ABFF64A6B49D86FBB726CAB14760F150821FD03E31D1D9A55C40B1D0

Function 00FB1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FB1276
WSAGetLastError.WSOCK32 ref: 00FB1283
bind.WSOCK32(00000000,?,00000010), ref: 00FB12BA
WSAGetLastError.WSOCK32 ref: 00FB12C5
closesocket.WSOCK32(00000000), ref: 00FB12F4
listen.WSOCK32(00000000,00000005), ref: 00FB1303
WSAGetLastError.WSOCK32 ref: 00FB130D
closesocket.WSOCK32(00000000), ref: 00FB133C

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 69b3b0daaa46edfc03d0bbd8a1bf990f09bb794ba62f828967c76ad39a539a54
Instruction ID: 8edb029f9820aa30f8cadd1204946c8129908ad36132d78382e1f93b45b9d465
Opcode Fuzzy Hash: 69b3b0daaa46edfc03d0bbd8a1bf990f09bb794ba62f828967c76ad39a539a54
Instruction Fuzzy Hash: 8641D131A001009FD710DF25C999B6ABBE5BF46328F588088E85A8F2D2C731EC81DFE0

Function 00F6B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F6B9D4
_free.LIBCMT ref: 00F6B9F8
_free.LIBCMT ref: 00F6BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FD3700), ref: 00F6BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0100121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F6BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01001270,000000FF,?,0000003F,00000000,?), ref: 00F6BC36
_free.LIBCMT ref: 00F6BD4B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: c968522fc32de1074dfaae5d1c62ae8b94d11e8011ed2bb035524010526c5edf
Instruction ID: 4e4835fbaff68487cadf4a438c5823ced94d988e3e61becd841e7fa021d6ea0d
Opcode Fuzzy Hash: c968522fc32de1074dfaae5d1c62ae8b94d11e8011ed2bb035524010526c5edf
Instruction Fuzzy Hash: F7C12872E04208AFDB21DF78CC41BAA7BB9EF41320F14419AE894D7242E7349E81E750

Function 00F9D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

Part of subcall function 00F9E199: GetFileAttributesW.KERNEL32(?,00F9CF95), ref: 00F9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00F9D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F9D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F9D481
FindClose.KERNEL32(00000000), ref: 00F9D498
FindClose.KERNEL32(00000000), ref: 00F9D4A1

Strings

\*.*, xrefs: 00F9D3F2

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 16e5b4b157de8dd438049e9870f68b1f3f672f519cb3ae38a8c2e48c2a9a8f59
Instruction ID: 4684b7dbbdf799868627d98a0aab3a09d11fa2b9e2a0d0ee3be0098cea873a51
Opcode Fuzzy Hash: 16e5b4b157de8dd438049e9870f68b1f3f672f519cb3ae38a8c2e48c2a9a8f59
Instruction Fuzzy Hash: 5331AE3140C3459BC704EF64DD929AFB7A8AE91324F504A1DF4D5931A1EB34EA09EBA3

Function 00F6E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00F6E645

Strings

1#QNAN, xrefs: 00F6F84B
1#INF, xrefs: 00F6F852
1#SNAN, xrefs: 00F6F844
1#IND, xrefs: 00F6F83D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fc7635dacc55c666b1f99923e768132e3c4a565d0d225f4c840f9764bec82cb6
Instruction ID: 6e9f9d183786c1314d3eefc0c32bea864f6d68523aef12fb186d5ec723408137
Opcode Fuzzy Hash: fc7635dacc55c666b1f99923e768132e3c4a565d0d225f4c840f9764bec82cb6
Instruction Fuzzy Hash: 60C25D72E046288FDB25CF28DD407EAB7B5EB45315F1441EAD80EE7241E778AE85AF40

Function 00FA648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FA64DC
CoInitialize.OLE32(00000000), ref: 00FA6639
CoCreateInstance.OLE32(00FCFCF8,00000000,00000001,00FCFB68,?), ref: 00FA6650
CoUninitialize.OLE32 ref: 00FA68D4

Strings

.lnk, xrefs: 00FA64BA, 00FA6524, 00FA65E0

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: a807a3e25635b64fe1b65b468b9535fb546300655e68038722060574964c9747
Instruction ID: 260c9c6e996505db9fbd9bde3f07dab6cb9d67b1c0d06f697b0399aaa6066e53
Opcode Fuzzy Hash: a807a3e25635b64fe1b65b468b9535fb546300655e68038722060574964c9747
Instruction Fuzzy Hash: A8D149B1508301AFC314EF24C881A6BB7E8FF99714F04496DF595CB2A1EB74E909DB92

Function 00FB22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00FB22E8

Part of subcall function 00FAE4EC: GetWindowRect.USER32(?,?), ref: 00FAE504

GetDesktopWindow.USER32 ref: 00FB2312
GetWindowRect.USER32(00000000), ref: 00FB2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FB2355
GetCursorPos.USER32(?), ref: 00FB2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FB23DF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: aad7723ee13e3d58d944f99abba09778a27765021cc4fe1b118b30a039d7a425
Instruction ID: d313c1f98dbfdf9dcb920968b91fd3a18ff19216bc8e56dbaaba6f8340e1f867
Opcode Fuzzy Hash: aad7723ee13e3d58d944f99abba09778a27765021cc4fe1b118b30a039d7a425
Instruction Fuzzy Hash: 6531BE72504319ABDB20DF55CC49F9BB7E9FF88310F040919F98997191DB34E909DB92

Function 00FA9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FA9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FA9C8B

Part of subcall function 00FA3874: GetInputState.USER32 ref: 00FA38CB
Part of subcall function 00FA3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FA9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FA9C75

Strings

*.*, xrefs: 00FA9B5D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 9dd74fb6eae7ee452db06a2875d77958681f175b8d1732b0ac1d5901921ca754
Instruction ID: 2bf99127ac93f0e4897ea5a521d6af9ba03f46a13c2d1ff7eeb493589ee77eb2
Opcode Fuzzy Hash: 9dd74fb6eae7ee452db06a2875d77958681f175b8d1732b0ac1d5901921ca754
Instruction Fuzzy Hash: 1641B3B1D0860A9FCF14DFA4CD45AEE7BB4EF46320F104065E915A3191DB709E44EF60

Function 00F4997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F49A4E
GetSysColor.USER32(0000000F), ref: 00F49B23
SetBkColor.GDI32(?,00000000), ref: 00F49B36

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: db31dd9fc1accd064f11d40895757f1db21b6ef810f5592c50597c01dbad6590
Instruction ID: 339451f0320c5facff4b5e6b4148a86d8d17b4cee7d2b723625e697445a7cd91
Opcode Fuzzy Hash: db31dd9fc1accd064f11d40895757f1db21b6ef810f5592c50597c01dbad6590
Instruction Fuzzy Hash: 99A1D67170C554AEE725BA288C49FBF3E9DDB82360F240209F902C6595CAADDE41F371

Function 00FB1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FB307A
Part of subcall function 00FB304E: _wcslen.LIBCMT ref: 00FB309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FB185D
WSAGetLastError.WSOCK32 ref: 00FB1884
bind.WSOCK32(00000000,?,00000010), ref: 00FB18DB
WSAGetLastError.WSOCK32 ref: 00FB18E6
closesocket.WSOCK32(00000000), ref: 00FB1915

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: fcc3d2ae6d6b87370b0ba4f01ea0bc22a9fedf2ee5207b2adc48c8d90dfe25c1
Instruction ID: 24c6fd9b955d982b44c1d9fbaa13e3269262d48b75391c13e7f73230532a0965
Opcode Fuzzy Hash: fcc3d2ae6d6b87370b0ba4f01ea0bc22a9fedf2ee5207b2adc48c8d90dfe25c1
Instruction Fuzzy Hash: F351A375A00200AFDB10EF24C896F6A77E5AB44728F488458FA09AF3D3D775ED419BE1

Function 00FC1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FC1CC0
IsWindowEnabled.USER32 ref: 00FC1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00FC1CDB
IsIconic.USER32 ref: 00FC1CE9
IsZoomed.USER32 ref: 00FC1CF7

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a59143e37d0c8fd0cfc15cfe6223944787a3df94b60a78ce50f825ceae471380
Instruction ID: 1640b8f4fd94a481fbd33643fd6fc65a1982e3c68eb92eb268071997955093bf
Opcode Fuzzy Hash: a59143e37d0c8fd0cfc15cfe6223944787a3df94b60a78ce50f825ceae471380
Instruction Fuzzy Hash: AB219131B402125FD720CF2AC986F667BA5FF86325F19805CE84A8B252C775D852EB90

Function 00F38060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00F3813C
VUUU, xrefs: 00F3843C
VUUU, xrefs: 00F383E8
VUUU, xrefs: 00F75DF0
VUUU, xrefs: 00F383FA

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: ee52fa150b0d321bfdb7a40187e847aa1df6fa56cd09dbe25d69c2a65509f32b
Instruction ID: ccb206e368d3a2de535de7a2017c52432a152b50cb44cab20740162e0ee78aa5
Opcode Fuzzy Hash: ee52fa150b0d321bfdb7a40187e847aa1df6fa56cd09dbe25d69c2a65509f32b
Instruction Fuzzy Hash: 2BA29371E0061ACBDF24CF58C8417ADB7B1BF44760F2481AAE819A7385DB749D82EF91

Function 00FBA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FBA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00FBA6BA

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Process32NextW.KERNEL32(00000000,?), ref: 00FBA79C
CloseHandle.KERNEL32(00000000), ref: 00FBA7AB

Part of subcall function 00F4CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F73303,?), ref: 00F4CE8A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 49ae371e25f898ce007b0d3759d814f94281cf949d693d600b6fcd77d93bcc72
Instruction ID: e952985726c4c6164ac70ecce323637fe16b94d1d9661649b42a205d0cfb413f
Opcode Fuzzy Hash: 49ae371e25f898ce007b0d3759d814f94281cf949d693d600b6fcd77d93bcc72
Instruction Fuzzy Hash: 55514A71508300AFD710EF25CC86A6BBBE8FF89764F40891DF98997261EB74D904DB92

Function 00F9AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F9AAAC
SetKeyboardState.USER32(00000080), ref: 00F9AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F9AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F9AB88

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f5d18c84b19043642d570f376c1c0d9fa022b954b63eff00ee03375952a034cf
Instruction ID: 84b26512794eea4bbef3bfcd3afc16b8fcbea11d98860e4f2d26e1f7e0b090a1
Opcode Fuzzy Hash: f5d18c84b19043642d570f376c1c0d9fa022b954b63eff00ee03375952a034cf
Instruction Fuzzy Hash: 59312430E40608AFFF358F698C05BFA7BA6AB84324F04421AF185921D1D7798981F7E2

Function 00FACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FACE89
GetLastError.KERNEL32(?,00000000), ref: 00FACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00FACEFE

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 4fdcdeada9c955c20d6ce8d5213ac447a6dc19ecd271715da858741cb98082b5
Instruction ID: b600487fd7936f17155f0743db1ac62cf8d19f33793b144bb68377d82d91f49a
Opcode Fuzzy Hash: 4fdcdeada9c955c20d6ce8d5213ac447a6dc19ecd271715da858741cb98082b5
Instruction Fuzzy Hash: 43219DB1900305AFEB20DF65C989BA677F8EF41364F10442EE646D2151EB74EE08EBE0

Function 00F98298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F982AA

Strings

(, xrefs: 00F982F0
|, xrefs: 00F982DA

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 25180d7439e4d51d554d68ec3962593f1305081ef00b64fea1d7723eb5289f43
Instruction ID: 0cdc97bb4d5d29443912151404a34bf28db9f072396bfb275a3c25cc152b1610
Opcode Fuzzy Hash: 25180d7439e4d51d554d68ec3962593f1305081ef00b64fea1d7723eb5289f43
Instruction Fuzzy Hash: E6324575A007059FDB28CF59C480A6AB7F0FF48760B15C46EE49ADB3A1EB70E942DB40

Function 00FA5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FA5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00FA5D17
FindClose.KERNEL32(?), ref: 00FA5D5F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ecb704bafbf10ad635824e8f082d231a8a333c6e577a9ceadff19d42659c8934
Instruction ID: f02920a7837386bc3212e0bf5300015ba264873835c4f688e01561c97bd87b0b
Opcode Fuzzy Hash: ecb704bafbf10ad635824e8f082d231a8a333c6e577a9ceadff19d42659c8934
Instruction Fuzzy Hash: A6519AB5A046019FC714CF28C894E96B7E4FF4A324F14855DE99A8B3A2CB30ED05DF91

Function 00F62622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00F6271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F62724
UnhandledExceptionFilter.KERNEL32(?), ref: 00F62731

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cdf737d026b92135263f75efab4f4f6bcc9c507a7eb3e68a87698a4ad58b6377
Instruction ID: aa50f0e8ea0ae37ae49c27ff518e97c8f8771975117eb63e6f47ee331c601a5f
Opcode Fuzzy Hash: cdf737d026b92135263f75efab4f4f6bcc9c507a7eb3e68a87698a4ad58b6377
Instruction Fuzzy Hash: A131C474D0121C9BCB61DF64DD89BD8B7B8AF08310F5041EAE80CA7260EB349F859F84

Function 00FA51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FA5238
SetErrorMode.KERNEL32(00000000), ref: 00FA52A1

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6359fc18905a1f505a57147ead1fffdae33d494a7169f398c26ac87118af7034
Instruction ID: 25308d00f9d389e5db33958872251870396adf2caadd8542dde3d59c72c643cc
Opcode Fuzzy Hash: 6359fc18905a1f505a57147ead1fffdae33d494a7169f398c26ac87118af7034
Instruction Fuzzy Hash: E5313A75A00518DFDB00DF55D884EADBBB4FF49318F088099E809AB362DB35E856DBA0

Function 00F916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F50668
Part of subcall function 00F4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F50685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F9170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F9173A
GetLastError.KERNEL32 ref: 00F9174A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 68c88d44bd8c519b8a6c4dd5d41d3ac4a6631e6c9c07142a9019b492131f5a83
Instruction ID: 1d73f5e0a609695443ed52554b5a6938f32c067dc32830fb674ef069f4d237cc
Opcode Fuzzy Hash: 68c88d44bd8c519b8a6c4dd5d41d3ac4a6631e6c9c07142a9019b492131f5a83
Instruction Fuzzy Hash: 4011C4B2800309AFE7189F54DC86D6ABBB9FF44714B24852EE45A53241EB70BC419A60

Function 00F9D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F9D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F9D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F9D650

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 1fa91a21925db4634610c38ed7c7f2d9a9150e5d9e9e3b1ef4d52b183993a902
Instruction ID: 82710b4f6cba75c2fae74ca30833235fc0d938af2c221553868c2f7bda83094f
Opcode Fuzzy Hash: 1fa91a21925db4634610c38ed7c7f2d9a9150e5d9e9e3b1ef4d52b183993a902
Instruction Fuzzy Hash: 66115E75E05228BFEB108F95ED45FAFBBBCEB45B60F108115F908E7290D6704A059BE1

Function 00F91663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F9168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F916A1
FreeSid.ADVAPI32(?), ref: 00F916B1

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0529607bfb9d72f8595a7e4e500431417560792c2ffd438632801ec39053edff
Instruction ID: 203dfa4fc99da7a89ff49698e5287be191b9e1af6ca1893c29c269716ebed428
Opcode Fuzzy Hash: 0529607bfb9d72f8595a7e4e500431417560792c2ffd438632801ec39053edff
Instruction Fuzzy Hash: 19F0F471D9030DFBEF00DFE49D8AEAEBBBCFB08604F504565E901E2181E774AA449A94

Function 00F54CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00F628E9,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002,00000000,?,00F628E9), ref: 00F54D09
TerminateProcess.KERNEL32(00000000,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002,00000000,?,00F628E9), ref: 00F54D10
ExitProcess.KERNEL32 ref: 00F54D22

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 570357bd04352184225b5c1956ea6cc634ad48091d85f4c342d496ede00e59a4
Instruction ID: 8eed791bf6e56a8e43d58c724d6483611a38a1c6b5fa293ec39c1b3ceaf7f569
Opcode Fuzzy Hash: 570357bd04352184225b5c1956ea6cc634ad48091d85f4c342d496ede00e59a4
Instruction Fuzzy Hash: EFE0B631800148ABCF11AF54EE0AE583B79FB41796B144018FD098B122CB3AED86EA90

Function 00F6C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00F6C36C

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 6883756e43f17e5e6c99336da93b45efee14e4941871a577a5e8c7f87f014cac
Instruction ID: 66f71ef6834eeac5aed99a8aaa233a35d450e0dda62cc4ee3f0c67d30228740a
Opcode Fuzzy Hash: 6883756e43f17e5e6c99336da93b45efee14e4941871a577a5e8c7f87f014cac
Instruction Fuzzy Hash: E9413B729006196FCB24DFB9DC49EBB7778EB84314F504269F985D7280E6709D41DB90

Function 00F8D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F8D28C

Strings

X64, xrefs: 00F8D2A8

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 3fa63bfafea569ae8f68cd65697c7dec05111c013a0c5c4c7c9d7ecfd28ccd59
Instruction ID: 8affc8792f5aa33faeba8ff73963a464c8ab88c62b45b373dcb90dfedea52fe6
Opcode Fuzzy Hash: 3fa63bfafea569ae8f68cd65697c7dec05111c013a0c5c4c7c9d7ecfd28ccd59
Instruction Fuzzy Hash: 36D0CAB680112DEACB94DBA0EC89EDAB7BCBB04305F100292F50AE2040DB309648AF20

Function 00F5CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 53e11532cc5bffaa92608796a89bfb0d3eefd482cd5f151d3e5ad8e2eeb07810
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 92022D71E002199FDF14CFA9C8806ADBBF1EF48325F25816AD91AE7380D731AA45DBD0

Function 00FA68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FA6918
FindClose.KERNEL32(00000000), ref: 00FA6961

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6e5a2ea2020aa0e1fa7b3ca92c6fd3114713f3c41d38b0dbf2c762599cf29d6f
Instruction ID: b440da97c987798acfe0d4217469125397ef1408ad72631ca1f5205f208f438f
Opcode Fuzzy Hash: 6e5a2ea2020aa0e1fa7b3ca92c6fd3114713f3c41d38b0dbf2c762599cf29d6f
Instruction Fuzzy Hash: 391190756042009FC710DF29D889A16BBE5FF89328F19C699E4698F6A2CB34EC05DBD1

Function 00FA37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FB4891,?,?,00000035,?), ref: 00FA37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FB4891,?,?,00000035,?), ref: 00FA37F4

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e6fb443bbc6874027ea47ee164e6835f36383902ed750b087bc5e83f9d6b0f50
Instruction ID: 186bd173f8de30a037d8943a0a617b0de1436a2dbe76103e62f59a3658dbee96
Opcode Fuzzy Hash: e6fb443bbc6874027ea47ee164e6835f36383902ed750b087bc5e83f9d6b0f50
Instruction Fuzzy Hash: 2AF0E5B16083292AE72057669C4DFEB3AAEEFC5771F000165F50DD3281D9A09904D6F0

Function 00F910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F911FC), ref: 00F910D4
CloseHandle.KERNEL32(?,?,00F911FC), ref: 00F910E9

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 28eb333c6ad9da0fdb0a236b14d6f2d25be47bde77bdd9891a30592eeb5fb016
Instruction ID: 94ef9995e96c1322fdc4169d3f848e2dc2477998fda235c94d9ee14a8570df20
Opcode Fuzzy Hash: 28eb333c6ad9da0fdb0a236b14d6f2d25be47bde77bdd9891a30592eeb5fb016
Instruction Fuzzy Hash: 3FE04F32404600AEF7252B11FD06E737BA9FB04320B14882DF8AA814B1DB626C90FB50

Function 00F3CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00F80C40

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: c64a42e21da7425b6f2a72f372ec775cb123cdb9daa9e67017c787c0c79eb0e3
Instruction ID: 085123a96a1dbe96973f7ed86b3b036869eb82dbd4223379f0519aae45861312
Opcode Fuzzy Hash: c64a42e21da7425b6f2a72f372ec775cb123cdb9daa9e67017c787c0c79eb0e3
Instruction Fuzzy Hash: B832BE35D00218DBCF14EF94C885BEDB7B5BF05324F548059E806BB292DB79AD49EBA0

Function 00F6676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F66766,?,?,00000008,?,?,00F6FEFE,00000000), ref: 00F66998

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 59df2218c0b081d387816f73ea2a629e1059bff8c75c314c7d54a755f44f353c
Instruction ID: 00b12ad79de2b50be961b6d601fee8a84e142033f36bbb95643e2300e9ddfcd6
Opcode Fuzzy Hash: 59df2218c0b081d387816f73ea2a629e1059bff8c75c314c7d54a755f44f353c
Instruction Fuzzy Hash: 14B12B32A10609DFD719CF28C48AB657BE0FF45364F298658E899CF2A2C735E991DB40

Function 00F4B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00F8851F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 270566680d017628e8b518a002b3efb9227ba676a96b725a6ba5dfd5d088e012
Instruction ID: fb80c71abb233f13bcbf9e7b15aaaec826656c41d927b7e4368a4d5a816650f7
Opcode Fuzzy Hash: 270566680d017628e8b518a002b3efb9227ba676a96b725a6ba5dfd5d088e012
Instruction Fuzzy Hash: B8126071D002299BDB14DF58C8817EEBBB5FF48710F54819AE849EB252DB349E81EB90

Function 00FAEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FAEABD

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fef0bc0a11e18e4d4922d2d1ba156fe79f57e3f94747abed20775f4fcd4e0406
Instruction ID: a11397f7d31d0ebb43f08428c9c3635026f12abedef3f44a0f0e21c70bb6e7b2
Opcode Fuzzy Hash: fef0bc0a11e18e4d4922d2d1ba156fe79f57e3f94747abed20775f4fcd4e0406
Instruction Fuzzy Hash: 59E04F762002049FC710EF69D805E9AF7E9AF99770F00841AFD49DB351DB74EC40ABA0

Function 00F509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F503EE), ref: 00F509DA

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 5157a7beacb02eb715061046f38e2089e4fe336aa7a375b2a62594e3bcb19a7e
Instruction ID: fada75bd749f0a14cee2ba4346b6865cfc1e244b74d9559c94e70a1662f1b379
Opcode Fuzzy Hash: 5157a7beacb02eb715061046f38e2089e4fe336aa7a375b2a62594e3bcb19a7e
Instruction Fuzzy Hash:

Function 00F5781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00F5798B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 7ca8006ddbb72bebf824a7218cef32f4ebfdd5efc998caa8230a32d7101dde20
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 68516A72E0CB055BDB387528A85D7BF63859B12363F280509DF82D7692C619DE0EF361

Function 00F66DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7a73798764c0114fbf470992fa2e2ad1ec736c6baf2f5ad112361ec32afb16
Instruction ID: 9ce41943db2bb6b3d906f9ecbe0288824c9628d047b7a2ade852174bd5917f8d
Opcode Fuzzy Hash: 4b7a73798764c0114fbf470992fa2e2ad1ec736c6baf2f5ad112361ec32afb16
Instruction Fuzzy Hash: 88324622D2AF414DD723A634CC22335634AAFB73D9F14C737F81AB59A5EB29C4836140

Function 00F4CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c02b9e24f49f6ad4655dc17f9fad17ea7c3f4830a75a66fb7b8cf8e57729b02
Instruction ID: 753009225e8c38a4174f339edfc0fc9569c3eb96040b52d9fb67618baa161ac5
Opcode Fuzzy Hash: 4c02b9e24f49f6ad4655dc17f9fad17ea7c3f4830a75a66fb7b8cf8e57729b02
Instruction Fuzzy Hash: 7D320832E001558BDF28EF29C4D46FD7BA1EF45320F28856ADA599B291D234DD81FBE0

Function 00F37920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8af0a48ba8500c53a787801d233bdbb6ecea89c15691ca09d1dab4ba39defc
Instruction ID: e6a708b933df47b1ada736e8f6e7ce9b65109f61f0685da2893a61080ac4c913
Opcode Fuzzy Hash: 0e8af0a48ba8500c53a787801d233bdbb6ecea89c15691ca09d1dab4ba39defc
Instruction Fuzzy Hash: CF22E2B0E0460ADFDF14DF64C841BAEB7B5FF44320F208129E816A7291EB79AD14EB51

Function 00F391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712209e190bb022b8f8c043d4dcd127443fe80b0b85526416c540c4147cc70d7
Instruction ID: 5feda049f2ab20929efd7eed60457e27b45a77e5447ca5741f2b497885658801
Opcode Fuzzy Hash: 712209e190bb022b8f8c043d4dcd127443fe80b0b85526416c540c4147cc70d7
Instruction Fuzzy Hash: E302C9B1E00109EBDF05DF54D841AAEBBB5FF48310F10816AE81A9B291EB75ED14EB91

Function 00F69EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183b1a66db54233ae572f645c5f14f8257c2ede333676d8de1ca35153c6a171a
Instruction ID: c8d02267ac7aa0af9556d7be5a6ae5c0a6aa267f864302ac815fdca454af1fee
Opcode Fuzzy Hash: 183b1a66db54233ae572f645c5f14f8257c2ede333676d8de1ca35153c6a171a
Instruction Fuzzy Hash: 25B11120E2AF444DD32396398931336B75DAFBB2D5F92D31BFC2674D22EB2286835141

Function 00F51C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 8cab826f732e3b511f41c46b7e0c8a15c8c6172b9a10cb92c4d75a7c111c9462
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: A29177339080A34ADB294639853567EFFF16A523B371A079DDDF2CA1C1EE10A95CF620

Function 00F519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 9a22468c55fccbea025610127bad335e4c079c62c04e1f49bf4afe5371d5a7ea
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 759177736090A349DB2E427A857427DFFE16A923B331A079DD9F2CA1C1FD14A55CF620

Function 00F57A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0caf91f67bcedb3ed14278e37c6a83261d41d4c8386aaa09e8710d298fe3e2
Instruction ID: a1a9275cb07d36afcc7641ca0b947f7ffcdc2762c2cbdbc294570726c008b332
Opcode Fuzzy Hash: fb0caf91f67bcedb3ed14278e37c6a83261d41d4c8386aaa09e8710d298fe3e2
Instruction Fuzzy Hash: 45617831A0870966DA34B928BC99BBE3384DF81363F140919EF43DB295DA199E4FB315

Function 00F57CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbaa452d3aaa45e5720b6d1cc5760d33cddaecc180d5e0053b8748e02df844c
Instruction ID: f5d9c42dea02fc2af633262cefb09e8eb07d5e54e33c8bb89093d969778b7b00
Opcode Fuzzy Hash: dbbaa452d3aaa45e5720b6d1cc5760d33cddaecc180d5e0053b8748e02df844c
Instruction Fuzzy Hash: 88619B31E0870957DA3879287C56BBF33A89F41763F100959EF43DB281EA16AD4FB251

Function 00F51706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 52ced95e8dffbc645951d4de2489d1e0430ec2f7b9a9ebba00e7f7988bb47f9d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D48156739090A309DB69423D853467EFFE17A923B371A079DD9F2CA1C1EE14A55CF620

Function 00FA2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0f79772ac88e6f2a3c1afb829d6d1061d357a38b5b19be355ecb2ba845e236
Instruction ID: 96f9727f363dc6c91deba2dc8c13041258782de077c4565a6ccaca3bdb7c763c
Opcode Fuzzy Hash: 4d0f79772ac88e6f2a3c1afb829d6d1061d357a38b5b19be355ecb2ba845e236
Instruction Fuzzy Hash: 6621B7727206118BD728CF79C92367E73E5AB54320F15862EE4A7C37C5DE7AA904DB80

Function 00FB2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FB2B30
DeleteObject.GDI32(00000000), ref: 00FB2B43
DestroyWindow.USER32 ref: 00FB2B52
GetDesktopWindow.USER32 ref: 00FB2B6D
GetWindowRect.USER32(00000000), ref: 00FB2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FB2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FB2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2CF8
GetClientRect.USER32(00000000,?), ref: 00FB2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FB2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2DA8
GlobalFree.KERNEL32(00000000), ref: 00FB2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FCFC38,00000000), ref: 00FB2DDB
GlobalFree.KERNEL32(00000000), ref: 00FB2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FB2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FB2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FB303F

Strings

, xrefs: 00FB2FC5
AutoIt v3, xrefs: 00FB2CF2
static, xrefs: 00FB2D3A, 00FB2E91
DISPLAY, xrefs: 00FB2EA2

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 10556a92cca5b9ff756b9c5180eb3d51d234f9f5011ae7c713ead71d3e318f4d
Instruction ID: e1cdc61f8c6ca3d39b99cba0674b06e384a9396d30d75ffe4e17439e92ca3be4
Opcode Fuzzy Hash: 10556a92cca5b9ff756b9c5180eb3d51d234f9f5011ae7c713ead71d3e318f4d
Instruction Fuzzy Hash: A2025071900209AFDB14DF65CD89EAE7BB9EF48720F048558F919AB2A1CB74DD01EF60

Function 00FC70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FC712F
GetSysColorBrush.USER32(0000000F), ref: 00FC7160
GetSysColor.USER32(0000000F), ref: 00FC716C
SetBkColor.GDI32(?,000000FF), ref: 00FC7186
SelectObject.GDI32(?,?), ref: 00FC7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00FC71C0
GetSysColor.USER32(00000010), ref: 00FC71C8
CreateSolidBrush.GDI32(00000000), ref: 00FC71CF
FrameRect.USER32(?,?,00000000), ref: 00FC71DE
DeleteObject.GDI32(00000000), ref: 00FC71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00FC7230
FillRect.USER32(?,?,?), ref: 00FC7262
GetWindowLongW.USER32(?,000000F0), ref: 00FC7284

Part of subcall function 00FC73E8: GetSysColor.USER32(00000012), ref: 00FC7421
Part of subcall function 00FC73E8: SetTextColor.GDI32(?,?), ref: 00FC7425
Part of subcall function 00FC73E8: GetSysColorBrush.USER32(0000000F), ref: 00FC743B
Part of subcall function 00FC73E8: GetSysColor.USER32(0000000F), ref: 00FC7446
Part of subcall function 00FC73E8: GetSysColor.USER32(00000011), ref: 00FC7463
Part of subcall function 00FC73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FC7471
Part of subcall function 00FC73E8: SelectObject.GDI32(?,00000000), ref: 00FC7482
Part of subcall function 00FC73E8: SetBkColor.GDI32(?,00000000), ref: 00FC748B
Part of subcall function 00FC73E8: SelectObject.GDI32(?,?), ref: 00FC7498
Part of subcall function 00FC73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00FC74B7
Part of subcall function 00FC73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FC74CE
Part of subcall function 00FC73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00FC74DB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: bb08421c1d8e95a2fa0d2c6c6f1e9116f097efd3eceb5b5924a7f1ff2d6edfaa
Instruction ID: e55dcfcc280f93c5d21d12e0eeacc1eedb1c538e374d915b2179c4cbf6ad0353
Opcode Fuzzy Hash: bb08421c1d8e95a2fa0d2c6c6f1e9116f097efd3eceb5b5924a7f1ff2d6edfaa
Instruction Fuzzy Hash: ACA1AE72408306AFD700AF60DE4AF5B7BA9FB89320F140A19F966971E1D731E944EF91

Function 00F48D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F48E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F86AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F86AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F86F43

Part of subcall function 00F48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F48BE8,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F48FC5

SendMessageW.USER32(?,00001053), ref: 00F86F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F86F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F86FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00F86FB7

Strings

0, xrefs: 00F86DCF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 534747d57075996d70dd1c6811cf67376ff5a4a82158f9f6b5e361a8fc5d032b
Instruction ID: feb7b183bce0b994a37ca0324ea98b18cc397280fc53e756ba12c4c4774e179e
Opcode Fuzzy Hash: 534747d57075996d70dd1c6811cf67376ff5a4a82158f9f6b5e361a8fc5d032b
Instruction Fuzzy Hash: 4912AD31A00201EFDB25EF14C945BEABBE5FB45320F144469F999CB251CB36EC92EB91

Function 00FB2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FB273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FB286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FB28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FB28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FB2900
GetClientRect.USER32(00000000,?), ref: 00FB290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FB2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FB2964
GetStockObject.GDI32(00000011), ref: 00FB2974
SelectObject.GDI32(00000000,00000000), ref: 00FB2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FB2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FB2991
DeleteDC.GDI32(00000000), ref: 00FB299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FB29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FB29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FB2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FB2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FB2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FB2A77
GetStockObject.GDI32(00000011), ref: 00FB2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FB2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FB2A97

Strings

AutoIt v3, xrefs: 00FB28F8
static, xrefs: 00FB294F, 00FB2A71
msctls_progress32, xrefs: 00FB2A13
DISPLAY, xrefs: 00FB295A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a19e29bf816f70cb41ff88a3ea916a11489904107cca888bc437343128d78804
Instruction ID: e1c11f037eb9c8d5df01b31244f52ecb49b458781bd7aaed6b9c39d3f5754524
Opcode Fuzzy Hash: a19e29bf816f70cb41ff88a3ea916a11489904107cca888bc437343128d78804
Instruction Fuzzy Hash: 21B16FB1A00209AFEB24DF69CD4AFAE7BA9EB48710F148115F914E72D0DB74ED40DB94

Function 00FA4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA4AED
GetDriveTypeW.KERNEL32(?,00FCCB68,?,\\.\,00FCCC08), ref: 00FA4BCA
SetErrorMode.KERNEL32(00000000,00FCCB68,?,\\.\,00FCCC08), ref: 00FA4D36

Strings

SAS, xrefs: 00FA4CC9
RAMDisk, xrefs: 00FA4BF4
ATA, xrefs: 00FA4C98
SATA, xrefs: 00FA4CD0
USB, xrefs: 00FA4CB4
Network, xrefs: 00FA4C02
ATAPI, xrefs: 00FA4C91
SSD, xrefs: 00FA4C4A
Fixed, xrefs: 00FA4C09
\\.\, xrefs: 00FA4B3F
Fibre, xrefs: 00FA4CAD
PhysicalDrive, xrefs: 00FA4B76
1394, xrefs: 00FA4C9F
Unknown, xrefs: 00FA4BED, 00FA4C83
CDROM, xrefs: 00FA4BFB
FileBackedVirtual, xrefs: 00FA4CEC
SSA, xrefs: 00FA4CA6
SCSI, xrefs: 00FA4C8A
Virtual, xrefs: 00FA4CE5
Removable, xrefs: 00FA4C10, 00FA4C15
MMC, xrefs: 00FA4CDE
iSCSI, xrefs: 00FA4CC2
RAID, xrefs: 00FA4CBB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ec71fc57c768452d7dbef71e11587e7680cdf96e33d4e9b3882fed144ccbd1c0
Instruction ID: cb75527d09e51b625944fd92ccccae06e69da24c196a3c73379e7f64bd76f09f
Opcode Fuzzy Hash: ec71fc57c768452d7dbef71e11587e7680cdf96e33d4e9b3882fed144ccbd1c0
Instruction Fuzzy Hash: 8B61A7B160520A9BCB04DF14CA81A7C77B0AF86760B244415F90AEB6A1DFF5FD41FB52

Function 00FC73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FC7421
SetTextColor.GDI32(?,?), ref: 00FC7425
GetSysColorBrush.USER32(0000000F), ref: 00FC743B
GetSysColor.USER32(0000000F), ref: 00FC7446
CreateSolidBrush.GDI32(?), ref: 00FC744B
GetSysColor.USER32(00000011), ref: 00FC7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FC7471
SelectObject.GDI32(?,00000000), ref: 00FC7482
SetBkColor.GDI32(?,00000000), ref: 00FC748B
SelectObject.GDI32(?,?), ref: 00FC7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00FC74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FC74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00FC74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FC752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FC7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00FC7572
DrawFocusRect.USER32(?,?), ref: 00FC757D
GetSysColor.USER32(00000011), ref: 00FC758E
SetTextColor.GDI32(?,00000000), ref: 00FC7596
DrawTextW.USER32(?,00FC70F5,000000FF,?,00000000), ref: 00FC75A8
SelectObject.GDI32(?,?), ref: 00FC75BF
DeleteObject.GDI32(?), ref: 00FC75CA
SelectObject.GDI32(?,?), ref: 00FC75D0
DeleteObject.GDI32(?), ref: 00FC75D5
SetTextColor.GDI32(?,?), ref: 00FC75DB
SetBkColor.GDI32(?,?), ref: 00FC75E5

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 932cd6b77026b315c68e1d7a664bfed89f7ddf9d6c60809801254fb9c50f57c5
Instruction ID: e908876455d3fc1e72ba01ed9b9b6e6050f07d05821e18987fedec8a2a1730a6
Opcode Fuzzy Hash: 932cd6b77026b315c68e1d7a664bfed89f7ddf9d6c60809801254fb9c50f57c5
Instruction Fuzzy Hash: AC617D72D00219AFDF009FA4DD4AEEEBFB9EB08320F144515F919AB2A1D7719940EF90

Function 00FC0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FC1128
GetDesktopWindow.USER32 ref: 00FC113D
GetWindowRect.USER32(00000000), ref: 00FC1144
GetWindowLongW.USER32(?,000000F0), ref: 00FC1199
DestroyWindow.USER32(?), ref: 00FC11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FC11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FC120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FC121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00FC1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FC1245
IsWindowVisible.USER32(00000000), ref: 00FC12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FC12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FC12D0
GetWindowRect.USER32(00000000,?), ref: 00FC12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00FC130E
GetMonitorInfoW.USER32(00000000,?), ref: 00FC1328
CopyRect.USER32(?,?), ref: 00FC133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00FC13AA

Strings

tooltips_class32, xrefs: 00FC11E6
(, xrefs: 00FC131B
0, xrefs: 00FC10D3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a4f9cdc81bda229b62aa4df36acd3fa0a26d646c16bde4ecd2eba6672ba65050
Instruction ID: 8d3d0e814b6086cbe759c3f6f430da6540a252a9311d5c9846af09a7c2a4031d
Opcode Fuzzy Hash: a4f9cdc81bda229b62aa4df36acd3fa0a26d646c16bde4ecd2eba6672ba65050
Instruction Fuzzy Hash: C6B1AE71A08341AFD700DF64CA86F6ABBE4FF85314F00891CF9999B262C771E854EB91

Function 00FC0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FC02E5
_wcslen.LIBCMT ref: 00FC031F
_wcslen.LIBCMT ref: 00FC0389
_wcslen.LIBCMT ref: 00FC03F1
_wcslen.LIBCMT ref: 00FC0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FC04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FC0504

Part of subcall function 00F4F9F2: _wcslen.LIBCMT ref: 00F4F9FD

Part of subcall function 00F9223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F92258
Part of subcall function 00F9223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F9228A

Strings

GETITEMCOUNT, xrefs: 00FC0316, 00FC0337
SELECTCLEAR, xrefs: 00FC052D
GETTEXT, xrefs: 00FC03EC, 00FC0407
GETSUBITEMCOUNT, xrefs: 00FC0384, 00FC039F
VIEWCHANGE, xrefs: 00FC0675
GETSELECTED, xrefs: 00FC05E1
DESELECT, xrefs: 00FC059C
SELECTINVERT, xrefs: 00FC057E
FINDITEM, xrefs: 00FC0627
GETSELECTEDCOUNT, xrefs: 00FC0470, 00FC048B
SELECTALL, xrefs: 00FC0515
ISSELECTED, xrefs: 00FC04DD
SELECT, xrefs: 00FC0548

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 900ce60f0df08c8473fa2818d8654438fb84af4b8314b2486984c18891e4bab9
Instruction ID: e34901f884af73775bf8d2aa44d16970c76820ee47961d8c9da8684aba18c317
Opcode Fuzzy Hash: 900ce60f0df08c8473fa2818d8654438fb84af4b8314b2486984c18891e4bab9
Instruction Fuzzy Hash: F4E1BF31608302DBC718DF24CA52E2AB3E5BF88324F14495CF9969B2A5DB34ED46EB51

Function 00F48891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F48968
GetSystemMetrics.USER32(00000007), ref: 00F48970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F4899B
GetSystemMetrics.USER32(00000008), ref: 00F489A3
GetSystemMetrics.USER32(00000004), ref: 00F489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F48A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F48A3C
GetClientRect.USER32(00000000,000000FF), ref: 00F48A5A
GetStockObject.GDI32(00000011), ref: 00F48A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F48A81

Part of subcall function 00F4912D: GetCursorPos.USER32(?), ref: 00F49141
Part of subcall function 00F4912D: ScreenToClient.USER32(00000000,?), ref: 00F4915E
Part of subcall function 00F4912D: GetAsyncKeyState.USER32(00000001), ref: 00F49183
Part of subcall function 00F4912D: GetAsyncKeyState.USER32(00000002), ref: 00F4919D

SetTimer.USER32(00000000,00000000,00000028,00F490FC), ref: 00F48AA8

Strings

AutoIt v3 GUI, xrefs: 00F48A20

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f625af98441df7f7e3641b0b4e19cc6a093f09ec8f9164f8b85b23dfb80f9945
Instruction ID: d5c0e65200ed7f1685416f8eb3243582e57b7ac08bcb8c487cef77a1fd711aeb
Opcode Fuzzy Hash: f625af98441df7f7e3641b0b4e19cc6a093f09ec8f9164f8b85b23dfb80f9945
Instruction Fuzzy Hash: 29B17B31A0020AAFDB14DFA8DD45FAE3BB5FB48714F104219FA19E7290DB74E941EB91

Function 00F90D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F91114
Part of subcall function 00F910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91120
Part of subcall function 00F910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F9112F
Part of subcall function 00F910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91136
Part of subcall function 00F910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F90DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F90E29
GetLengthSid.ADVAPI32(?), ref: 00F90E40
GetAce.ADVAPI32(?,00000000,?), ref: 00F90E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F90E96
GetLengthSid.ADVAPI32(?), ref: 00F90EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F90EB5
HeapAlloc.KERNEL32(00000000), ref: 00F90EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F90EDD
CopySid.ADVAPI32(00000000), ref: 00F90EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F90F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F90F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F90F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90F6E
HeapFree.KERNEL32(00000000), ref: 00F90F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90F7E
HeapFree.KERNEL32(00000000), ref: 00F90F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F90F8E
HeapFree.KERNEL32(00000000), ref: 00F90F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00F90FA1
HeapFree.KERNEL32(00000000), ref: 00F90FA8

Part of subcall function 00F91193: GetProcessHeap.KERNEL32(00000008,00F90BB1,?,00000000,?,00F90BB1,?), ref: 00F911A1
Part of subcall function 00F91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F90BB1,?), ref: 00F911A8
Part of subcall function 00F91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F90BB1,?), ref: 00F911B7

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9eb9af8f8a8ade3411cb128ef6c4ce60af3fd81f638c43bb7b7f3c399ce58ce7
Instruction ID: a3fc36f41eb12a3c7a06c85312fe3eab98b7e6b9081018f0dc024f2268bb5177
Opcode Fuzzy Hash: 9eb9af8f8a8ade3411cb128ef6c4ce60af3fd81f638c43bb7b7f3c399ce58ce7
Instruction Fuzzy Hash: 6D714B7290020AAFEF209FA5DD45FAEBBB8FF04314F044125F919E7191DB319A05EBA0

Function 00FBC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FCCC08,00000000,?,00000000,?,?), ref: 00FBC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FBC5A4
_wcslen.LIBCMT ref: 00FBC5F4
_wcslen.LIBCMT ref: 00FBC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FBC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FBC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FBC84D
RegCloseKey.ADVAPI32(?), ref: 00FBC881
RegCloseKey.ADVAPI32(00000000), ref: 00FBC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FBC960

Strings

REG_QWORD, xrefs: 00FBC8C3
REG_BINARY, xrefs: 00FBC913
REG_DWORD, xrefs: 00FBC804
REG_MULTI_SZ, xrefs: 00FBC6F5
REG_SZ, xrefs: 00FBC644
REG_EXPAND_SZ, xrefs: 00FBC5CD

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 6f071788d331d08b5ff3e46bb184386d0a3b7ba11cf3d4d7d94ab01bcc476485
Instruction ID: cbaabcb3d7b0f250eef16801d0df621c554b431f794cc139e4fc665506da5669
Opcode Fuzzy Hash: 6f071788d331d08b5ff3e46bb184386d0a3b7ba11cf3d4d7d94ab01bcc476485
Instruction Fuzzy Hash: FD126B756042019FDB14DF15C881A6AB7E5EF88724F18885CF88A9B3A2DB35FD41EF81

Function 00FC091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FC09C6
_wcslen.LIBCMT ref: 00FC0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FC0A54
_wcslen.LIBCMT ref: 00FC0A8A
_wcslen.LIBCMT ref: 00FC0B06
_wcslen.LIBCMT ref: 00FC0B81

Part of subcall function 00F4F9F2: _wcslen.LIBCMT ref: 00F4F9FD

Part of subcall function 00F92BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F92BFA

Strings

UNCHECK, xrefs: 00FC0D3E
GETITEMCOUNT, xrefs: 00FC0C1E
GETTEXT, xrefs: 00FC0C97
CHECK, xrefs: 00FC0A85, 00FC0AA0
ISCHECKED, xrefs: 00FC0CE1
GETTOTALCOUNT, xrefs: 00FC09F2, 00FC0A17
GETSELECTED, xrefs: 00FC0C4E
EXPAND, xrefs: 00FC0BF8
COLLAPSE, xrefs: 00FC0B01, 00FC0B1C
SELECT, xrefs: 00FC0D11
EXISTS, xrefs: 00FC0B7C, 00FC0B97

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b507728c92a0df4dec8a9752b92f6054985f83a105e5eb2f11d4e3963b9509a6
Instruction ID: d6c15008b1e6e7a526085bd417a93c92bfcce61d72bb9921094873e5e486ca1a
Opcode Fuzzy Hash: b507728c92a0df4dec8a9752b92f6054985f83a105e5eb2f11d4e3963b9509a6
Instruction Fuzzy Hash: 2FE18E36608302DFCB14EF24C951A2AB7E1BF94324F14495CF89697362DB35ED46EB81

Function 00FBC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
_wcslen.LIBCMT ref: 00FBC9F1
_wcslen.LIBCMT ref: 00FBCA68
_wcslen.LIBCMT ref: 00FBCA9E
_wcslen.LIBCMT ref: 00FBCAF9
_wcslen.LIBCMT ref: 00FBCB2F
_wcslen.LIBCMT ref: 00FBCB7F

Strings

HKEY_CLASSES_ROOT, xrefs: 00FBCAF3, 00FBCAF8
HKCC, xrefs: 00FBCBAC
HKLM, xrefs: 00FBCA98, 00FBCA9D
HKEY_LOCAL_MACHINE, xrefs: 00FBCA62, 00FBCA67
HKU, xrefs: 00FBCBF0
HKEY_CURRENT_CONFIG, xrefs: 00FBCB79, 00FBCB7E
HKEY_USERS, xrefs: 00FBCBDF
HKEY_CURRENT_USER, xrefs: 00FBCBBD
HKCU, xrefs: 00FBCBCE
HKCR, xrefs: 00FBCB29, 00FBCB2E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 3e560894d8cf7475ee522e759cb1c04aceef3457eace07187ae319e30fe60b87
Instruction ID: 9cb8c3907a784f9755f8d602f05838abea83baee2ba9340d4f213dfc1b599ed6
Opcode Fuzzy Hash: 3e560894d8cf7475ee522e759cb1c04aceef3457eace07187ae319e30fe60b87
Instruction Fuzzy Hash: 85710533A0016A8BCB20EE2ACC516FF37959FA0774B214128FC559B295E638CD44BBE0

Function 00FC833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FC835A
_wcslen.LIBCMT ref: 00FC836E
_wcslen.LIBCMT ref: 00FC8391
_wcslen.LIBCMT ref: 00FC83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FC83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FC5BF2), ref: 00FC844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FC8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FC84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FC8501
FreeLibrary.KERNEL32(?), ref: 00FC850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FC851D
DestroyIcon.USER32(?,?,?,?,?,00FC5BF2), ref: 00FC852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FC8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FC8555

Strings

.icl, xrefs: 00FC8368
.exe, xrefs: 00FC8388
.dll, xrefs: 00FC83AB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: dc9cdc1252d02316bd7191c25e36761a1ebc75c1c6325182a25932f5d8d9a501
Instruction ID: 380161ba1c99d7085f43142495bf64f78b0e59c7a85f9f97196aeb4be1537fe6
Opcode Fuzzy Hash: dc9cdc1252d02316bd7191c25e36761a1ebc75c1c6325182a25932f5d8d9a501
Instruction Fuzzy Hash: 6A61D17194021ABAEB18DF64CD42FFE77A8BF04761F10450AF915D70D1DBB4A981EBA0

Function 00F37778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 00F3785F, 00F378B1
#ce, xrefs: 00F378ED
Cannot parse #include, xrefs: 00F75279
#cs, xrefs: 00F37873, 00F378C5
', xrefs: 00F75169
Unterminated group of comments, xrefs: 00F7528C
", xrefs: 00F75153
#pragma compile, xrefs: 00F377D3
Bad directive syntax error, xrefs: 00F7519A
#notrayicon, xrefs: 00F377E7
#comments-end, xrefs: 00F378D9
#include-once, xrefs: 00F3782F
#OnAutoItStartRegister, xrefs: 00F37817
#requireadmin, xrefs: 00F377FF
#include, xrefs: 00F37847

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 07544cfd68641fd6d5d38e525923591bef869ab314bb9274e3d23ae4023fc80a
Instruction ID: a84ec6fc7c7f0fe7d6a197115242a1aa9e2640a9afead965ab15f28e706ab996
Opcode Fuzzy Hash: 07544cfd68641fd6d5d38e525923591bef869ab314bb9274e3d23ae4023fc80a
Instruction Fuzzy Hash: E481F8B1A04305BBDB20BF60CC43FAE7BA4AF14760F044025FD09AA192EBB4D915F792

Function 00FA3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FA3EF8
_wcslen.LIBCMT ref: 00FA3F03
_wcslen.LIBCMT ref: 00FA3F5A
_wcslen.LIBCMT ref: 00FA3F98
GetDriveTypeW.KERNEL32(?), ref: 00FA3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FA4087

Strings

close cd wait, xrefs: 00FA4072
close, xrefs: 00FA3EFE, 00FA3F18
type cdaudio alias cd wait, xrefs: 00FA4001
open, xrefs: 00FA3F54, 00FA3F59
open , xrefs: 00FA3FE5
wait, xrefs: 00FA4044
closed, xrefs: 00FA3F08, 00FA3F2D, 00FA3F46, 00FA3F7E, 00FA3F97
set cd door , xrefs: 00FA4028

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 6defe51fbd53e519bb3fdb4e5f63c059c12814f394984a62d3d35c73ed84c1e8
Instruction ID: c1e972f4b3355ca5a41505009d972899e98cad9da24b62c9972ac018f5b6740f
Opcode Fuzzy Hash: 6defe51fbd53e519bb3fdb4e5f63c059c12814f394984a62d3d35c73ed84c1e8
Instruction Fuzzy Hash: 2771F1B2A042059FC310EF34C88186AB7F4EF95768F10892DF996D7261EB34ED45EB91

Function 00F95A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F95A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F95A40
SetWindowTextW.USER32(?,?), ref: 00F95A57
GetDlgItem.USER32(?,000003EA), ref: 00F95A6C
SetWindowTextW.USER32(00000000,?), ref: 00F95A72
GetDlgItem.USER32(?,000003E9), ref: 00F95A82
SetWindowTextW.USER32(00000000,?), ref: 00F95A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F95AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F95AC3
GetWindowRect.USER32(?,?), ref: 00F95ACC
_wcslen.LIBCMT ref: 00F95B33
SetWindowTextW.USER32(?,?), ref: 00F95B6F
GetDesktopWindow.USER32 ref: 00F95B75
GetWindowRect.USER32(00000000), ref: 00F95B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F95BD3
GetClientRect.USER32(?,?), ref: 00F95BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00F95C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F95C2F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: bd7d5e7c448d1f2d2df73926b493b9dafa9c9a56abdd9347780085d896dad067
Instruction ID: be1150821d3602bda9881e389f3f206f8de8891c4aad724cbc3feafdc4c5ba96
Opcode Fuzzy Hash: bd7d5e7c448d1f2d2df73926b493b9dafa9c9a56abdd9347780085d896dad067
Instruction Fuzzy Hash: AB717D31900A099FEB21DFA8CE86E6EBBF5FF48B14F104518E586A35A0D775E940EB50

Function 00FAFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00FAFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00FAFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00FAFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00FAFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00FAFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00FAFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00FAFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00FAFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00FAFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00FAFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00FAFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00FAFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00FAFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00FAFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00FAFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00FAFECC
GetCursorInfo.USER32(?), ref: 00FAFEDC
GetLastError.KERNEL32 ref: 00FAFF1E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 505ed4a2adf25ca910e8f29a05ddae1dac348ad8dac4d39909af35960b9684eb
Instruction ID: e8e5c6ac02071980a931e482eeb162708c007547ec666296f0dfbfd7e29a6485
Opcode Fuzzy Hash: 505ed4a2adf25ca910e8f29a05ddae1dac348ad8dac4d39909af35960b9684eb
Instruction Fuzzy Hash: 0A4153B0D043196FDB109FBA8C85C5EBFE8FF05364B50462AE11DEB281DB7899019F91

Function 00F500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F500C6

Part of subcall function 00F500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0100070C,00000FA0,96AC8434,?,?,?,?,00F723B3,000000FF), ref: 00F5011C
Part of subcall function 00F500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F723B3,000000FF), ref: 00F50127
Part of subcall function 00F500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F723B3,000000FF), ref: 00F50138
Part of subcall function 00F500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F5014E
Part of subcall function 00F500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F5015C
Part of subcall function 00F500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F5016A
Part of subcall function 00F500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F50195
Part of subcall function 00F500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F501A0

___scrt_fastfail.LIBCMT ref: 00F500E7

Part of subcall function 00F500A3: __onexit.LIBCMT ref: 00F500A9

Strings

InitializeConditionVariable, xrefs: 00F50148
kernel32.dll, xrefs: 00F50133
WakeAllConditionVariable, xrefs: 00F50162
SleepConditionVariableCS, xrefs: 00F50154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F50122

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 4acd2b02cc7a8bb834b82a4c6a113fc258165372590a0722b089bb0c404f1184
Instruction ID: d0c265db2c2697ad45573fbd77fc5cff02eba1a9d7faa3c91d59fd085d86330f
Opcode Fuzzy Hash: 4acd2b02cc7a8bb834b82a4c6a113fc258165372590a0722b089bb0c404f1184
Instruction Fuzzy Hash: 54212932E40B156BE7215B64AD07F6A7794EB04B62F04013AFD0A972C1DF788808BAD2

Function 00F930F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F9318D
_wcslen.LIBCMT ref: 00F931F8

Strings

NAME, xrefs: 00F93335, 00F93346
INSTANCE, xrefs: 00F93453
CLASS, xrefs: 00F93188, 00F931A5
REGEXPCLASS, xrefs: 00F93255, 00F93266
TEXT, xrefs: 00F9347C
CLASSNN, xrefs: 00F931F3, 00F93204

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 213b8210681e746af9b23e2ccd1a06c955995ec56b88f0f262deb1af20cf1307
Instruction ID: 2fde87fc10329123395a966cb27b32b83a89e27edbe8fc7a558f10eb5729715f
Opcode Fuzzy Hash: 213b8210681e746af9b23e2ccd1a06c955995ec56b88f0f262deb1af20cf1307
Instruction Fuzzy Hash: F1E1E532E00516ABDF18DFA8C841BFDBBB0BF44720F558119E956E7250DB30AE89B790

Function 00FA44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00FCCC08), ref: 00FA4527
_wcslen.LIBCMT ref: 00FA453B
_wcslen.LIBCMT ref: 00FA4599
_wcslen.LIBCMT ref: 00FA45F4
_wcslen.LIBCMT ref: 00FA463F
_wcslen.LIBCMT ref: 00FA46A7

Part of subcall function 00F4F9F2: _wcslen.LIBCMT ref: 00F4F9FD

GetDriveTypeW.KERNEL32(?,00FF6BF0,00000061), ref: 00FA4743

Strings

cdrom, xrefs: 00FA458F, 00FA4594
ramdisk, xrefs: 00FA46F1
fixed, xrefs: 00FA4635, 00FA463A
network, xrefs: 00FA469D, 00FA46A2
all, xrefs: 00FA4531, 00FA4536
removable, xrefs: 00FA45EA, 00FA45EF
unknown, xrefs: 00FA4708

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 1e8c691230f5e28235f2dbe1093497a327eac7fd65c8cb68caf52e857a148589
Instruction ID: 8debabd50ec9d430ac24d090e94d07a30bd45bf3e8f557fd2b3600ef20f4a8a9
Opcode Fuzzy Hash: 1e8c691230f5e28235f2dbe1093497a327eac7fd65c8cb68caf52e857a148589
Instruction Fuzzy Hash: DEB1F3B1A083029FC710DF28C891A6AB7E5AFD6720F50491DF596C7291D7B4E844EB52

Function 00FB3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00FCCC08), ref: 00FB40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FB40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00FCCC08), ref: 00FB40F2
FreeLibrary.KERNEL32(00000000,?,00FCCC08), ref: 00FB413E
StringFromGUID2.OLE32(?,?,00000028,?,00FCCC08), ref: 00FB41A8
SysFreeString.OLEAUT32(00000009), ref: 00FB4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FB42C8
SysFreeString.OLEAUT32(?), ref: 00FB42F2

Strings

GetModuleHandleExW, xrefs: 00FB40C7
kernel32.dll, xrefs: 00FB40B6

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 497ef0101a77e3297b6811868fce23313b6cc535d0c727b527dad5ec2af79d09
Instruction ID: 59587c4ee8c120b881d554fde51683c10f44e456e8ae9788f19254292173befd
Opcode Fuzzy Hash: 497ef0101a77e3297b6811868fce23313b6cc535d0c727b527dad5ec2af79d09
Instruction Fuzzy Hash: F7125A75A00109EFDB14DF95C984EAEBBB5FF45314F288098E9099B252C731ED42EFA0

Function 00F3326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01001990), ref: 00F72F8D
GetMenuItemCount.USER32(01001990), ref: 00F7303D
GetCursorPos.USER32(?), ref: 00F73081
SetForegroundWindow.USER32(00000000), ref: 00F7308A
TrackPopupMenuEx.USER32(01001990,00000000,?,00000000,00000000,00000000), ref: 00F7309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F730A9

Strings

0, xrefs: 00F3327D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 43a558747d1c2ee681dc8f5b95c07c3af6e9b92d28e4f3c8e645572bf0f688b4
Instruction ID: 75e578a325d3afbe5ae1d335def2b58f5f5d15f71d4a771b4a82e8a5a66d1752
Opcode Fuzzy Hash: 43a558747d1c2ee681dc8f5b95c07c3af6e9b92d28e4f3c8e645572bf0f688b4
Instruction Fuzzy Hash: 9A71F831A44205BEFB218F24DD49F9ABF64FF05374F248216F5186A1D0C7B1A910FB92

Function 00FC6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00FC6DEB

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FC6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FC6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FC6E94
DestroyWindow.USER32(?), ref: 00FC6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F30000,00000000), ref: 00FC6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FC6EFD
GetDesktopWindow.USER32 ref: 00FC6F16
GetWindowRect.USER32(00000000), ref: 00FC6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FC6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FC6F4D

Part of subcall function 00F49944: GetWindowLongW.USER32(?,000000EB), ref: 00F49952

Strings

0, xrefs: 00FC6D98
tooltips_class32, xrefs: 00FC6E58, 00FC6EDD

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 801f489f7bb0161b933c6e35af0360377dc7ffe417e39a74dcba22fc91282842
Instruction ID: 1ac532e1532bc993db52865d9d0ed51d7e739ddfafeaaee443c12884164b1ae3
Opcode Fuzzy Hash: 801f489f7bb0161b933c6e35af0360377dc7ffe417e39a74dcba22fc91282842
Instruction Fuzzy Hash: C5718870908245AFDB21CF18DA49FAABBE9FF88314F04041EF989C7261D775E906EB15

Function 00FC911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

DragQueryPoint.SHELL32(?,?), ref: 00FC9147

Part of subcall function 00FC7674: ClientToScreen.USER32(?,?), ref: 00FC769A
Part of subcall function 00FC7674: GetWindowRect.USER32(?,?), ref: 00FC7710
Part of subcall function 00FC7674: PtInRect.USER32(?,?,00FC8B89), ref: 00FC7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00FC91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FC91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FC91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FC9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00FC923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FC9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00FC9277
DragFinish.SHELL32(?), ref: 00FC927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FC9371

Strings

@GUI_DRAGID, xrefs: 00FC92E9
@GUI_DRAGFILE, xrefs: 00FC9320
@GUI_DROPID, xrefs: 00FC929E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 8fbd0b3f14f5deb6153dc172c0242e2202049d0c90da3aedc42f3116ca0b279b
Instruction ID: 254f8717566e425b96ba3570ad7bf024f611cacf55ecc7d044f58885e51eeb45
Opcode Fuzzy Hash: 8fbd0b3f14f5deb6153dc172c0242e2202049d0c90da3aedc42f3116ca0b279b
Instruction Fuzzy Hash: 4B616D71108305AFD701DF64DD86EAFBBE8EF88760F00091DF595931A0DBB49A49EB92

Function 00FAC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FAC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FAC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FAC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FAC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FAC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FAC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FAC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FAC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FAC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FAC5F0
InternetCloseHandle.WININET(00000000), ref: 00FAC5FB

Strings

, xrefs: 00FAC575

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4f389247796b208d338d8cb5a91ce61f60fb8aab64bfa0c6a07ec65cf1b21406
Instruction ID: f917366a960b87665276e6bcbc479fd0cdd8e82de3894f9f853ddb018840593b
Opcode Fuzzy Hash: 4f389247796b208d338d8cb5a91ce61f60fb8aab64bfa0c6a07ec65cf1b21406
Instruction Fuzzy Hash: 45513AB1900609BFDB219F64C989AAA7BFCEF09754F044419F94A97610DB34E944ABE0

Function 00FC856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00FC8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FC85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FC85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FC85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FC85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FC85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FC85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FC85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FC85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00FCFC38,?), ref: 00FC8611
GlobalFree.KERNEL32(00000000), ref: 00FC8621
GetObjectW.GDI32(?,00000018,?), ref: 00FC8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FC8671
DeleteObject.GDI32(?), ref: 00FC8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FC86AF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 3e87838f3414c94749df61304f5d79f6060fe3c669c4ea693d5b6d5ae0f2d35c
Instruction ID: bbf36b35a1350d7c7cb4fc6188b693d26294457e46557b364a2204e984bc4f06
Opcode Fuzzy Hash: 3e87838f3414c94749df61304f5d79f6060fe3c669c4ea693d5b6d5ae0f2d35c
Instruction Fuzzy Hash: 5A414C71600209AFDB11CFA5CE4AEAA7BB8FF89761F14405CF909E7260DB709D01EB60

Function 00FA14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FA1502
VariantCopy.OLEAUT32(?,?), ref: 00FA150B
VariantClear.OLEAUT32(?), ref: 00FA1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FA15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00FA1657
VariantInit.OLEAUT32(?), ref: 00FA1708
SysFreeString.OLEAUT32(?), ref: 00FA178C
VariantClear.OLEAUT32(?), ref: 00FA17D8
VariantClear.OLEAUT32(?), ref: 00FA17E7
VariantInit.OLEAUT32(00000000), ref: 00FA1823

Strings

Default, xrefs: 00FA16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00FA1625

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 08175971e3eddb8c40077de06d83599298f636467c970381c103aef223e1d47d
Instruction ID: 6acd70143e4e90f734995a71b2826e453f5a1f2977e7f9b6ca71089110e48e83
Opcode Fuzzy Hash: 08175971e3eddb8c40077de06d83599298f636467c970381c103aef223e1d47d
Instruction Fuzzy Hash: 70D121B2E00505DFDB00DFA5D895B79B7B0BF46710F1A805AE84AAB180DB34DC04FBA1

Function 00FBB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FBB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00FBB80A
RegCloseKey.ADVAPI32(?), ref: 00FBB87E
RegCloseKey.ADVAPI32(?), ref: 00FBB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FBB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FBB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00FBB922
FreeLibrary.KERNEL32(00000000), ref: 00FBB983
RegCloseKey.ADVAPI32(00000000), ref: 00FBB994

Strings

advapi32.dll, xrefs: 00FBB8ED
RegDeleteKeyExW, xrefs: 00FBB8FE

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 5c5784204634ac1aade661c74f33eff46d759cb9faf3be0c6ec681ae171ed315
Instruction ID: af39a60c11e986a985d3903d6effe1b6a1b964355b1b74d5088338a1c740f40c
Opcode Fuzzy Hash: 5c5784204634ac1aade661c74f33eff46d759cb9faf3be0c6ec681ae171ed315
Instruction Fuzzy Hash: 6EC19E35608201AFD710DF15C895F6ABBE1FF84328F14845CE49A8B2A2CBB5EC45EF91

Function 00FB255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FB25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FB25E8
CreateCompatibleDC.GDI32(?), ref: 00FB25F4
SelectObject.GDI32(00000000,?), ref: 00FB2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FB266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FB26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FB26D0
SelectObject.GDI32(?,?), ref: 00FB26D8
DeleteObject.GDI32(?), ref: 00FB26E1
DeleteDC.GDI32(?), ref: 00FB26E8
ReleaseDC.USER32(00000000,?), ref: 00FB26F3

Strings

(, xrefs: 00FB268D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 9b1197c55663269a47f7be80f8a6cec26b9d10553d09f75a69f3c342f242b9d8
Instruction ID: eb68bea57e184fe44dd51f09d2220d1630d1022774bc6c07dec81793a3c52cc9
Opcode Fuzzy Hash: 9b1197c55663269a47f7be80f8a6cec26b9d10553d09f75a69f3c342f242b9d8
Instruction Fuzzy Hash: 696101B5D00219EFCF04CFA9C985EAEBBB6FF48310F248529E959A7250D734A941DF90

Function 00F6DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00F6DAA1

Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D659
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D66B
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D67D
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D68F
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6A1
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6B3
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6C5
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6D7
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6E9
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D6FB
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D70D
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D71F
Part of subcall function 00F6D63C: _free.LIBCMT ref: 00F6D731

_free.LIBCMT ref: 00F6DA96

Part of subcall function 00F629C8: HeapFree.KERNEL32(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F6DAB8
_free.LIBCMT ref: 00F6DACD
_free.LIBCMT ref: 00F6DAD8
_free.LIBCMT ref: 00F6DAFA
_free.LIBCMT ref: 00F6DB0D
_free.LIBCMT ref: 00F6DB1B
_free.LIBCMT ref: 00F6DB26
_free.LIBCMT ref: 00F6DB5E
_free.LIBCMT ref: 00F6DB65
_free.LIBCMT ref: 00F6DB82
_free.LIBCMT ref: 00F6DB9A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 78c0c0fe0a2a59f2e4f4b39e4dd74ce4d560f06dc434dfc6e657a4835ae38283
Instruction ID: 149657d1e4e543c7087c729544c4d2274dfc451570661603e17bf4def5e265cd
Opcode Fuzzy Hash: 78c0c0fe0a2a59f2e4f4b39e4dd74ce4d560f06dc434dfc6e657a4835ae38283
Instruction Fuzzy Hash: F7317831F046049FEB25AA78EC41B6AB7F9FF80360F154529E048D7192DB38AC80FB20

Function 00F9365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F9369C
_wcslen.LIBCMT ref: 00F936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F93797
GetClassNameW.USER32(?,?,00000400), ref: 00F9380C
GetDlgCtrlID.USER32(?), ref: 00F9385D
GetWindowRect.USER32(?,?), ref: 00F93882
GetParent.USER32(?), ref: 00F938A0
ScreenToClient.USER32(00000000), ref: 00F938A7
GetClassNameW.USER32(?,?,00000100), ref: 00F93921
GetWindowTextW.USER32(?,?,00000400), ref: 00F9395D

Strings

%s%u, xrefs: 00F93734

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 350f32c68f281133a9fc180abf8ab1b370edeffdf0b0947acf7958bc67352964
Instruction ID: 4eec8736a8089507d306a7dc9e624f13af24040caa394f733c4756bfdd595125
Opcode Fuzzy Hash: 350f32c68f281133a9fc180abf8ab1b370edeffdf0b0947acf7958bc67352964
Instruction Fuzzy Hash: 5D910671604306AFEB19DF64C885FAAF7A9FF44350F004529F999C2190DB34EA49EBD1

Function 00F94954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00F94994
GetWindowTextW.USER32(?,?,00000400), ref: 00F949DA
_wcslen.LIBCMT ref: 00F949EB
CharUpperBuffW.USER32(?,00000000), ref: 00F949F7
_wcsstr.LIBVCRUNTIME ref: 00F94A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F94A64
GetWindowTextW.USER32(?,?,00000400), ref: 00F94A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F94AE6
GetClassNameW.USER32(?,?,00000400), ref: 00F94B20
GetWindowRect.USER32(?,?), ref: 00F94B8B

Strings

ThumbnailClass, xrefs: 00F94A6F, 00F94AF1

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a2cadb11b4b01b3b6542ec490fc612561f9a86c37a8c721be4e29aa7f47dc50f
Instruction ID: fa9a739ea90c5a9bf6338f18c58e6ce1b5fa3ec96dba76236b3040a5e5ccdead
Opcode Fuzzy Hash: a2cadb11b4b01b3b6542ec490fc612561f9a86c37a8c721be4e29aa7f47dc50f
Instruction Fuzzy Hash: B491B1714082099FEF04CF14C981FAA77E8FF94324F048469FD899A196DB34ED46EBA1

Function 00FC8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FC8D5A
GetFocus.USER32 ref: 00FC8D6A
GetDlgCtrlID.USER32(00000000), ref: 00FC8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00FC8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FC8ECF
GetMenuItemCount.USER32(?), ref: 00FC8EEC
GetMenuItemID.USER32(?,00000000), ref: 00FC8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FC8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FC8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FC8FA1

Strings

0, xrefs: 00FC8E9F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: ea8468c454c7205976338c6da49b7a4d1f550d8607e2f2e134e5403e598de80d
Instruction ID: 1688f9f5b2ab493688f81c2282e83f826ef868f8183ec2340af3dc6f1e2adcca
Opcode Fuzzy Hash: ea8468c454c7205976338c6da49b7a4d1f550d8607e2f2e134e5403e598de80d
Instruction Fuzzy Hash: D681B4719043069FD710CF14CA86FAB7BE9FB883A4F04091DF98597291DB74D906EBA1

Function 00F9DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F9DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F9DC46
_wcslen.LIBCMT ref: 00F9DC50
_wcsstr.LIBVCRUNTIME ref: 00F9DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F9DCBC

Strings

\VarFileInfo\Translation, xrefs: 00F9DCB4
DefaultLangCodepage, xrefs: 00F9DD1F
StringFileInfo\, xrefs: 00F9DC8F
04090000, xrefs: 00F9DCF2
%u.%u.%u.%u, xrefs: 00F9DD9A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: b39c9fedb98e4d9a1dd4df0276adc141d7b2f366d19b6130616cd63ded8a5db9
Instruction ID: 3d206b226d6c0b92e8519774a94a08b770a54ebb44852ffd7f1bceeeeae6d47b
Opcode Fuzzy Hash: b39c9fedb98e4d9a1dd4df0276adc141d7b2f366d19b6130616cd63ded8a5db9
Instruction Fuzzy Hash: A14127329402057AEB14AB74DC07EBF776CDF41761F20006AFE04E6192EB79D905B7A5

Function 00FBCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FBCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FBCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FBCD48

Part of subcall function 00FBCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FBCCAA
Part of subcall function 00FBCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FBCCBD
Part of subcall function 00FBCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FBCCCF
Part of subcall function 00FBCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FBCD05
Part of subcall function 00FBCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FBCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FBCCF3

Strings

advapi32.dll, xrefs: 00FBCCB8
RegDeleteKeyExW, xrefs: 00FBCCC9

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3a6be05363cd40b892ce73a6cce3aede31eeeaf6237daa19828a6d860ae7a155
Instruction ID: c04407a8eb1e671e596d15bc7a804c4a72e70d178c1dc79ace12d29e72ec2033
Opcode Fuzzy Hash: 3a6be05363cd40b892ce73a6cce3aede31eeeaf6237daa19828a6d860ae7a155
Instruction Fuzzy Hash: 49318BB5D0112DBBDB208B52DC89EFFBB7CEF55750F000165E909E3200DA309A45BAE0

Function 00FA3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FA3D40
_wcslen.LIBCMT ref: 00FA3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FA3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FA3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00FA3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FA3E55
CloseHandle.KERNEL32(00000000), ref: 00FA3E60
CloseHandle.KERNEL32(00000000), ref: 00FA3E6B

Strings

:, xrefs: 00FA3D82
\, xrefs: 00FA3D77
\??\%s, xrefs: 00FA3D5B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1f8cf21eb2fdd0d3c2e5b6459728ecd50cb8fc9b451cc6169a34cd7e8b28ca2a
Instruction ID: 31576d08b160e98a608794492a132caece0a75883f14cd6dc2508215c0837392
Opcode Fuzzy Hash: 1f8cf21eb2fdd0d3c2e5b6459728ecd50cb8fc9b451cc6169a34cd7e8b28ca2a
Instruction Fuzzy Hash: D631B2B290020DABDB219BA0DC49FEF37BCEF89750F1041B5FA09D6060EB749744AB64

Function 00F9E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F9E6B4

Part of subcall function 00F4E551: timeGetTime.WINMM(?,?,00F9E6D4), ref: 00F4E555

Sleep.KERNEL32(0000000A), ref: 00F9E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00F9E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F9E727
SetActiveWindow.USER32 ref: 00F9E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F9E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F9E773
Sleep.KERNEL32(000000FA), ref: 00F9E77E
IsWindow.USER32 ref: 00F9E78A
EndDialog.USER32(00000000), ref: 00F9E79B

Strings

BUTTON, xrefs: 00F9E719

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 74ba3da6a1e0c510813eb4462011c95a85e82f0d9c6a35b39c5963b02cf6d0e5
Instruction ID: c0e652ecf492ca2a87b537b8ca042819658ab08003e014bd36af812e150e48ac
Opcode Fuzzy Hash: 74ba3da6a1e0c510813eb4462011c95a85e82f0d9c6a35b39c5963b02cf6d0e5
Instruction Fuzzy Hash: B721C670600208AFFF119F61ED8EF253B69FB58758F080424F55982191DB7AAC50FB56

Function 00F9E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F9EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F9EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F9EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F9EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F9EAA7

Strings

status PlayMe mode, xrefs: 00F9EA58
play PlayMe wait, xrefs: 00F9EA91
open , xrefs: 00F9EA0C
alias PlayMe, xrefs: 00F9EA36
close PlayMe, xrefs: 00F9EA6E, 00F9EA9B
play PlayMe, xrefs: 00F9EAA2

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: f838091cd4ca58ffd68aa3c102fc88985350e031c5218c9dccdee7b7d285a97f
Instruction ID: 0d16d2f6821b76aa03174a0553aff53207717314eb875158d68bb9dfa45ad78c
Opcode Fuzzy Hash: f838091cd4ca58ffd68aa3c102fc88985350e031c5218c9dccdee7b7d285a97f
Instruction Fuzzy Hash: 3B114231A9021D79EB20E761DC4AEFB7A7CEFD1B50F4004297901E20E1DEB45905E6B1

Function 00F99F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F9A012
SetKeyboardState.USER32(?), ref: 00F9A07D
GetAsyncKeyState.USER32(000000A0), ref: 00F9A09D
GetKeyState.USER32(000000A0), ref: 00F9A0B4
GetAsyncKeyState.USER32(000000A1), ref: 00F9A0E3
GetKeyState.USER32(000000A1), ref: 00F9A0F4
GetAsyncKeyState.USER32(00000011), ref: 00F9A120
GetKeyState.USER32(00000011), ref: 00F9A12E
GetAsyncKeyState.USER32(00000012), ref: 00F9A157
GetKeyState.USER32(00000012), ref: 00F9A165
GetAsyncKeyState.USER32(0000005B), ref: 00F9A18E
GetKeyState.USER32(0000005B), ref: 00F9A19C

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4dd174d6e3051018583d459eae3181ac5751eb9e2d57c67e67dc794fdaed1209
Instruction ID: 722a90fc3e3f5705a1ac8274fa2aa14fe1a7c0d73a7a4236c6eb4bd5c822751f
Opcode Fuzzy Hash: 4dd174d6e3051018583d459eae3181ac5751eb9e2d57c67e67dc794fdaed1209
Instruction Fuzzy Hash: D151FB30D0878829FF35DB6489117EAFFB49F11394F08459DD5C2571C2DA949A8CEBE2

Function 00F95CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F95CE2
GetWindowRect.USER32(00000000,?), ref: 00F95CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F95D59
GetDlgItem.USER32(?,00000002), ref: 00F95D69
GetWindowRect.USER32(00000000,?), ref: 00F95D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F95DCF
GetDlgItem.USER32(?,000003E9), ref: 00F95DDD
GetWindowRect.USER32(00000000,?), ref: 00F95DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F95E31
GetDlgItem.USER32(?,000003EA), ref: 00F95E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F95E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00F95E67

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f14ac7661052388b3e2c61a4018b02128c28d633f8629c26d0d508b824478e48
Instruction ID: 77c97003e24e40ea0a6cc76c17049d4f120765b6a5043d0db858789ce951dd90
Opcode Fuzzy Hash: f14ac7661052388b3e2c61a4018b02128c28d633f8629c26d0d508b824478e48
Instruction Fuzzy Hash: BC511FB1E00609AFDF18DF68CE8AEAE7BB5EB48710F108129F519E7290D7709E04DB50

Function 00F48BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F48BE8,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F48FC5

DestroyWindow.USER32(?), ref: 00F48C81
KillTimer.USER32(00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F48D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00F86973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F48BBA,00000000,?), ref: 00F869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F48BBA,00000000), ref: 00F869D4
DeleteObject.GDI32(00000000), ref: 00F869E6

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d60af06578d1413c3beea4aa0c6798d023df6ea3d52a193ccb52717d3a7c6819
Instruction ID: 8b2bec7a2a3d9ecba77412f0685ee46f6885bc830bee73bc0a97ce58cb277266
Opcode Fuzzy Hash: d60af06578d1413c3beea4aa0c6798d023df6ea3d52a193ccb52717d3a7c6819
Instruction Fuzzy Hash: 1061CE31902611DFDB369F14DA89B697BF1FB40362F104518E5829B5A0CB3AE982FF90

Function 00F49838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F49944: GetWindowLongW.USER32(?,000000EB), ref: 00F49952

GetSysColor.USER32(0000000F), ref: 00F49862

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 827ceba26f481ba5122201670c8a62472622292cc01698b3ff839e8707c19894
Instruction ID: e318cc86b52e3b8e0dc3d376120a4fb58b3416926d5fc30b4b06804c795a8eb1
Opcode Fuzzy Hash: 827ceba26f481ba5122201670c8a62472622292cc01698b3ff839e8707c19894
Instruction Fuzzy Hash: FA4193316086449FDB209F3C9C49FBA3B65AB46330F684615FDA68B1E1D771D842FB50

Function 00F996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F99717
LoadStringW.USER32(00000000,?,00F7F7F8,00000001), ref: 00F99720

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F99742
LoadStringW.USER32(00000000,?,00F7F7F8,00000001), ref: 00F99745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F99866

Strings

Line %d:, xrefs: 00F997A0
%s (%d) : ==> %s: %s %s, xrefs: 00F9984A
^ ERROR, xrefs: 00F997FB
Line %d (File "%s"):, xrefs: 00F9978F
Error: , xrefs: 00F9981D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 5eb3bcd8a39cbaae61690e69bdcb45d6b74be6308f93bb52b243a1ba5899db33
Instruction ID: 81b5d27c674b5df8ad07d555ca5ed1410481daf934987e2d2c4f18e9c5e4705b
Opcode Fuzzy Hash: 5eb3bcd8a39cbaae61690e69bdcb45d6b74be6308f93bb52b243a1ba5899db33
Instruction Fuzzy Hash: C8414172804119AADF04FBE4CE46EEE7778AF55350F504029F605B2092EFB95F48EB61

Function 00F906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F90804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F9082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F90837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F9083C

Strings

SOFTWARE\Classes\, xrefs: 00F9070E
\CLSID, xrefs: 00F90724
\IPC$, xrefs: 00F90784

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 36d52a45ca7ec39a08d1b54ceb1ef8f9a659e7d9433dda86edaca25872f79a22
Instruction ID: e2e7311fc196e056edeac4c3c5979f9af5878f0b929ec3d9d5fd3ebb172ac72b
Opcode Fuzzy Hash: 36d52a45ca7ec39a08d1b54ceb1ef8f9a659e7d9433dda86edaca25872f79a22
Instruction Fuzzy Hash: 14411572C1022DAFDF25EBA4DC85CEDB778BF44760F444129E905A31A1EB749E04EBA0

Function 00FC3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FC403B
CreateCompatibleDC.GDI32(00000000), ref: 00FC4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FC4055
SelectObject.GDI32(00000000,00000000), ref: 00FC405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FC4068
DeleteDC.GDI32(00000000), ref: 00FC4072
GetWindowLongW.USER32(?,000000EC), ref: 00FC407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00FC4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00FC409E

Strings

static, xrefs: 00FC3FD3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f2c8bc7df364ea261ef1a776d3d3b87d90a18e10a1b8a34c0a47c91859ef3cb4
Instruction ID: e843e4a6ef1f803dcd292e6e2072158d18896d244257aad96374b06369c69eb9
Opcode Fuzzy Hash: f2c8bc7df364ea261ef1a776d3d3b87d90a18e10a1b8a34c0a47c91859ef3cb4
Instruction Fuzzy Hash: 1631603254121AAFDF219FA4CE46FDA3B68FF0D360F110215FA58E61A0C775D811EB90

Function 00FB3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB3C5C
CoInitialize.OLE32(00000000), ref: 00FB3C8A
CoUninitialize.OLE32 ref: 00FB3C94
_wcslen.LIBCMT ref: 00FB3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00FB3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FB3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FB3F0E
CoGetObject.OLE32(?,00000000,00FCFB98,?), ref: 00FB3F2D
SetErrorMode.KERNEL32(00000000), ref: 00FB3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FB3FC4
VariantClear.OLEAUT32(?), ref: 00FB3FD8

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: a8a848bd030888a968ff1a96b289fee350a62a0f38528c94a69070af192f4e58
Instruction ID: 6b8d1f27818f3c5a2f7047111b86d1f82f512a49871e8fc4a0e99594e8050edf
Opcode Fuzzy Hash: a8a848bd030888a968ff1a96b289fee350a62a0f38528c94a69070af192f4e58
Instruction Fuzzy Hash: 93C16571A083059FC700DF6AC98496BBBE9FF88754F14491DF98A9B250DB30EE05DB92

Function 00FA7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FA7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FA7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00FA7BA3
CoCreateInstance.OLE32(00FCFD08,00000000,00000001,00FF6E6C,?), ref: 00FA7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FA7C74
CoTaskMemFree.OLE32(?,?), ref: 00FA7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00FA7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FA7D7A
CoTaskMemFree.OLE32(00000000), ref: 00FA7D81
CoTaskMemFree.OLE32(00000000), ref: 00FA7DD6
CoUninitialize.OLE32 ref: 00FA7DDC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 2cb36311257c8489b53bdf49d0bca9cd5eef7aba2ccc73dd8b698d82e7c6dfff
Instruction ID: 45b851ece2dabaa4f9660431b8692bbfb352127f642e35c6f91edf2660dc90b5
Opcode Fuzzy Hash: 2cb36311257c8489b53bdf49d0bca9cd5eef7aba2ccc73dd8b698d82e7c6dfff
Instruction Fuzzy Hash: A6C12AB5A04209AFCB14DF64C884DAEBBF9FF49314F148499E81ADB261D730ED45DB90

Function 00FC541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FC5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC5515
CharNextW.USER32(00000158), ref: 00FC5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FC5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FC559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC55AC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a2211eb8d84b397c2f2fc48326b85ea64a963300dbaa9d34a2dd2c8c315a18fb
Instruction ID: 12315f7587b12d2d6a6bdcdf005a06aa7a6685f7133302051bbdbcac9e2f6568
Opcode Fuzzy Hash: a2211eb8d84b397c2f2fc48326b85ea64a963300dbaa9d34a2dd2c8c315a18fb
Instruction Fuzzy Hash: E5618C3190060AABDF10DF54CE86FFE7B79AB05B24F104549F529AB290D774AA80FB60

Function 00F8FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F8FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00F8FB08
VariantInit.OLEAUT32(?), ref: 00F8FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F8FB3A
VariantCopy.OLEAUT32(?,?), ref: 00F8FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F8FBA1
VariantClear.OLEAUT32(?), ref: 00F8FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F8FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F8FBCC
VariantClear.OLEAUT32(?), ref: 00F8FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F8FBE9

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 778c0629e75a9e59f533a16dedd576b1dab48ab3b41209ac9ffd1d17a0837369
Instruction ID: 49f29a5b5c426a335b05a4a283f50cb6861d5fb6bf7db8f0a9a453ec613672cb
Opcode Fuzzy Hash: 778c0629e75a9e59f533a16dedd576b1dab48ab3b41209ac9ffd1d17a0837369
Instruction Fuzzy Hash: D9413E35A002199FCB04EF64CC55DEEBBB9FF48354F008069E95AA7261DB34A949DFA0

Function 00F99C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F99CA1
GetAsyncKeyState.USER32(000000A0), ref: 00F99D22
GetKeyState.USER32(000000A0), ref: 00F99D3D
GetAsyncKeyState.USER32(000000A1), ref: 00F99D57
GetKeyState.USER32(000000A1), ref: 00F99D6C
GetAsyncKeyState.USER32(00000011), ref: 00F99D84
GetKeyState.USER32(00000011), ref: 00F99D96
GetAsyncKeyState.USER32(00000012), ref: 00F99DAE
GetKeyState.USER32(00000012), ref: 00F99DC0
GetAsyncKeyState.USER32(0000005B), ref: 00F99DD8
GetKeyState.USER32(0000005B), ref: 00F99DEA

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 70262764f96fb4e6db3467ff1b609c9f216945bcb30152afe092db66e2b2a953
Instruction ID: 28dfbae6ecd68f4c5b64f4fdcb2206f03fd6a22bd98bdd821e419fce05e7bf42
Opcode Fuzzy Hash: 70262764f96fb4e6db3467ff1b609c9f216945bcb30152afe092db66e2b2a953
Instruction Fuzzy Hash: 4241FB30D0C7CA69FF31976889443B5BEA06F12364F09405EC9C6575C1EBE559C8EBA2

Function 00FB055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FB05BC
inet_addr.WSOCK32(?), ref: 00FB061C
gethostbyname.WSOCK32(?), ref: 00FB0628
IcmpCreateFile.IPHLPAPI ref: 00FB0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FB06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FB06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00FB07B9
WSACleanup.WSOCK32 ref: 00FB07BF

Strings

Ping, xrefs: 00FB0676

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fd3f3fcd6db7b52ef5ed1801b990ef36e8401ff976a607bf9342b1ff9ca9e332
Instruction ID: 049ea33b6bbbc06ecf263832ea710dacdae9f9177335b61f5eb384826478eac4
Opcode Fuzzy Hash: fd3f3fcd6db7b52ef5ed1801b990ef36e8401ff976a607bf9342b1ff9ca9e332
Instruction Fuzzy Hash: 539190359042019FD720DF16C989F5BBBE0EF44328F1885A9F4698B6A2CB34EC45EF91

Function 00FB8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00FB8CF3

Part of subcall function 00F98E54: _wcslen.LIBCMT ref: 00F98E77

_wcslen.LIBCMT ref: 00FB8D4E
_wcslen.LIBCMT ref: 00FB8D9C
_wcslen.LIBCMT ref: 00FB8DDC
_wcslen.LIBCMT ref: 00FB8E6E

Strings

winapi, xrefs: 00FB8D96, 00FB8D9B
stdcall, xrefs: 00FB8DD6, 00FB8DDB
none, xrefs: 00FB8E65, 00FB8E6A
cdecl, xrefs: 00FB8D48, 00FB8D4D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 9fbd70ee54cc8b8a5b4103ae8e829ec7aa7382f93b2d11c43d96368431e75ee5
Instruction ID: 1e7d594a5d76813f62bd2c5120aa038ab9ce5733999bae18bdb0cbe033a58d9d
Opcode Fuzzy Hash: 9fbd70ee54cc8b8a5b4103ae8e829ec7aa7382f93b2d11c43d96368431e75ee5
Instruction Fuzzy Hash: AB51B431A041169BCB14DFA9C9419FEB7A9BFA4364B204229E916E7284DF34DD42EB90

Function 00FB372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00FB3774
CoUninitialize.OLE32 ref: 00FB377F
CoCreateInstance.OLE32(?,00000000,00000017,00FCFB78,?), ref: 00FB37D9
IIDFromString.OLE32(?,?), ref: 00FB384C
VariantInit.OLEAUT32(?), ref: 00FB38E4
VariantClear.OLEAUT32(?), ref: 00FB3936

Strings

Invalid parameter, xrefs: 00FB3865
Failed to create object, xrefs: 00FB37E4, 00FB389A
NULL Pointer assignment, xrefs: 00FB381E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: befa0de3a7d5d0248a58a822fd10e4bca1516988b846c3d81fccc0a92f6bb5de
Instruction ID: 71203e1948a633ae1b964c811771d907e82e5d04f393c8e22586653aaeb84f1a
Opcode Fuzzy Hash: befa0de3a7d5d0248a58a822fd10e4bca1516988b846c3d81fccc0a92f6bb5de
Instruction Fuzzy Hash: 3B61A072648301AFD710DF55C889FAABBE8EF44710F104809F98597291DB74EE48EF92

Function 00FA3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FA33CF

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FA33F0

Strings

Incorrect parameters to object property !, xrefs: 00FA34AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00FA3504
^ ERROR , xrefs: 00FA349E
"%s" (%d) : ==> %s:, xrefs: 00FA3522
Line %d (File "%s"):, xrefs: 00FA3443, 00FA345C
Error: , xrefs: 00FA34D1

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3db9bf5284ec299a4178235bdbf994389a53bf5aef737b1c5997afea289b71f1
Instruction ID: abc96c998d0a60460aa83cef109a2984c73a7ead069de1c2744ce0c9ab345738
Opcode Fuzzy Hash: 3db9bf5284ec299a4178235bdbf994389a53bf5aef737b1c5997afea289b71f1
Instruction Fuzzy Hash: 6A51AF72C0420AAADF15EBA0CD42EEEB778EF04350F148065F505B2062EB796F58FB61

Function 00F9B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F9B5FC
_wcslen.LIBCMT ref: 00F9B608
_wcslen.LIBCMT ref: 00F9B64D
_wcslen.LIBCMT ref: 00F9B68C
_wcslen.LIBCMT ref: 00F9B6C7

Strings

KEYS, xrefs: 00F9B647, 00F9B64C
APPEND, xrefs: 00F9B6C1, 00F9B6C6
REMOVE, xrefs: 00F9B602, 00F9B607
EXISTS, xrefs: 00F9B686, 00F9B68B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 15c678affaf7e9dd1d3683b260248f96aa16453c259ec714e60f54862508eaf0
Instruction ID: 07a26ffc8577a8d7c52217ee75912d7809c62f8561b482f97eae0f952e396c99
Opcode Fuzzy Hash: 15c678affaf7e9dd1d3683b260248f96aa16453c259ec714e60f54862508eaf0
Instruction Fuzzy Hash: 74412933E0002A9BDF206F7DDE905BE77A5AFA0774B244269E521D7280E735EC81E790

Function 00FA5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FA5416
GetLastError.KERNEL32 ref: 00FA5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00FA54A7

Strings

INVALID, xrefs: 00FA5459
UNKNOWN, xrefs: 00FA5444
NOTREADY, xrefs: 00FA544B
READY, xrefs: 00FA5460, 00FA5468
READONLY, xrefs: 00FA5452

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: bb3865c5d1271ec33d5025df8f147470122dbe883347dfcd756c25e93168de0e
Instruction ID: 48f67fac31e8f2fd4aca3afd361f8e45e7e3de4b273941e06446c0127d511585
Opcode Fuzzy Hash: bb3865c5d1271ec33d5025df8f147470122dbe883347dfcd756c25e93168de0e
Instruction Fuzzy Hash: E231F6B5E006089FC710DF68C894FAD7BB4EF4A715F188055E905CB262DB75ED82EB90

Function 00FC3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00FC3C79
SetMenu.USER32(?,00000000), ref: 00FC3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC3D10
IsMenu.USER32(?), ref: 00FC3D24
CreatePopupMenu.USER32 ref: 00FC3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FC3D5B
DrawMenuBar.USER32 ref: 00FC3D63

Strings

0, xrefs: 00FC3C54
F, xrefs: 00FC3D4E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d684f56ae8d796371fa051afbd8c64b1041bd40fc93df12d7311be71491d5b1a
Instruction ID: 6ff02fe79cb447c9b7e60be39fb78189235908ce49de8dd603f53e31d95b2ae6
Opcode Fuzzy Hash: d684f56ae8d796371fa051afbd8c64b1041bd40fc93df12d7311be71491d5b1a
Instruction Fuzzy Hash: 2F416B75A0120AAFDB14CF64D945FAA7BB5FF49350F14442CF946A7350D731AA10EF90

Function 00F91EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00F91F64
GetDlgCtrlID.USER32 ref: 00F91F6F
GetParent.USER32 ref: 00F91F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F91F8E
GetDlgCtrlID.USER32(?), ref: 00F91F97
GetParent.USER32(?), ref: 00F91FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F91FAE

Strings

ListBox, xrefs: 00F91F21
ComboBox, xrefs: 00F91EEC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 7b8f06b1f26041458dd8ec0875ed9102810f30b0ae6b9414a3e47052a5eae302
Instruction ID: 16432aff97d5b140d1b1fb6071863736ba5e691a06ad26cc1183d4a399ab4ccf
Opcode Fuzzy Hash: 7b8f06b1f26041458dd8ec0875ed9102810f30b0ae6b9414a3e47052a5eae302
Instruction Fuzzy Hash: 0421A171900118ABDF05AFA0DD45DEEBBA4AF05354F000115F959A72A1CBB95908FB60

Function 00F91FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00F92043
GetDlgCtrlID.USER32 ref: 00F9204E
GetParent.USER32 ref: 00F9206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F9206D
GetDlgCtrlID.USER32(?), ref: 00F92076
GetParent.USER32(?), ref: 00F9208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F9208D

Strings

ListBox, xrefs: 00F92002
ComboBox, xrefs: 00F91FCD

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 274e2ea72996d73d00af598608b44fc35f602e0950107b456470d65a4b5ae87e
Instruction ID: cc254eb822844e6668c6ebd7ace859d9749f7d0c9121d1d0cdf3aa23bb4b8907
Opcode Fuzzy Hash: 274e2ea72996d73d00af598608b44fc35f602e0950107b456470d65a4b5ae87e
Instruction Fuzzy Hash: 8521C675D00218BBDF10AFA0DD85EFEBBB8EF05350F004015FA59A72A1DAB98915FB60

Function 00FC3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FC3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FC3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00FC3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FC3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FC3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FC3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FC3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FC3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FC3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FC3C13

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5ac84ca32a61a6abc052ab2544124e4ebd15d4fbae1892689e0a7b84d14b3f3e
Instruction ID: 562e3ed2c662157bec28f26f5ffd456e94c87504aeea7e43eb0124f541e90559
Opcode Fuzzy Hash: 5ac84ca32a61a6abc052ab2544124e4ebd15d4fbae1892689e0a7b84d14b3f3e
Instruction Fuzzy Hash: 82618A75900209AFDB21DFA8CD82FEE77F8EB49310F104099FA15A7291C774AE41EB60

Function 00F9B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F9B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B165
GetWindowThreadProcessId.USER32(00000000), ref: 00F9B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F9B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00F9A1E1,?,00000001), ref: 00F9B21D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ced843a24019cee4a9af76562f8f2b805da9b8b9515d148408b338a8acd65a5d
Instruction ID: 443fe473f319dad72ee74a8c4a2b268f7df20070dab4c1542467327f6268bd77
Opcode Fuzzy Hash: ced843a24019cee4a9af76562f8f2b805da9b8b9515d148408b338a8acd65a5d
Instruction Fuzzy Hash: C5318E71900208AFEF27DF25EE59F6D7BA9FB51321F104005FA49DB180D7B9A941AF60

Function 00F62C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F62C94

Part of subcall function 00F629C8: HeapFree.KERNEL32(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F62CA0
_free.LIBCMT ref: 00F62CAB
_free.LIBCMT ref: 00F62CB6
_free.LIBCMT ref: 00F62CC1
_free.LIBCMT ref: 00F62CCC
_free.LIBCMT ref: 00F62CD7
_free.LIBCMT ref: 00F62CE2
_free.LIBCMT ref: 00F62CED
_free.LIBCMT ref: 00F62CFB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fff07eedab689fd0cc18de3ad0e1491b5924cd43b6e445a17670f7b9e4301654
Instruction ID: f4c6f0741a3caaf91430f43c648b3d966ee635c43ef3545d57da6ec4f3d05347
Opcode Fuzzy Hash: fff07eedab689fd0cc18de3ad0e1491b5924cd43b6e445a17670f7b9e4301654
Instruction Fuzzy Hash: CA119376600508AFCB86EF58DC82CDD3BB5FF45390F4144A5FA489B222DA35EA50BB90

Function 00F31410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F31459
OleUninitialize.OLE32(?,00000000), ref: 00F314F8
UnregisterHotKey.USER32(?), ref: 00F316DD
DestroyWindow.USER32(?), ref: 00F724B9
FreeLibrary.KERNEL32(?), ref: 00F7251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F7254B

Strings

close all, xrefs: 00F31454

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f217a458d0bca2aec339a5c9d93f6ed6d4567fd9e3f6330994376f2977ac3ee5
Instruction ID: 98cc149dda759772c176dfb8e06b24e6958e4f2fda640995b777aea3469ffa16
Opcode Fuzzy Hash: f217a458d0bca2aec339a5c9d93f6ed6d4567fd9e3f6330994376f2977ac3ee5
Instruction Fuzzy Hash: F4D15D31B01212CFCB19EF15C995B29F7A4BF05720F1482AEE44E6B252DB31AD16EF91

Function 00FA7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FA7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA7FC1
GetFileAttributesW.KERNEL32(?), ref: 00FA7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FA8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00FA8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FA80B0

Strings

*.*, xrefs: 00FA8066

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 87a11d616ef409676957c124201c1c7117acc867b9fcaf7292f16c363aa5c555
Instruction ID: 4a9232e54d78c92b1787c806c9f0d3bd0253001d78927372218881dfb484f70d
Opcode Fuzzy Hash: 87a11d616ef409676957c124201c1c7117acc867b9fcaf7292f16c363aa5c555
Instruction Fuzzy Hash: 8C81B6B29083459BCB24EF14CC84E6AB3E8BF86360F144C5EF885D7250DB75DD45AB92

Function 00F35BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F35C7A

Part of subcall function 00F35D0A: GetClientRect.USER32(?,?), ref: 00F35D30
Part of subcall function 00F35D0A: GetWindowRect.USER32(?,?), ref: 00F35D71
Part of subcall function 00F35D0A: ScreenToClient.USER32(?,?), ref: 00F35D99

GetDC.USER32 ref: 00F746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F74708
SelectObject.GDI32(00000000,00000000), ref: 00F74716
SelectObject.GDI32(00000000,00000000), ref: 00F7472B
ReleaseDC.USER32(?,00000000), ref: 00F74733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F747C4

Strings

U, xrefs: 00F74693

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9b21069ce189c107668efe47718cd70e7c7972419e81fc03463c65be25d90e6f
Instruction ID: 1bb59ce9ead5bb54b22e4679ee97f02ac37ca840790558e85ab75d0b45f876e2
Opcode Fuzzy Hash: 9b21069ce189c107668efe47718cd70e7c7972419e81fc03463c65be25d90e6f
Instruction Fuzzy Hash: 1671E331800205DFCF268F64C985AB97BB5FF4A374F14822AED595A166C335A842FF52

Function 00FA359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00FA35E4

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

LoadStringW.USER32(01002390,?,00000FFF,?), ref: 00FA360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00FA3724
"%s" (%d) : ==> %s:, xrefs: 00FA3742
^ ERROR, xrefs: 00FA36C9
Line %d (File "%s"):, xrefs: 00FA366B
Error: , xrefs: 00FA36EF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 51c99bd79b5922a0b19f7ffa0352812e3c8ca2c27c78610fac24b7f9f8e9a639
Instruction ID: 6e0e56901b1e43a64bbaa6e88a36b814de6e3df7cea12e50b2aa92a2c6b34d09
Opcode Fuzzy Hash: 51c99bd79b5922a0b19f7ffa0352812e3c8ca2c27c78610fac24b7f9f8e9a639
Instruction Fuzzy Hash: 12517FB1C0421ABADF15EBA0CC42EEDBB38EF05310F144125F505721A1EB795B99EFA1

Function 00FC8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

Part of subcall function 00F4912D: GetCursorPos.USER32(?), ref: 00F49141
Part of subcall function 00F4912D: ScreenToClient.USER32(00000000,?), ref: 00F4915E
Part of subcall function 00F4912D: GetAsyncKeyState.USER32(00000001), ref: 00F49183
Part of subcall function 00F4912D: GetAsyncKeyState.USER32(00000002), ref: 00F4919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00FC8B6B
ImageList_EndDrag.COMCTL32 ref: 00FC8B71
ReleaseCapture.USER32 ref: 00FC8B77
SetWindowTextW.USER32(?,00000000), ref: 00FC8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FC8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00FC8CFF

Strings

@GUI_DRAGFILE, xrefs: 00FC8C9A
@GUI_DROPID, xrefs: 00FC8C51

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: eb8a851d3daae62b0804f41618b7bb7544d6738da20b23c9fe42b895909d6bc3
Instruction ID: 7d66e2a31d2740a6366f810cb8635168879d70ea59e9ec962af813ef42948b58
Opcode Fuzzy Hash: eb8a851d3daae62b0804f41618b7bb7544d6738da20b23c9fe42b895909d6bc3
Instruction Fuzzy Hash: F651AE71508305AFD710EF24CD96FAA77E4FB88760F00061DF996A72E1CB759904EBA2

Function 00FAC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FAC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FAC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FAC2CA
GetLastError.KERNEL32 ref: 00FAC322
SetEvent.KERNEL32(?), ref: 00FAC336
InternetCloseHandle.WININET(00000000), ref: 00FAC341

Strings

, xrefs: 00FAC2BB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 00222de189e2b816f14e23de31e6652af7be13e2aedf4931ebb30c30315c2930
Instruction ID: f212d4c8f5f657b54561bae51e2178dd62098b8ebbeb9eafaf745ceb07e03215
Opcode Fuzzy Hash: 00222de189e2b816f14e23de31e6652af7be13e2aedf4931ebb30c30315c2930
Instruction Fuzzy Hash: F2313CB1900708AFDB219F649D89AAB7AECEF4A754B14851AE44AD3200DB34D905ABE1

Function 00F9989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F73AAF,?,?,Bad directive syntax error,00FCCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F998BC
LoadStringW.USER32(00000000,?,00F73AAF,?), ref: 00F998C3

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F99987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00F998F1
Line %d:, xrefs: 00F99912
., xrefs: 00F9996D
Error: , xrefs: 00F99955
Line %d (File "%s"):, xrefs: 00F9992D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b8cdc8a700ec38246cb773ca7b7fcd75961c2627a0dae64ef504ff4b6989699b
Instruction ID: 480f5deb6655b149ee8326a176b243bccef97857bde37e65dd447420bab6984c
Opcode Fuzzy Hash: b8cdc8a700ec38246cb773ca7b7fcd75961c2627a0dae64ef504ff4b6989699b
Instruction Fuzzy Hash: 25217E3284421EABDF15EF90CC06EEE7775FF18710F044419F619660A2EBB99618FB51

Function 00F9209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00F920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F9214D

Strings

list, xrefs: 00F9212F
SHELLDLL_DefView, xrefs: 00F920CC
smallicons, xrefs: 00F92115
largeicons, xrefs: 00F920E1
details, xrefs: 00F920FB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 9ef880bb506e650a2689cccfb7f93859b9148fb661d004e7b1cb0724a8a2d801
Instruction ID: 8620007239390e547cb34bb8bc4017937f3e3a070a92d0bf2b03d9565582689e
Opcode Fuzzy Hash: 9ef880bb506e650a2689cccfb7f93859b9148fb661d004e7b1cb0724a8a2d801
Instruction Fuzzy Hash: C6112C7768870ABAFE412620DC07DF6379CCF04725F200016FB08A50F1FE65A8957654

Function 00F68D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbbfc3ee2fbf46e8f2ea3fd00cc842ebea1264cd3dd59781647abf3e0f80705
Instruction ID: e935344005c3f2e9405047e801188d56d7b8a4183ce383118d470873bd3706fa
Opcode Fuzzy Hash: 4cbbfc3ee2fbf46e8f2ea3fd00cc842ebea1264cd3dd59781647abf3e0f80705
Instruction Fuzzy Hash: 3CC12475D08249AFCF11DFA8C841BADBBB4EF09360F044199F915A7392CB758946EB60

Function 00F6CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00F6CEB7
_free.LIBCMT ref: 00F6CF22
_free.LIBCMT ref: 00F6CF48
_free.LIBCMT ref: 00F6CF71
_free.LIBCMT ref: 00F6CFA9
_free.LIBCMT ref: 00F6CFDA
_free.LIBCMT ref: 00F6D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00F6D09C
_free.LIBCMT ref: 00F6D0B5

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 1f91536b9fadee9a954d6b27211a667c8ea56d252377a6a2413d2522efba2367
Instruction ID: 8b097932f773483763a6a941e9d9163f722cabdda4b0d3cb024eeb82f30e4dd4
Opcode Fuzzy Hash: 1f91536b9fadee9a954d6b27211a667c8ea56d252377a6a2413d2522efba2367
Instruction Fuzzy Hash: 71611471E04201AFDB25AFB49C81B7E7BA5AF05360F04416EF9C597286DB3A9901B7F0

Function 00FC50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FC5186
ShowWindow.USER32(?,00000000), ref: 00FC51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00FC51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FC51D1

Part of subcall function 00FC6FBA: DeleteObject.GDI32(00000000), ref: 00FC6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00FC520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FC521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FC524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FC5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FC5296

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: de6fce36560383631556a80dde7c62efd7c4b849d4d2720910e98973b9df669f
Instruction ID: 69b27162bb7fadfa40e1169b71e1c7a93656fe00b9e9c27203b0018bb28b23a5
Opcode Fuzzy Hash: de6fce36560383631556a80dde7c62efd7c4b849d4d2720910e98973b9df669f
Instruction Fuzzy Hash: 97519E30E40A0ABEEB209F24CE4BFD93BA5EB05B24F584009F519962E1C375B9C0FB40

Function 00F48B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F86890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F48874,00000000,00000000,00000000,000000FF,00000000), ref: 00F86901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F8691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F48874,00000000,00000000,00000000,000000FF,00000000), ref: 00F8692D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a91ba30bdeef007cbd74a9d76a10ac04f58d78544bd00eeea10bf5bdaaeef7dc
Instruction ID: bf2628e696e8e071abaa49ecee489cc53f579910cff3b8689a848d4febb3d969
Opcode Fuzzy Hash: a91ba30bdeef007cbd74a9d76a10ac04f58d78544bd00eeea10bf5bdaaeef7dc
Instruction Fuzzy Hash: BC515970A00209EFDB20DF24CD46FAA7BB5EF88760F104518F95AD72A0DB75E991EB50

Function 00FAC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FAC182
GetLastError.KERNEL32 ref: 00FAC195
SetEvent.KERNEL32(?), ref: 00FAC1A9

Part of subcall function 00FAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FAC272
Part of subcall function 00FAC253: GetLastError.KERNEL32 ref: 00FAC322
Part of subcall function 00FAC253: SetEvent.KERNEL32(?), ref: 00FAC336
Part of subcall function 00FAC253: InternetCloseHandle.WININET(00000000), ref: 00FAC341

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: e4ba750544614502097c1c7d6ea8f41dcbd64d00c53f0cbe6a37bf2a70831f24
Instruction ID: fef2b9b27d6cb90788aa66820ddd76754683bf261d03f1c927f879a7a0c5b3ef
Opcode Fuzzy Hash: e4ba750544614502097c1c7d6ea8f41dcbd64d00c53f0cbe6a37bf2a70831f24
Instruction Fuzzy Hash: 42319EB1600609AFDB219FA5DE44BA6BBF8FF5A310B04441EF95A83610D731E814FBE0

Function 00F925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F93A57
Part of subcall function 00F93A3D: GetCurrentThreadId.KERNEL32 ref: 00F93A5E
Part of subcall function 00F93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F925B3), ref: 00F93A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F92601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F92605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F9260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F92623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F92627

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d405738c91864bc60abce1fe172088f1197b9e11d18e9f6b71cb0829ecda509e
Instruction ID: 06e3e566138b5313533b337b893cf5c0ee6e0568f8dde6f5255fa5047e2e5b9b
Opcode Fuzzy Hash: d405738c91864bc60abce1fe172088f1197b9e11d18e9f6b71cb0829ecda509e
Instruction Fuzzy Hash: 2F01D431790214BBFB20676A9C8BF593F59DB4EB12F110001F31CAF1D2C9F22444AAA9

Function 00F91803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F91449,?,?,00000000), ref: 00F9180C
HeapAlloc.KERNEL32(00000000,?,00F91449,?,?,00000000), ref: 00F91813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F91449,?,?,00000000), ref: 00F91828
GetCurrentProcess.KERNEL32(?,00000000,?,00F91449,?,?,00000000), ref: 00F91830
DuplicateHandle.KERNEL32(00000000,?,00F91449,?,?,00000000), ref: 00F91833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F91449,?,?,00000000), ref: 00F91843
GetCurrentProcess.KERNEL32(00F91449,00000000,?,00F91449,?,?,00000000), ref: 00F9184B
DuplicateHandle.KERNEL32(00000000,?,00F91449,?,?,00000000), ref: 00F9184E
CreateThread.KERNEL32(00000000,00000000,00F91874,00000000,00000000,00000000), ref: 00F91868

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a6ff852a584debf8b280a1b93f07f61544b7bf7f27ea8643a0dac64e7113351d
Instruction ID: ce7ccccbcb21f1b545234fb10912bfb16a0afcd3dacd343759382562c9b13e96
Opcode Fuzzy Hash: a6ff852a584debf8b280a1b93f07f61544b7bf7f27ea8643a0dac64e7113351d
Instruction Fuzzy Hash: 6F01BFB5240348BFE710AB66DD4EF5B3B6CEB89B11F044411FA05DB192C6759800DB60

Function 00FBA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00F9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F9D501
Part of subcall function 00F9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F9D50F
Part of subcall function 00F9D4DC: CloseHandle.KERNEL32(00000000), ref: 00F9D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FBA16D
GetLastError.KERNEL32 ref: 00FBA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FBA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FBA268
GetLastError.KERNEL32(00000000), ref: 00FBA273
CloseHandle.KERNEL32(00000000), ref: 00FBA2C4

Strings

SeDebugPrivilege, xrefs: 00FBA18F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 52dd98e2366e14d98656f295b29992a76f235aba22db7b672c65af3d784cdeb5
Instruction ID: b02c4c8c95f4d0adeb9e1e462024e4247f1767a7260c913005f0d4fb3ff40372
Opcode Fuzzy Hash: 52dd98e2366e14d98656f295b29992a76f235aba22db7b672c65af3d784cdeb5
Instruction Fuzzy Hash: 6161A131604242AFD720DF19C895F55BBE1AF44328F18849CE46A8BBA3C776EC45DF92

Function 00FC3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FC3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FC393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FC3954
_wcslen.LIBCMT ref: 00FC3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FC39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FC39F4

Strings

SysListView32, xrefs: 00FC38F7

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: ca6821758417711b6c212ccd6d7bb882c89e7925af8ec79f129cdee58856442a
Instruction ID: c2a334c588cc688ca19bf515879d58de15a9fa5e02615b43b4cb603e3b3e8ff7
Opcode Fuzzy Hash: ca6821758417711b6c212ccd6d7bb882c89e7925af8ec79f129cdee58856442a
Instruction Fuzzy Hash: D541C871D00219ABDF219F64CD46FEA77A9EF08390F104529F548E71C1D775DA44EB90

Function 00F9BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F9BCFD
IsMenu.USER32(00000000), ref: 00F9BD1D
CreatePopupMenu.USER32 ref: 00F9BD53
GetMenuItemCount.USER32(01506F50), ref: 00F9BDA4
InsertMenuItemW.USER32(01506F50,?,00000001,00000030), ref: 00F9BDCC

Strings

0, xrefs: 00F9BCA8
2, xrefs: 00F9BD37

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: cba4152e251c85fdccad1f063f6a823e8c4f63a883ce65b0e481dcce89cf3f9e
Instruction ID: 0e61719ab0a0819842d873e2f3b089500d1b598d690836901d0e568f4a3cf600
Opcode Fuzzy Hash: cba4152e251c85fdccad1f063f6a823e8c4f63a883ce65b0e481dcce89cf3f9e
Instruction Fuzzy Hash: 2C51D170A00209DBFF11CFA9EA88BAEBBF4FF45324F14411AE405D7290D7749941EB91

Function 00F9C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F9C913

Strings

warning, xrefs: 00F9C8FC
info, xrefs: 00F9C8B4
blank, xrefs: 00F9C895
stop, xrefs: 00F9C8E4
question, xrefs: 00F9C8CC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d418944562558cc12c77e9038faa1a4574b3bf4dd51b8a84a5ff8c6afae70c38
Instruction ID: 827c8d7fe599e0b04276fd26ba134b590669fcabfa8be543fef3a14bcc821457
Opcode Fuzzy Hash: d418944562558cc12c77e9038faa1a4574b3bf4dd51b8a84a5ff8c6afae70c38
Instruction Fuzzy Hash: 59110033A8930ABAFF056B549C83DAA7B9CDF15769B10002AF604E6192DB74AD4073E5

Function 00F9DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F9DE42
gethostname.WSOCK32(?,00000100), ref: 00F9DE5C
gethostbyname.WSOCK32(?), ref: 00F9DE69
inet_ntoa.WSOCK32(?), ref: 00F9DEAB
_strcat.LIBCMT ref: 00F9DEB9
WSACleanup.WSOCK32 ref: 00F9DEDE

Strings

0.0.0.0, xrefs: 00F9DE87

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 5d951785da9e945d2c613b210fd0f72517614505914af14dbd7ff9253e35f9f8
Instruction ID: d34fa532e441afb71486a62143c4ec39690239e0a56ebedc6d9167006e734e9e
Opcode Fuzzy Hash: 5d951785da9e945d2c613b210fd0f72517614505914af14dbd7ff9253e35f9f8
Instruction Fuzzy Hash: C4113671800109ABDF24BB60DC0BEEF37ACDF10721F110169F50997091EF749A84BAA0

Function 00FC9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

GetSystemMetrics.USER32(0000000F), ref: 00FC9FC7
GetSystemMetrics.USER32(0000000F), ref: 00FC9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FCA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FCA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FCA263
ShowWindow.USER32(00000003,00000000), ref: 00FCA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00FCA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00FCA2CA

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 2250253d1c9a48122588d45a3b68065c547de42a8309606f4f45c951ed6070d0
Instruction ID: b95d9992a7af05c5c9bf19249d8373164f30a590ddd25711211953105fffbd25
Opcode Fuzzy Hash: 2250253d1c9a48122588d45a3b68065c547de42a8309606f4f45c951ed6070d0
Instruction Fuzzy Hash: 68B19E31A0021ADFDF14CF68CA86BEE7BB2FF44715F088069ED499B295D731A940EB51

Function 00F9ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F9ED2A
_wcslen.LIBCMT ref: 00F9ED3B
_wcslen.LIBCMT ref: 00F9ED79
_wcslen.LIBCMT ref: 00F9EDAF
_wcslen.LIBCMT ref: 00F9EDDF
_wcslen.LIBCMT ref: 00F9EDEF
_wcslen.LIBCMT ref: 00F9EE2B
_wcslen.LIBCMT ref: 00F9EE5A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a0f7e5e9f7d4d00d0b9771717efb8663b4049cd28b6b057da1f1a6c38c6e415c
Instruction ID: 39171252ec8f187d48992d126f802ad34ea456cae342bf39270cdf8da945fd72
Opcode Fuzzy Hash: a0f7e5e9f7d4d00d0b9771717efb8663b4049cd28b6b057da1f1a6c38c6e415c
Instruction Fuzzy Hash: A941B265C1021875DF11EBF48C8A9CFB7B8EF45311F508466EA18E3122FB38E249D3A5

Function 00F4F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F8682C,00000004,00000000,00000000), ref: 00F4F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F8682C,00000004,00000000,00000000), ref: 00F8F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F8682C,00000004,00000000,00000000), ref: 00F8F454

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9f5879152cbc8def2c1f381583e326fe8b8e33b348c3d081815a108475b151f5
Instruction ID: ff0cd6909c41fd8ee0396dabbab53e08f7effb3d49b604922d9575ab560d859b
Opcode Fuzzy Hash: 9f5879152cbc8def2c1f381583e326fe8b8e33b348c3d081815a108475b151f5
Instruction Fuzzy Hash: 9E413B31A18640BED7399F28CD88B6A7F91AF56320F14443DE88F53660C732A888FB51

Function 00FC2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FC2D1B
GetDC.USER32(00000000), ref: 00FC2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FC2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00FC2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FC2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FC2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FC5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00FC2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FC2DE1

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5b3de7f600d99fa2f699bbd0c12e164d7ad65a2bc6f29f56a1086ddbb73076cf
Instruction ID: 1df263becc5009b442f24b95207ba55718f795c6955a319820b7bee4ee98c451
Opcode Fuzzy Hash: 5b3de7f600d99fa2f699bbd0c12e164d7ad65a2bc6f29f56a1086ddbb73076cf
Instruction Fuzzy Hash: 3B318B72201214BFEB118F548E8AFEB3BA9EF59721F084055FE099B291C6759C41DBA0

Function 00F95622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F95637
_memcmp.LIBVCRUNTIME ref: 00F95659
_memcmp.LIBVCRUNTIME ref: 00F95671
_memcmp.LIBVCRUNTIME ref: 00F95684
_memcmp.LIBVCRUNTIME ref: 00F9569E
_memcmp.LIBVCRUNTIME ref: 00F956B1
_memcmp.LIBVCRUNTIME ref: 00F956C9
_memcmp.LIBVCRUNTIME ref: 00F956E4

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0f07bcf1d6cb21f5e8eab80baf54bbc3e85b81d8f5ba53ac9ee75cfb7d3ecc93
Instruction ID: 83d55d4e5326150de52a84ca164190786bada12305a5a498d99994093df9cc15
Opcode Fuzzy Hash: 0f07bcf1d6cb21f5e8eab80baf54bbc3e85b81d8f5ba53ac9ee75cfb7d3ecc93
Instruction Fuzzy Hash: 52213A62F4090A77FA159D208E93FBA734DBF51B91F400024FE049A541F724FE18B7A6

Function 00FB4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00FB5007
NULL Pointer assignment, xrefs: 00FB502E, 00FB5383

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 674fc325f8e5cc883e25b5830a3b5e3f0b44ec3443e7b9095c67cfebb3086501
Instruction ID: e67c65d8a13b8ca435ddd919b18ac7848cb12bfe9e7744cc8c47259162e6f17b
Opcode Fuzzy Hash: 674fc325f8e5cc883e25b5830a3b5e3f0b44ec3443e7b9095c67cfebb3086501
Instruction Fuzzy Hash: 1BD1EC71A0060AAFDF10DFA9C880BEEB7B5BF48754F148069E915AB280E774DD45DFA0

Function 00F71522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F71651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F717FB,?,00F717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F716FB

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F71777
__freea.LIBCMT ref: 00F717A2
__freea.LIBCMT ref: 00F717AE

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9fb93cf540668aa19f5110a743e8f913f88fe02be32ba3005e4d76b080ecde18
Instruction ID: c355d6a0854e5fef48adfa5a83f3fd6fa7b75be8c114fd17bc4825693d8c5b1b
Opcode Fuzzy Hash: 9fb93cf540668aa19f5110a743e8f913f88fe02be32ba3005e4d76b080ecde18
Instruction Fuzzy Hash: 2C91E972E002165ADF288E7CCC41EEE7BB5BF45720F18865AE809E7140D735DD49E7A2

Function 00FB4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB4648
VariantInit.OLEAUT32(?), ref: 00FB4749
VariantClear.OLEAUT32(?), ref: 00FB4753
VariantClear.OLEAUT32(?), ref: 00FB47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00FB472C
Null Object assignment in FOR..IN loop, xrefs: 00FB45D8, 00FB4706, 00FB47BE

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 790cc05519fa8ce031bbdc8bcbb729538897233fc2d28d6a09488594f2b87858
Instruction ID: 58adcbcaa3e07216c8e19873b7213d93130a4f85e21e5a84d83824af8c521fe0
Opcode Fuzzy Hash: 790cc05519fa8ce031bbdc8bcbb729538897233fc2d28d6a09488594f2b87858
Instruction Fuzzy Hash: CA918271E00219ABDF20CF66C944FEEBBB9AF45720F108559E505AB282D770A945DFA0

Function 00FA1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00FA125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FA1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00FA12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FA1430

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d906d846d29f53dbfc44234fcc6151b7aa0076132ed2a404a937cc46237abaac
Instruction ID: fac13f3e811d0e54b938b7b9a742abac063dc05f1aec0379687a03ebeb524c2b
Opcode Fuzzy Hash: d906d846d29f53dbfc44234fcc6151b7aa0076132ed2a404a937cc46237abaac
Instruction Fuzzy Hash: 9691E6B1E002099FDB00DF98C885BBE77B5FF46325F164029E941EB291D778E945EB90

Function 00F4948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5dae07ea525b743813cd26840e974860c7ea799bac5a0f18f93977ed48b7846a
Instruction ID: 88fa6172958918ca1419e835d425b4355d02cf37769c299c72b3d5da56e6afef
Opcode Fuzzy Hash: 5dae07ea525b743813cd26840e974860c7ea799bac5a0f18f93977ed48b7846a
Instruction Fuzzy Hash: 01912871E44219AFCB10DFA9CC84AEEBFB8FF49320F244159E915B7251D378A941EB60

Function 00FB3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB396B
CharUpperBuffW.USER32(?,?), ref: 00FB3A7A
_wcslen.LIBCMT ref: 00FB3A8A
VariantClear.OLEAUT32(?), ref: 00FB3C1F

Part of subcall function 00FA0CDF: VariantInit.OLEAUT32(00000000), ref: 00FA0D1F
Part of subcall function 00FA0CDF: VariantCopy.OLEAUT32(?,?), ref: 00FA0D28
Part of subcall function 00FA0CDF: VariantClear.OLEAUT32(?), ref: 00FA0D34

Strings

AUTOIT.ERROR, xrefs: 00FB3A80, 00FB3A85
Incorrect Parameter format, xrefs: 00FB39A6, 00FB3BA1

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9178cc6cd57a3cf3ad13fe226685a2f6db7473b7ddfd7f4e3b9c2ce38e5fc2de
Instruction ID: 94c5b8781c4eff2b0e30bac6a968ff606a1de6f42630eacc59e5225866a13ce3
Opcode Fuzzy Hash: 9178cc6cd57a3cf3ad13fe226685a2f6db7473b7ddfd7f4e3b9c2ce38e5fc2de
Instruction Fuzzy Hash: 47913675A083059FC704EF25C88196AB7E5BF88324F14892DF88997351DB34EE45EF92

Function 00FB4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00F9000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?,?,00F9035E), ref: 00F9002B
Part of subcall function 00F9000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90046
Part of subcall function 00F9000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90054
Part of subcall function 00F9000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?), ref: 00F90064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FB4C51
_wcslen.LIBCMT ref: 00FB4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FB4DCF
CoTaskMemFree.OLE32(?), ref: 00FB4DDA

Strings

NULL Pointer assignment, xrefs: 00FB4E23, 00FB4E52

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b0e300ec7ef065fcbbc514f1caa359b92cda2067cc70a2616502c603e42cc0b0
Instruction ID: e30c6d2a873ff69eb17a38e74bf793399945412841a283dac941502e25bc3fdf
Opcode Fuzzy Hash: b0e300ec7ef065fcbbc514f1caa359b92cda2067cc70a2616502c603e42cc0b0
Instruction Fuzzy Hash: AE911671D0021DAFDF14DFA5CC91AEEB7B8BF48310F108169E915A7291DB74AA44EFA0

Function 00FC20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FC2183
GetMenuItemCount.USER32(00000000), ref: 00FC21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FC21DD
_wcslen.LIBCMT ref: 00FC2213
GetMenuItemID.USER32(?,?), ref: 00FC224D
GetSubMenu.USER32(?,?), ref: 00FC225B

Part of subcall function 00F93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F93A57
Part of subcall function 00F93A3D: GetCurrentThreadId.KERNEL32 ref: 00F93A5E
Part of subcall function 00F93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F925B3), ref: 00F93A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FC22E3

Part of subcall function 00F9E97B: Sleep.KERNELBASE ref: 00F9E9F3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 2e098f7e91fc273084d5bbe33bf1b55a7b1943c4fd7f95c876596e01bf685fd7
Instruction ID: fca90c13dc46fdff3ec4498fa4246aea8f6052bb9046697920af51f5db19a856
Opcode Fuzzy Hash: 2e098f7e91fc273084d5bbe33bf1b55a7b1943c4fd7f95c876596e01bf685fd7
Instruction Fuzzy Hash: 40718E75E00206AFDB54EF64C942FAEB7F1EF48320F148459E816EB341D738AD41AB90

Function 00FC7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01506D20), ref: 00FC7F37
IsWindowEnabled.USER32(01506D20), ref: 00FC7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00FC801E
SendMessageW.USER32(01506D20,000000B0,?,?), ref: 00FC8051
IsDlgButtonChecked.USER32(?,?), ref: 00FC8089
GetWindowLongW.USER32(01506D20,000000EC), ref: 00FC80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FC80C3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2368dcd9ca7e7339111c7c9c2b74bc4a9085cfcdbda884940d6f8b936a965f0f
Instruction ID: bd51882eb656ea21542f2eafa2c4330420c1156ea6f0821bb3e8b6c3fda23153
Opcode Fuzzy Hash: 2368dcd9ca7e7339111c7c9c2b74bc4a9085cfcdbda884940d6f8b936a965f0f
Instruction Fuzzy Hash: 0C71BF34A08346AFEB21AF64CEC6FAABBB5EF09360F14005DE95553251CB31A845FF90

Function 00F9AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F9AEF9
GetKeyboardState.USER32(?), ref: 00F9AF0E
SetKeyboardState.USER32(?), ref: 00F9AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F9AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F9AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F9AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F9B020

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 898a758c5ab2a417faf40bc7f9c8a9331b514608025077334aed0470737c4a35
Instruction ID: 1d9dd83d8c2c3e31ea27f98fc55a4fae7bebcd8fd7e38b04e582f279ec8b4e92
Opcode Fuzzy Hash: 898a758c5ab2a417faf40bc7f9c8a9331b514608025077334aed0470737c4a35
Instruction Fuzzy Hash: C851D1A1A047D53DFF3743348D49BBABEA95B06318F088589E1D9458D2C3D9ACC8F791

Function 00F9ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F9AD19
GetKeyboardState.USER32(?), ref: 00F9AD2E
SetKeyboardState.USER32(?), ref: 00F9AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F9ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F9ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F9AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F9AE38

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 42d1c60442cb784ff7be0458aa38a04342d56bbe6c1db5310b3b2ab3c7444861
Instruction ID: c41996d84e70317f353046b2aaca43859b5f1397a88bf9c91e99b7c4ed3d5c84
Opcode Fuzzy Hash: 42d1c60442cb784ff7be0458aa38a04342d56bbe6c1db5310b3b2ab3c7444861
Instruction Fuzzy Hash: CC51D5A1D047D53DFF3793358C55B7A7EA85B46310F088489E1D9468C2D294EC98F7D2

Function 00F6542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00F73CD6,?,?,?,?,?,?,?,?,00F65BA3,?,?,00F73CD6,?,?), ref: 00F65470
__fassign.LIBCMT ref: 00F654EB
__fassign.LIBCMT ref: 00F65506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F73CD6,00000005,00000000,00000000), ref: 00F6552C
WriteFile.KERNEL32(?,00F73CD6,00000000,00F65BA3,00000000,?,?,?,?,?,?,?,?,?,00F65BA3,?), ref: 00F6554B
WriteFile.KERNEL32(?,?,00000001,00F65BA3,00000000,?,?,?,?,?,?,?,?,?,00F65BA3,?), ref: 00F65584

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d42a9af1b3bf286618d9fbeed2ab7ebaf2030c7a0ba37f7a5818f2655aa06e73
Instruction ID: 4d5c1456a2f136d58c50f59d9c43b0430267d5aa722060bf6fa8a63f0cee9254
Opcode Fuzzy Hash: d42a9af1b3bf286618d9fbeed2ab7ebaf2030c7a0ba37f7a5818f2655aa06e73
Instruction Fuzzy Hash: B851DFB1E006499FDB10CFA8D846AEEBBF9EF08710F18411EF946F3291D6309A41DB60

Function 00F52D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F52D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00F52D53
_ValidateLocalCookies.LIBCMT ref: 00F52DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00F52E0C
_ValidateLocalCookies.LIBCMT ref: 00F52E61

Strings

csm, xrefs: 00F52DF6

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c8a663c2390f4e43e973773d04606ebb373973cc707460d5bfb0aeef2f00cc0f
Instruction ID: aa77299c459bc567a4c195cc1a1f228f1b5d5abc269d3407529d1dcd09fce808
Opcode Fuzzy Hash: c8a663c2390f4e43e973773d04606ebb373973cc707460d5bfb0aeef2f00cc0f
Instruction Fuzzy Hash: 9041E834E002089BCF10DF68CC45A9EBBB5BF46326F148255EE146B352D735DA09EBD0

Function 00FB10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FB307A
Part of subcall function 00FB304E: _wcslen.LIBCMT ref: 00FB309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FB1112
WSAGetLastError.WSOCK32 ref: 00FB1121
WSAGetLastError.WSOCK32 ref: 00FB11C9
closesocket.WSOCK32(00000000), ref: 00FB11F9

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 2a0ef10c9c87fd122812cc3daeea518ef75f3952ad7f2137a419058c82276be4
Instruction ID: b5c976218307d2e1381e8cb5b95845b53b58bca90738b4a8aba6aaf5840bd138
Opcode Fuzzy Hash: 2a0ef10c9c87fd122812cc3daeea518ef75f3952ad7f2137a419058c82276be4
Instruction Fuzzy Hash: 5D41D036600208AFDB109F29CC95BEABBA9FF45364F148059F909AB291C774AD41DFE0

Function 00F9CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F9CF22,?), ref: 00F9DDFD

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F9CF22,?), ref: 00F9DE16

lstrcmpiW.KERNEL32(?,?), ref: 00F9CF45
MoveFileW.KERNEL32(?,?), ref: 00F9CF7F
_wcslen.LIBCMT ref: 00F9D005
_wcslen.LIBCMT ref: 00F9D01B
SHFileOperationW.SHELL32(?), ref: 00F9D061

Strings

\*.*, xrefs: 00F9CFF3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 44f0a99d364e1bc74ef17fc3219208d88c95d082609533be5bf813fa61762c59
Instruction ID: 798038c7c8da9977500c7a0a1551f0061b0ee4cc95e207464b4c97a01ba858f4
Opcode Fuzzy Hash: 44f0a99d364e1bc74ef17fc3219208d88c95d082609533be5bf813fa61762c59
Instruction Fuzzy Hash: 0F415871D051185FEF12EBA4DD81EDDB7B8AF04384F1000E6E509E7141EA74A688DB50

Function 00FC2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00FC2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00FC2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00FC2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00FC2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00FC2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00FC2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FC2F0B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a6bac163865a9f5be888c63df0f3e06919d170a28ccf99a38b944aaf13c2a55c
Instruction ID: 8cffeba59296894baebce81cd110e9f7d85ad5971e7da97e64dee41f5b893d1d
Opcode Fuzzy Hash: a6bac163865a9f5be888c63df0f3e06919d170a28ccf99a38b944aaf13c2a55c
Instruction Fuzzy Hash: 6D311931A04156AFDB61DF58DE86FA537E1FB4A720F150168F9449F2A1CB72EC40EB41

Function 00F97726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F97769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F9778F
SysAllocString.OLEAUT32(00000000), ref: 00F97792
SysAllocString.OLEAUT32(?), ref: 00F977B0
SysFreeString.OLEAUT32(?), ref: 00F977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00F977DE
SysAllocString.OLEAUT32(?), ref: 00F977EC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e3e9a554955950df7349da25d7dcee5dfface2d3589800f525f1eb3dc170591b
Instruction ID: cc796317202ed4ff2e8db7fd06cc56a432131a937b43d5ef1d38b84e603ce071
Opcode Fuzzy Hash: e3e9a554955950df7349da25d7dcee5dfface2d3589800f525f1eb3dc170591b
Instruction Fuzzy Hash: 9F21C476A04319AFEF10EFE9CC89DBB77ACEB093647048025F908DB150D670DC45A7A1

Function 00F977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F97842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F97868
SysAllocString.OLEAUT32(00000000), ref: 00F9786B
SysAllocString.OLEAUT32 ref: 00F9788C
SysFreeString.OLEAUT32 ref: 00F97895
StringFromGUID2.OLE32(?,?,00000028), ref: 00F978AF
SysAllocString.OLEAUT32(?), ref: 00F978BD

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0b49dd91b6d6c8b58d105e4b4410f4c5d276e2501cd05cefd750f4405434278b
Instruction ID: 897c6a86ecf36a18a5b75055c2d706635aae71ff2ecb935f3ba1f0e7d60c4c9d
Opcode Fuzzy Hash: 0b49dd91b6d6c8b58d105e4b4410f4c5d276e2501cd05cefd750f4405434278b
Instruction Fuzzy Hash: E4217731A14308AFEF10EFA8DC89DAA77ECFB097607148125F915CB1A1D674DC41DB64

Function 00FA04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FA04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FA052E

Strings

nul, xrefs: 00FA0567

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a48ff1ec74a7bdbbc197a68f0ee333138bf94b1f32c0cb059dbcc114a097e150
Instruction ID: f21d93a65fe0dc82b1eb36043876e90b48503e1c300d1c159a3db5e3d67f4d1e
Opcode Fuzzy Hash: a48ff1ec74a7bdbbc197a68f0ee333138bf94b1f32c0cb059dbcc114a097e150
Instruction Fuzzy Hash: 782191B5D003059FDB208F29EC05A9A7BB4AF46760F244A18E8A1D31E0DB709940EF60

Function 00FA05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FA05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FA0601

Strings

nul, xrefs: 00FA0639

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 42503efe5c6855636095ae7789e8034aad8362f63c81a9c2e836c23228e6679d
Instruction ID: df54424ff4cd0ed0065d456441b41f135855c0deb3ebef8f1fe7c4f48069cf96
Opcode Fuzzy Hash: 42503efe5c6855636095ae7789e8034aad8362f63c81a9c2e836c23228e6679d
Instruction Fuzzy Hash: FD2183B59003059FDB209F69AC05E9A77F4BF96734F200A19F9A1E73E0DB719860EB50

Function 00FC40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F3604C
Part of subcall function 00F3600E: GetStockObject.GDI32(00000011), ref: 00F36060
Part of subcall function 00F3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F3606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FC4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FC411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FC412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FC4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FC4145

Strings

Msctls_Progress32, xrefs: 00FC40E3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 1eb9b64b581c099b15d517f3940fed5a0112f9d636f6facf56293ea6b8c9b88b
Instruction ID: 804b78a06ca05723930ba4112e2324c9cd452926e29740b886d145ffcea5604f
Opcode Fuzzy Hash: 1eb9b64b581c099b15d517f3940fed5a0112f9d636f6facf56293ea6b8c9b88b
Instruction Fuzzy Hash: 3F1193B254021E7EEF119E64CC86EE77F9DEF087A8F004111FA58A2050C676DC21ABA4

Function 00F6D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F6D7A3: _free.LIBCMT ref: 00F6D7CC

_free.LIBCMT ref: 00F6D82D

Part of subcall function 00F629C8: HeapFree.KERNEL32(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F6D838
_free.LIBCMT ref: 00F6D843
_free.LIBCMT ref: 00F6D897
_free.LIBCMT ref: 00F6D8A2
_free.LIBCMT ref: 00F6D8AD
_free.LIBCMT ref: 00F6D8B8

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: d650bb73ab1b75fc19b729ebf519ff975ed6d7710430088d82a6002db4b53f5d
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: F4115B71B40B04AADA25BFB0CC47FCB7BFCAF40740F440825B299A6092DA69B505B662

Function 00F9DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F9DA74
LoadStringW.USER32(00000000), ref: 00F9DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F9DA91
LoadStringW.USER32(00000000), ref: 00F9DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F9DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F9DAB9

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 23d4a50ed12875d37a6ab0c047a63d2119aab1a315a33966e0655725abe4506d
Instruction ID: df3d85e96833a06ef0b816e6c9763479e904a114061c589aa2b3f0e94be33267
Opcode Fuzzy Hash: 23d4a50ed12875d37a6ab0c047a63d2119aab1a315a33966e0655725abe4506d
Instruction Fuzzy Hash: 280117F650020C7FEB11EBA49E8AEE7766CDB04701F404455F749E2041EA749E856F75

Function 00FA096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(014FF4D8,014FF4D8), ref: 00FA097B
EnterCriticalSection.KERNEL32(014FF4B8,00000000), ref: 00FA098D
TerminateThread.KERNEL32(?,000001F6), ref: 00FA099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00FA09A9
CloseHandle.KERNEL32(?), ref: 00FA09B8
InterlockedExchange.KERNEL32(014FF4D8,000001F6), ref: 00FA09C8
LeaveCriticalSection.KERNEL32(014FF4B8), ref: 00FA09CF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5a2c2b89bcbfcde72cf81ccc04067a09d1a0f38b106c0385c0904bc696f4baed
Instruction ID: b13c9852d3bcff426178ce099224bb39a5ff3944b79f181bebb6ce438f9e4f68
Opcode Fuzzy Hash: 5a2c2b89bcbfcde72cf81ccc04067a09d1a0f38b106c0385c0904bc696f4baed
Instruction Fuzzy Hash: 5DF01972442A06BBD7415BA4EF8AED6BA39FF06712F402025F206928A0CB759465EFD0

Function 00FB1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FB1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FB1DE1
WSAGetLastError.WSOCK32 ref: 00FB1DF2
htons.WSOCK32(?,?,?,?,?), ref: 00FB1EDB
inet_ntoa.WSOCK32(?), ref: 00FB1E8C

Part of subcall function 00F939E8: _strlen.LIBCMT ref: 00F939F2

Part of subcall function 00FB3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00FAEC0C), ref: 00FB3240

_strlen.LIBCMT ref: 00FB1F35

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: ab5c625035754c7ace67717c43650db83a403b46bb09fc0fee58abfb16acb223
Instruction ID: 75f63dfed29ad946df787cf7d629e76ea629bcf43f2d3457aa5920e483de965f
Opcode Fuzzy Hash: ab5c625035754c7ace67717c43650db83a403b46bb09fc0fee58abfb16acb223
Instruction Fuzzy Hash: 23B1F031604300AFC320DF25C8A5F6A7BA5BF84328F94854CF55A4B2E2CB71ED46DB91

Function 00F35D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F35D30
GetWindowRect.USER32(?,?), ref: 00F35D71
ScreenToClient.USER32(?,?), ref: 00F35D99
GetClientRect.USER32(?,?), ref: 00F35ED7
GetWindowRect.USER32(?,?), ref: 00F35EF8

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 69886b21d9eb3343aab4e6884466c18856ac9cdef58e31bb6452c2d0665d696a
Instruction ID: 0fcf1b24f651401454c33e10509d9f3dc5aa27d8b27c127de2a66b2f337702f8
Opcode Fuzzy Hash: 69886b21d9eb3343aab4e6884466c18856ac9cdef58e31bb6452c2d0665d696a
Instruction Fuzzy Hash: 0DB17A35A0074ADBDB10CFA9C5807EEB7F1FF48320F14841AE8A9D7250DB34AA91EB55

Function 00F601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00F600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F600D6
__allrem.LIBCMT ref: 00F600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F6010B
__allrem.LIBCMT ref: 00F60122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F60140

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 58678b1a9af3c042052dfda87c743ecbaf68b50661eb5899ee5a7509716764ac
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0581F672A00706ABE7249F78CC41B6B73E9AF42334F24463AF951D7681EB74D948B790

Function 00F661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F582D9,00F582D9,?,?,?,00F6644F,00000001,00000001,8BE85006), ref: 00F66258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F6644F,00000001,00000001,8BE85006,?,?,?), ref: 00F662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F663D8
__freea.LIBCMT ref: 00F663E5

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

__freea.LIBCMT ref: 00F663EE
__freea.LIBCMT ref: 00F66413

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f6a5a3dfacb4b755b3fbdcac2cea45d04834f8cc7e21b20d569e6b5817b809f9
Instruction ID: 661cffd7ce330cc872c56ed4ce8c86223a28083d6fdd07e81600f501186a2267
Opcode Fuzzy Hash: f6a5a3dfacb4b755b3fbdcac2cea45d04834f8cc7e21b20d569e6b5817b809f9
Instruction Fuzzy Hash: AE51C372A00216ABDF258F64DD82EBF77A9EF44760F15462AFC05D7240EB34DC44E6A0

Function 00FBBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FBBD25
RegCloseKey.ADVAPI32(00000000), ref: 00FBBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FBBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FBBDF3
RegCloseKey.ADVAPI32(?), ref: 00FBBDFF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 4b80e4505a4ad73e908c20f72084e0007f3cba230f8d06c092a8a168b5992322
Instruction ID: 7d869a2b9a01da0c2bd4e7deedfe650e886c982b2a96a3cd6fa4d36ca040e6bd
Opcode Fuzzy Hash: 4b80e4505a4ad73e908c20f72084e0007f3cba230f8d06c092a8a168b5992322
Instruction Fuzzy Hash: E381BC71608241AFC714DF25C881E6ABBE5FF84318F14895CF4998B2A2CB75ED05EF92

Function 00F8F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00F8F7B9
SysAllocString.OLEAUT32(00000001), ref: 00F8F860
VariantCopy.OLEAUT32(00F8FA64,00000000), ref: 00F8F889
VariantClear.OLEAUT32(00F8FA64), ref: 00F8F8AD
VariantCopy.OLEAUT32(00F8FA64,00000000), ref: 00F8F8B1
VariantClear.OLEAUT32(?), ref: 00F8F8BB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 337eafffe8e973b675801510044c2aeaac9c2ee85951afe8bcb784aaa056e466
Instruction ID: db98c6b59cd22b95452b3a137c449cc956cb3b4e92d049a2c02fd263c1ece836
Opcode Fuzzy Hash: 337eafffe8e973b675801510044c2aeaac9c2ee85951afe8bcb784aaa056e466
Instruction Fuzzy Hash: D751D932A00310BEDF14BF65DC96BA9B3A4EF45320F249466E905DF291DB748C48E7A6

Function 00FA910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00FA94E5
_wcslen.LIBCMT ref: 00FA9506
_wcslen.LIBCMT ref: 00FA952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00FA9585

Strings

X, xrefs: 00FA9412

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: bc64f831e3d0178b8f522815c7539c694a27af3e3b6f67b476e173031fd7ecd5
Instruction ID: fb3f2075051f50f42c67a6834994d7e0d2bb76a5c31450503cbe2922ea8c72be
Opcode Fuzzy Hash: bc64f831e3d0178b8f522815c7539c694a27af3e3b6f67b476e173031fd7ecd5
Instruction Fuzzy Hash: 4EE1A4719083409FC724DF24C881B6AB7E4BF85324F08856DF8899B2A2DB75ED05DB92

Function 00F4920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

BeginPaint.USER32(?,?,?), ref: 00F49241
GetWindowRect.USER32(?,?), ref: 00F492A5
ScreenToClient.USER32(?,?), ref: 00F492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F492D3
EndPaint.USER32(?,?,?,?,?), ref: 00F49321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F871EA

Part of subcall function 00F49339: BeginPath.GDI32(00000000), ref: 00F49357

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0c246fef1cc3a881da84d4e74ebeea32ddd29bca5d46d24695972a2acfcb03e3
Instruction ID: 545b6b04968487f833eca11160505099abafa373a5eea883581d5b3943a866c9
Opcode Fuzzy Hash: 0c246fef1cc3a881da84d4e74ebeea32ddd29bca5d46d24695972a2acfcb03e3
Instruction Fuzzy Hash: 5B419131608301AFD721EF24CC89FBB7BA8EF46320F140269F998872E1C7759945EB61

Function 00FA07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FA080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FA0847
EnterCriticalSection.KERNEL32(?), ref: 00FA0863
LeaveCriticalSection.KERNEL32(?), ref: 00FA08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FA08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FA0921

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: d8f2a14e9027acb0718a1321f0ab03cba7d665afbe7d9c581bb0aada638e7374
Instruction ID: 98d948fc84e3f77e3259e5ac559735b81e95e7d384df232913599d448724e8d6
Opcode Fuzzy Hash: d8f2a14e9027acb0718a1321f0ab03cba7d665afbe7d9c581bb0aada638e7374
Instruction Fuzzy Hash: B7417C71900209EFDF149F54DC85AAAB7B8FF05310F1440A9ED049B297DB34DE65EBA4

Function 00FC81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F8F3AB,00000000,?,?,00000000,?,00F8682C,00000004,00000000,00000000), ref: 00FC824C
EnableWindow.USER32(?,00000000), ref: 00FC8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FC82D1
ShowWindow.USER32(?,00000004), ref: 00FC82E5
EnableWindow.USER32(?,00000001), ref: 00FC830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FC832F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 9f2bfdf7c161bbfc78181579a81a0680b54aad369af3a07a06f4faaf45f96cbc
Instruction ID: ce1ed3d66f1645423ede8ba1bd3d08d3c20f4774d7f754127d66d38f2df23064
Opcode Fuzzy Hash: 9f2bfdf7c161bbfc78181579a81a0680b54aad369af3a07a06f4faaf45f96cbc
Instruction Fuzzy Hash: E341B934A01645EFDB22CF15CA8AFE47BE0FB06764F18516DE5484F262CB32A842EF50

Function 00F94C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F94C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F94CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F94CEA
_wcslen.LIBCMT ref: 00F94D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F94D10
_wcsstr.LIBVCRUNTIME ref: 00F94D1A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: dbb44bdcb84ff961c2648d0aa2065016a233f6cc218e96e5daad4832e5c998c1
Instruction ID: ca75e8ab7f81fc78c8bc3ce2b6c9a834c93541015d93d3956fabb2b3480534a4
Opcode Fuzzy Hash: dbb44bdcb84ff961c2648d0aa2065016a233f6cc218e96e5daad4832e5c998c1
Instruction Fuzzy Hash: B4212936A042047BFF155B35ED0AE7B7F9CDF55760F10402AF809CB191EA65EC01B6A0

Function 00FA581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F33A97,?,?,00F32E7F,?,?,?,00000000), ref: 00F33AC2

_wcslen.LIBCMT ref: 00FA587B
CoInitialize.OLE32(00000000), ref: 00FA5995
CoCreateInstance.OLE32(00FCFCF8,00000000,00000001,00FCFB68,?), ref: 00FA59AE
CoUninitialize.OLE32 ref: 00FA59CC

Strings

.lnk, xrefs: 00FA5876, 00FA58C1, 00FA5985

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 696904c6f9f25b335417546040b45a6984a56e7b00d98044bad99af8be55b215
Instruction ID: 398e7affa00d16a19d5dc451be9adb73797cd8db24a4da124c3b4d8a889c699c
Opcode Fuzzy Hash: 696904c6f9f25b335417546040b45a6984a56e7b00d98044bad99af8be55b215
Instruction Fuzzy Hash: 0FD166B5A047019FC714DF25C880A2ABBE5FF8AB20F14885DF8899B361D735EC45DB92

Function 00F9175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F90FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F90FCA
Part of subcall function 00F90FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F90FD6
Part of subcall function 00F90FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F90FE5
Part of subcall function 00F90FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F90FEC
Part of subcall function 00F90FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F91002

GetLengthSid.ADVAPI32(?,00000000,00F91335), ref: 00F917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F917BA
HeapAlloc.KERNEL32(00000000), ref: 00F917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F917DA
GetProcessHeap.KERNEL32(00000000,00000000,00F91335), ref: 00F917EE
HeapFree.KERNEL32(00000000), ref: 00F917F5

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: df23123833eaaf32221ddbd2587828e9b75b719c07658df5561bf436fab36b5e
Instruction ID: 2d5236ad9d3c61401fbf0c4ffd48a6434aeefe81b675b53bc36e4f5c3c6a62e0
Opcode Fuzzy Hash: df23123833eaaf32221ddbd2587828e9b75b719c07658df5561bf436fab36b5e
Instruction Fuzzy Hash: 7911AC3290020AFFEF119FA5CD4AFAF7BA9FB41365F144028F44597221C739A940EBA0

Function 00F914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00F91506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F91515
CloseHandle.KERNEL32(00000004), ref: 00F91520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F9154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F91563

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: fa42eaaf1faaeb196f894ccd1dafbe2b027d180b4e63cc8b23bd98b57a74b9d6
Instruction ID: b9444e9c2cc4f2321ac5cd28b7d10830b69c4d2d6b8b850e792eac43d4afa2b1
Opcode Fuzzy Hash: fa42eaaf1faaeb196f894ccd1dafbe2b027d180b4e63cc8b23bd98b57a74b9d6
Instruction Fuzzy Hash: C5111A7250024EABEF12CF98DE49FDA7BA9FF49754F054025FA05A2060C3768E61AB60

Function 00F53382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F53379,00F52FE5), ref: 00F53390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F5339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F533B7
SetLastError.KERNEL32(00000000,?,00F53379,00F52FE5), ref: 00F53409

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a175758009a3e1fd59792d130facd9f9cec609ef305f0739054c67d7c1d832a8
Instruction ID: 8bfb04a77b69eb68bb435842096da64f7d912c9ac7fbddf3628a0db9fb5e17e4
Opcode Fuzzy Hash: a175758009a3e1fd59792d130facd9f9cec609ef305f0739054c67d7c1d832a8
Instruction Fuzzy Hash: B301B533A09329AEE615277C7D86A663E58DF053FB720022DFE10851F1EF554D0AB588

Function 00F62D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F65686,00F73CD6,?,00000000,?,00F65B6A,?,?,?,?,?,00F5E6D1,?,00FF8A48), ref: 00F62D78
_free.LIBCMT ref: 00F62DAB
_free.LIBCMT ref: 00F62DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00F5E6D1,?,00FF8A48,00000010,00F34F4A,?,?,00000000,00F73CD6), ref: 00F62DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00F5E6D1,?,00FF8A48,00000010,00F34F4A,?,?,00000000,00F73CD6), ref: 00F62DEC
_abort.LIBCMT ref: 00F62DF2

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 81b5c04f40282a77e11b73b5c8bb2c8a2e9ac8b2965e1a88b8c004082194b095
Instruction ID: 0450a4dc0566e9defa97b2e03db9d944f721e227956adf8889668de538f9fe6b
Opcode Fuzzy Hash: 81b5c04f40282a77e11b73b5c8bb2c8a2e9ac8b2965e1a88b8c004082194b095
Instruction Fuzzy Hash: 43F0C832E05E1527C3923739BD16F6E356DAFC27B1F250519F828931D6EF28880272A0

Function 00FC8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F49693
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496A2
Part of subcall function 00F49639: BeginPath.GDI32(?), ref: 00F496B9
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FC8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00FC8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FC8A70
LineTo.GDI32(?,00000000,00000003), ref: 00FC8A80
EndPath.GDI32(?), ref: 00FC8A90
StrokePath.GDI32(?), ref: 00FC8AA0

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 859806fb41bc43775542a447cae9e32963f06a0985b1308590483ff211a33c39
Instruction ID: f850df26a5e1e46ad96711fc6d2467278d67d361d4d15f59cba1a0654929e3b9
Opcode Fuzzy Hash: 859806fb41bc43775542a447cae9e32963f06a0985b1308590483ff211a33c39
Instruction Fuzzy Hash: AE11097644010DFFDB129F90DD89EAA7F6CEB08390F048016FA599A1A1C7729D55EFA0

Function 00F951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F95218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F95229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F95230
ReleaseDC.USER32(00000000,00000000), ref: 00F95238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F9524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F95261

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 10969ddb90bba011222401d2698ee146da33a389b64b186db9b49753af71e373
Instruction ID: ca30bc7bf841b3472f23890a763e62255cb6f0aff9eff6ab1ce47ef195f88b6d
Opcode Fuzzy Hash: 10969ddb90bba011222401d2698ee146da33a389b64b186db9b49753af71e373
Instruction Fuzzy Hash: BB018475E01708BBEF105BA59D4AE4EBF78EB44751F044065FA08A7280D6709800DBA0

Function 00F31BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F31BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F31BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F31C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F31C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F31C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F31C22

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8557dd3bb649fae0f15c8831364d3896f253883c04ae49aedb72e8a983dba543
Instruction ID: 37f0e19f2c8846bbb16a2589e9272c1a2b61fb8f43e42a892d8f83bb0facc490
Opcode Fuzzy Hash: 8557dd3bb649fae0f15c8831364d3896f253883c04ae49aedb72e8a983dba543
Instruction Fuzzy Hash: A50167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 00F9EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F9EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F9EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00F9EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F9EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F9EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F9EB75

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b277e2c5883c5243653607a608f67d736f93fe945957a66b9aacd779d35e36f8
Instruction ID: faf9e1b729c313b92347992b1ae5ad31732b55c6b5687c1153e93032cd32690c
Opcode Fuzzy Hash: b277e2c5883c5243653607a608f67d736f93fe945957a66b9aacd779d35e36f8
Instruction Fuzzy Hash: 29F03A72A4015CBBE7215B639E0EEEF3A7CEFCAB15F000158F609D2091D7A15A01EAF5

Function 00F87439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00F87452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00F87469
GetWindowDC.USER32(?), ref: 00F87475
GetPixel.GDI32(00000000,?,?), ref: 00F87484
ReleaseDC.USER32(?,00000000), ref: 00F87496
GetSysColor.USER32(00000005), ref: 00F874B0

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: fdc51b1a5b9b85c120a332e741da42c015a7274df501ddf10189baba55e7294a
Instruction ID: 27493b2d5e0dcc23136e771f804b3beca084c786ee7ca3447c2375cf68788df3
Opcode Fuzzy Hash: fdc51b1a5b9b85c120a332e741da42c015a7274df501ddf10189baba55e7294a
Instruction Fuzzy Hash: E5018B32400209EFDB11AFA4DE0AFEA7BB5FB04321F640060F919A30A1CB311E42BB90

Function 00F91874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F9187F
UnloadUserProfile.USERENV(?,?), ref: 00F9188B
CloseHandle.KERNEL32(?), ref: 00F91894
CloseHandle.KERNEL32(?), ref: 00F9189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F918A5
HeapFree.KERNEL32(00000000), ref: 00F918AC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3386af84c6987b7fcaf6d9dcdab1511a72c274ea4820873ca94364af8a9bf220
Instruction ID: ef155633d59e276a5af5091e68882571fa7643a5aa355976980335e276226bd7
Opcode Fuzzy Hash: 3386af84c6987b7fcaf6d9dcdab1511a72c274ea4820873ca94364af8a9bf220
Instruction Fuzzy Hash: 87E0ED36404509BBDB015FA2EE0DD05BF39FF497217108220F22982471CB335420EF90

Function 00F9C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F9C6EE
_wcslen.LIBCMT ref: 00F9C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F9C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F9C7CA

Strings

0, xrefs: 00F9C6AF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 5376eb12bc8e4eadc4b714741cb74867512c0b78fec783f66376d344340731fe
Instruction ID: f92fb6b11d25ac4061ab42134f943a575ac20d3e6ea1e49fd1e1279f7d25fc3e
Opcode Fuzzy Hash: 5376eb12bc8e4eadc4b714741cb74867512c0b78fec783f66376d344340731fe
Instruction Fuzzy Hash: D551AF71A043009BEB159F68C985B6B77E4AF89320F040A2DF999D31D1DB74D908EBD3

Function 00FBAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00FBAEA3

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

GetProcessId.KERNEL32(00000000), ref: 00FBAF38
CloseHandle.KERNEL32(00000000), ref: 00FBAF67

Strings

<, xrefs: 00FBAE6B
@, xrefs: 00FBAE72

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 72598fb65e197461eb2494837bfb7f5dfb18eb39d078a8a2b8f7fcc1e590eccf
Instruction ID: b597d7ee9e031a87c508b610e0b9cb2ac27562155db3c3164940831a52da74d6
Opcode Fuzzy Hash: 72598fb65e197461eb2494837bfb7f5dfb18eb39d078a8a2b8f7fcc1e590eccf
Instruction Fuzzy Hash: FB716975A00619DFCB14EF66C885A9EBBF0BF08320F048499E856AB352C774ED45EF91

Function 00F9719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F97206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F9723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F9724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F972CF

Strings

DllGetClassObject, xrefs: 00F97242

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: c25a12262ec1d93283289550d1a49275569e08ecbbe2edb180d77107b3c7426e
Instruction ID: 4665484bdf1e05574b8ed9f8ddc36e3201d0f12831aaae9a7737fbd19665e359
Opcode Fuzzy Hash: c25a12262ec1d93283289550d1a49275569e08ecbbe2edb180d77107b3c7426e
Instruction Fuzzy Hash: C4418D71A24304EFEF15DF54C885B9A7BA9EF44710F2480A9BD099F24AD7B0D944EFA0

Function 00FC3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC3E35
IsMenu.USER32(?), ref: 00FC3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FC3E92
DrawMenuBar.USER32 ref: 00FC3EA5

Strings

0, xrefs: 00FC3D89

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 05cf3527c98872804c4296126f5d708a012feff35e43a020f6f12784f058ea2f
Instruction ID: 65ad72ca42df5c3d2570dcd54e174e692ee7b4189882b3e354946ebd2cd6a204
Opcode Fuzzy Hash: 05cf3527c98872804c4296126f5d708a012feff35e43a020f6f12784f058ea2f
Instruction Fuzzy Hash: 63414A75A0020AAFDB10DF50D985EAABBB5FF493A4F04812DF90597250D734EE49EFA0

Function 00F91DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F91E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F91E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F91EA9

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Strings

ListBox, xrefs: 00F91E25
ComboBox, xrefs: 00F91DF0

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 245785c81cfc9c7048c875170664406eb8fcb5be5839075720e4c64cf791e786
Instruction ID: 681a47ab4e912ac555ece12a0ece61b1a8561f213f8148c9a79e6d1e87b69cf1
Opcode Fuzzy Hash: 245785c81cfc9c7048c875170664406eb8fcb5be5839075720e4c64cf791e786
Instruction Fuzzy Hash: 4C213B75A00109BFEF14AB64DD46CFFB7B8EF45360F104129F919A71E1DB785909B620

Function 00FC2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FC2F8D
LoadLibraryW.KERNEL32(?), ref: 00FC2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FC2FA9
DestroyWindow.USER32(?), ref: 00FC2FB1

Strings

SysAnimate32, xrefs: 00FC2F68

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 42b76188211cc6b2a604ddd3843e2f98b33a1715b1e5e0457e84fabe66f59f34
Instruction ID: e9f04aac8084dd34229418c5134829c92e68112c867c529fdf36150172639551
Opcode Fuzzy Hash: 42b76188211cc6b2a604ddd3843e2f98b33a1715b1e5e0457e84fabe66f59f34
Instruction Fuzzy Hash: 0021B872A0020AABEB218E649E82FBB77B9EB58334F10021CFA54D2190C771DC41F7A0

Function 00F54D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F54D1E,00F628E9,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002), ref: 00F54D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F54DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00F54D1E,00F628E9,?,00F54CBE,00F628E9,00FF88B8,0000000C,00F54E15,00F628E9,00000002,00000000), ref: 00F54DC3

Strings

CorExitProcess, xrefs: 00F54D98
mscoree.dll, xrefs: 00F54D86

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e51c13866f658861d9d2873d5f43be678a4299c399d35df78ead9835ba72d9f5
Instruction ID: 12350ae1fd9e3c98157d1d052510587eafdf9d2dd3ca097311f0c99613e7c113
Opcode Fuzzy Hash: e51c13866f658861d9d2873d5f43be678a4299c399d35df78ead9835ba72d9f5
Instruction Fuzzy Hash: 7BF0813090020CABDB109B90DD0AFADBBB5EF04716F040155ED09A3250CF349984EAD1

Function 00F34E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F34EAE
FreeLibrary.KERNEL32(00000000,?,?,00F34EDD,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F34EA8
kernel32.dll, xrefs: 00F34E94

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 09484a0c0c73b445ebc1331bc67daf69b3493894139f3d7dc65df07184c2418c
Instruction ID: b215839a817e5f5c46ce1eb0e0df179e8000a55ac2bb1b41372e909a1b840b8f
Opcode Fuzzy Hash: 09484a0c0c73b445ebc1331bc67daf69b3493894139f3d7dc65df07184c2418c
Instruction Fuzzy Hash: 98E08635E015225BD22117266C1AF6B7554AFC1B72B0D0115FD08D3120DB60ED4260E1

Function 00F34E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F34E74
FreeLibrary.KERNEL32(00000000,?,?,00F73CDE,?,01001418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F34E87

Strings

kernel32.dll, xrefs: 00F34E5B
Wow64RevertWow64FsRedirection, xrefs: 00F34E6E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f45ff7c2d87c046ac400204faae754e08b896d94e639111b7c70538ed378b6ae
Instruction ID: 8728d81927d4be91d1e1972a42dc781d1ec228600e57f7cdcfc1caa6b9e10817
Opcode Fuzzy Hash: f45ff7c2d87c046ac400204faae754e08b896d94e639111b7c70538ed378b6ae
Instruction Fuzzy Hash: C0D0C232D026225786221B26AC0AE8B3A18AF81F3530D0115F908A3114CF20ED42B1D0

Function 00FA2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA2C05
DeleteFileW.KERNEL32(?), ref: 00FA2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FA2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FA2CC0

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: b3f2a1d668ef16389e5dabf06813ba3f01045c57ba4e35a8dbc21e47ac1d9b1a
Instruction ID: fe7839791b44103da15b4b153938eea9cc7893b71495bcd9b1093cebd4b19357
Opcode Fuzzy Hash: b3f2a1d668ef16389e5dabf06813ba3f01045c57ba4e35a8dbc21e47ac1d9b1a
Instruction Fuzzy Hash: AFB170B2E00119ABDF24DFA8CC85EDEB77DEF49350F0040A6FA09E7151EA349A449F61

Function 00FBA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00FBA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FBA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FBA468
CloseHandle.KERNEL32(?), ref: 00FBA63D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a2f6f8bba3840cb6b0fa7878bd2016296a228ecc3b357cd6cfd79379874716a9
Instruction ID: 44cda2fed4d5aa9d6418713f416045908ba8535090108cd479edfeb33c9e1bde
Opcode Fuzzy Hash: a2f6f8bba3840cb6b0fa7878bd2016296a228ecc3b357cd6cfd79379874716a9
Instruction Fuzzy Hash: 4CA1A271604300AFD720DF25C886F2AB7E5AF44724F14881DFA9A9B392DB74EC419F92

Function 00F6BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FD3700), ref: 00F6BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0100121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F6BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01001270,000000FF,?,0000003F,00000000,?), ref: 00F6BC36
_free.LIBCMT ref: 00F6BB7F

Part of subcall function 00F629C8: HeapFree.KERNEL32(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F6BD4B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 6f3a2401bb915e195420eb83e39151bdc31cdfd51cd715f34a42b0aab2be8d5f
Instruction ID: a5b16efec0e2d595ee514543fe954e31f55a7d296b21eb58791b9b33ca4ab62f
Opcode Fuzzy Hash: 6f3a2401bb915e195420eb83e39151bdc31cdfd51cd715f34a42b0aab2be8d5f
Instruction Fuzzy Hash: E451F972D04209EFCB21DF65DC8196EB7BCEF40360F10026AE554D7291EB349E81EB90

Function 00F9E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F9CF22,?), ref: 00F9DDFD

Part of subcall function 00F9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F9CF22,?), ref: 00F9DE16

Part of subcall function 00F9E199: GetFileAttributesW.KERNEL32(?,00F9CF95), ref: 00F9E19A

lstrcmpiW.KERNEL32(?,?), ref: 00F9E473
MoveFileW.KERNEL32(?,?), ref: 00F9E4AC
_wcslen.LIBCMT ref: 00F9E5EB
_wcslen.LIBCMT ref: 00F9E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F9E650

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: ce8a98f9d61d7508ecd2e7261a222bde4605937f2eb7413e9f0ecb4a19a7a268
Instruction ID: 309144dd3c8ce6b9aa4ac0b8fab9c391aa56b027abedbcf6f232142fd57ce621
Opcode Fuzzy Hash: ce8a98f9d61d7508ecd2e7261a222bde4605937f2eb7413e9f0ecb4a19a7a268
Instruction Fuzzy Hash: 9D5192B24083459BDB24DBA4DC819DF73ECAF84350F00491EF689D3191EF79A588D766

Function 00FBB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00FBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FBB6AE,?,?), ref: 00FBC9B5
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBC9F1
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA68
Part of subcall function 00FBC998: _wcslen.LIBCMT ref: 00FBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FBBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FBBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FBBB63
RegCloseKey.ADVAPI32(?,?), ref: 00FBBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00FBBBB3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8803b01100614447e3c23928a40a54c009a41ff2509bc314cc81f8a55ff01e59
Instruction ID: d34bfbb8ca028ca833a4bc876bb5b18a722eacdc8eb755b9afc87e43a2bf7cff
Opcode Fuzzy Hash: 8803b01100614447e3c23928a40a54c009a41ff2509bc314cc81f8a55ff01e59
Instruction Fuzzy Hash: D961C031608201AFC314DF15C891E6ABBE9FF84318F14855CF4998B2A2CB75ED45EF92

Function 00F98BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F98BCD
VariantClear.OLEAUT32 ref: 00F98C3E
VariantClear.OLEAUT32 ref: 00F98C9D
VariantClear.OLEAUT32(?), ref: 00F98D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F98D3B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 291cb3f6aecedb64109d19e0e41055d8679fbc140f1cd58d27088411cf332c3c
Instruction ID: 632c99ed75b9ae2abd439d1b1f1db4e73cf0c7803dc2e67ab8c909231fbeac65
Opcode Fuzzy Hash: 291cb3f6aecedb64109d19e0e41055d8679fbc140f1cd58d27088411cf332c3c
Instruction Fuzzy Hash: AE515AB5A00219EFDB14CF68C894EAAB7F8FF89350B158559E909DB350E730E912CF90

Function 00FA8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FA8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FA8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FA8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FA8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FA8C5F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: e3a2e27125163772b99c854d875d93bced24150582ae909aa20b894c3b2df9d9
Instruction ID: 4caab79c85e38ea0b0c85e20ee5f7ac28c0ef68540cbf162fd9db3403921b898
Opcode Fuzzy Hash: e3a2e27125163772b99c854d875d93bced24150582ae909aa20b894c3b2df9d9
Instruction Fuzzy Hash: 46515C75A002189FCB14DF65C881E69BBF5FF49364F088058E849AB362CB35ED51EFA0

Function 00FB8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FB8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00FB8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FB8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00FB9032
FreeLibrary.KERNEL32(00000000), ref: 00FB9052

Part of subcall function 00F4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FA1043,?,75C0E610), ref: 00F4F6E6
Part of subcall function 00F4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F8FA64,00000000,00000000,?,?,00FA1043,?,75C0E610,?,00F8FA64), ref: 00F4F70D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3d4fa56d8c05933ea2d8d3fca2d224b6fe95fa51da0125bfa52f429a7cfd8ec3
Instruction ID: 00bb09037e7ba97529a196c3ebb94a5494ebce70c968f45d73665df09d9dc711
Opcode Fuzzy Hash: 3d4fa56d8c05933ea2d8d3fca2d224b6fe95fa51da0125bfa52f429a7cfd8ec3
Instruction Fuzzy Hash: 27515C35A04205DFCB10EF65C4949ADBBB1FF49364F088098E9099B362DB75ED86EF90

Function 00FC6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FC6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00FC6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FC6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FAAB79,00000000,00000000), ref: 00FC6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FC6CC7

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 312eada402ed8e009ee223a034f6da86f9da9a4dc7c01ee9cb50a097e028ece0
Instruction ID: b1af642546ff78b5c768931054fd3d0dde7bff86df1ca3f81b2be8168dad400f
Opcode Fuzzy Hash: 312eada402ed8e009ee223a034f6da86f9da9a4dc7c01ee9cb50a097e028ece0
Instruction Fuzzy Hash: EC41D635A08105AFD724CF28CE56FA57BA5EB49361F15022CF899E73E1C371ED41EA90

Function 00F62051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F620C3
_free.LIBCMT ref: 00F620E3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8fc6d05bf3c004f0ac263b6d92f9ae5c5b69f05f0e4fd748d9b62e99f74c0aa8
Instruction ID: 1252ad06e9ae2c6491d5981706a9e4941cca49a26b06d9f260bf5a2816d51164
Opcode Fuzzy Hash: 8fc6d05bf3c004f0ac263b6d92f9ae5c5b69f05f0e4fd748d9b62e99f74c0aa8
Instruction Fuzzy Hash: A741D232E00604AFCB24DF78CD81A6DB7B5EF89724F154569EA15EB351DB31AD01EB80

Function 00F4912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F49141
ScreenToClient.USER32(00000000,?), ref: 00F4915E
GetAsyncKeyState.USER32(00000001), ref: 00F49183
GetAsyncKeyState.USER32(00000002), ref: 00F4919D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c6dcd07f1e1abe0ab576f625aa98e7fb1a7a0f484a3a94a1f829852331aceb8c
Instruction ID: dd7ffb77db66b8080dd88197b2aca3585f64e64ebf479c2d68b8cb13329303fb
Opcode Fuzzy Hash: c6dcd07f1e1abe0ab576f625aa98e7fb1a7a0f484a3a94a1f829852331aceb8c
Instruction Fuzzy Hash: 21414131A0861AABDF15AF64C848BEEBB74FB45334F244219E829A7290C7746950EB91

Function 00FA3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FA38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FA3922
TranslateMessage.USER32(?), ref: 00FA394B
DispatchMessageW.USER32(?), ref: 00FA3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA3966

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b4976348c6d576d258c91ed9e9b385b00c209ad7212622d5b3d777b492cdc689
Instruction ID: a8222961002ed6795e81dc3d54faa6a617179952d8b0aef25fde84b9affabc81
Opcode Fuzzy Hash: b4976348c6d576d258c91ed9e9b385b00c209ad7212622d5b3d777b492cdc689
Instruction Fuzzy Hash: ED31C6B1D04345AFEB36CB34D849BB737A9EB0B314F04455DF49682190E3B9D684EB11

Function 00FACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00FACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00FACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FAC21E,00000000), ref: 00FACFF2

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: c070b2065cbf8db8bed92027d261b6a8c1277500de0b081ca26dc1ab9cd44aba
Instruction ID: 8134017e5519e02cd549d593034839d111ea2229e5cc164e51dd44a44b78faff
Opcode Fuzzy Hash: c070b2065cbf8db8bed92027d261b6a8c1277500de0b081ca26dc1ab9cd44aba
Instruction Fuzzy Hash: 3A314DB1904209AFDB24DFA5D985AAABBF9EB15351B10442EF51AD3140DB30AD41EBB0

Function 00F91901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F91915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00F919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00F919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00F919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F919E2

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 4ff9ce3a2849a7a1dfb40212bba2fa2d6c0afd8a787cebe00d6c54a6c396d95c
Instruction ID: 91777e01488a4ab13e1da44ec4d3b05c9850647347eb4d46697cdd28d6c6d234
Opcode Fuzzy Hash: 4ff9ce3a2849a7a1dfb40212bba2fa2d6c0afd8a787cebe00d6c54a6c396d95c
Instruction Fuzzy Hash: 0331AF72A0021AEFDF14CFA8CE99ADE3BB5FB44325F104225F925A72D1C7709954EB90

Function 00FC5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FC5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FC579D
_wcslen.LIBCMT ref: 00FC57AF
_wcslen.LIBCMT ref: 00FC57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FC5816

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: d08518f48227bcd8a6a51f2f097fa1b7e62c46a815d6c6eaf5aecb89fc279cc2
Instruction ID: 662825c1f2e1eefa375e51661ef879de8acb5e34820732f110f397586590911d
Opcode Fuzzy Hash: d08518f48227bcd8a6a51f2f097fa1b7e62c46a815d6c6eaf5aecb89fc279cc2
Instruction Fuzzy Hash: C5215271D046199ADB209FA0CD46FEE7778EF04B24F10425AE9199A180D774AAC5EF50

Function 00FB0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FB0951
GetForegroundWindow.USER32 ref: 00FB0968
GetDC.USER32(00000000), ref: 00FB09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00FB09B0
ReleaseDC.USER32(00000000,00000003), ref: 00FB09E8

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 778064abd396831a90d5bb23594929d17f62b04e904192e692c5fb30a87477b9
Instruction ID: 816d347705af43968114199f8e6272177f19166a4d5e35d52153a97914687180
Opcode Fuzzy Hash: 778064abd396831a90d5bb23594929d17f62b04e904192e692c5fb30a87477b9
Instruction Fuzzy Hash: 35218175A00204AFD714EF65CD85EAEBBE9EF49750F048068F84A97752CB34AC04EF90

Function 00F6CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F6CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F6CDE9

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F6CE0F
_free.LIBCMT ref: 00F6CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F6CE31

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: ff0a92cf47cfbbb1118f4563c237212df8d3b7fb0ce512589ad8e7aa4685c9b4
Instruction ID: d07f85d726826827cc7ff66ebb54f9dfb4592d89d96b0c917592762a49e07802
Opcode Fuzzy Hash: ff0a92cf47cfbbb1118f4563c237212df8d3b7fb0ce512589ad8e7aa4685c9b4
Instruction Fuzzy Hash: 4A01D472A022157F232116BA6D89D7B797DDED6FA13150129F989C7200EA6A8D01B1F0

Function 00F49639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F49693
SelectObject.GDI32(?,00000000), ref: 00F496A2
BeginPath.GDI32(?), ref: 00F496B9
SelectObject.GDI32(?,00000000), ref: 00F496E2

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: bd08838dc90f2fa06c25a3eef665e6de7be1b2ae4b266160afe7e0b28ecdf777
Instruction ID: 1f833d71c485e68d8f4dbe77b5684db6c0cf6727c30a0e4627474b3d0ea8b4bd
Opcode Fuzzy Hash: bd08838dc90f2fa06c25a3eef665e6de7be1b2ae4b266160afe7e0b28ecdf777
Instruction Fuzzy Hash: 8721A73191A305EFDB229F25ED09BAA3F74BB50325F110215F854971E4D3B5D851EF90

Function 00F95711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00F95726
_memcmp.LIBVCRUNTIME ref: 00F95744
_memcmp.LIBVCRUNTIME ref: 00F95757
_memcmp.LIBVCRUNTIME ref: 00F9576F
_memcmp.LIBVCRUNTIME ref: 00F95787

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a46967d6594a2b53ddfaa819e23b872cc96cb6ad52fc3c68fcc150d61baf5191
Instruction ID: c94f58478b8800250e259a2f2f448be6de9798ea3be1f5ed481c9ad06dc2d624
Opcode Fuzzy Hash: a46967d6594a2b53ddfaa819e23b872cc96cb6ad52fc3c68fcc150d61baf5191
Instruction Fuzzy Hash: 1B01DB6264160EBAFA0955509E92FBA735D9B617A5B004024FE045A141F730FF14B3A3

Function 00F62DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F5F2DE,00F63863,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6), ref: 00F62DFD
_free.LIBCMT ref: 00F62E32
_free.LIBCMT ref: 00F62E59
SetLastError.KERNEL32(00000000,00F31129), ref: 00F62E66
SetLastError.KERNEL32(00000000,00F31129), ref: 00F62E6F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8c2e8feb4d63ce866bd3273c4920e55e6cec88047e890a0ac3ac345915e7ac47
Instruction ID: b5a1cd081173df500862646f7ca9595da4dcd0538bc4ef0a106afd0f69a09613
Opcode Fuzzy Hash: 8c2e8feb4d63ce866bd3273c4920e55e6cec88047e890a0ac3ac345915e7ac47
Instruction Fuzzy Hash: 8E012836A45E0467C75227357D86E2B366DEFE17B1B250038F425A32D2EF3A8C01B160

Function 00F9000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?,?,00F9035E), ref: 00F9002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?), ref: 00F90064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F8FF41,80070057,?,?), ref: 00F90070

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8df11c1cdb20887e1529adc35e68a1c4fafd0a3c6bc93f4ea60481277f11266b
Instruction ID: 1ba4f4742c68d84245f5e6c315cd007b862d43f3d75a33e801c4c8ba48c819f7
Opcode Fuzzy Hash: 8df11c1cdb20887e1529adc35e68a1c4fafd0a3c6bc93f4ea60481277f11266b
Instruction Fuzzy Hash: 2B018F72A00208BFEF108F68DD05FAA7AEDEB44761F144124F909D3260DB71DD40ABA0

Function 00F910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F91114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F9112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F90B9B,?,?,?), ref: 00F91136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F9114D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: c5592ab2a98ba22b2df340d2582a6c2f2775da9b13c23f9375efa234c3561d0b
Instruction ID: e7d7f97926d6eb8be0a351c720680409d9906bbc47a077e5f8cf1f53e15e5490
Opcode Fuzzy Hash: c5592ab2a98ba22b2df340d2582a6c2f2775da9b13c23f9375efa234c3561d0b
Instruction Fuzzy Hash: 3C016D75500209BFDB114F65DD4EE6A3B6EFF85360B150424FA49C3360DB31DC41AAA0

Function 00F90FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F90FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F90FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F90FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F90FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F91002

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 400786bf12b0b6318772ca0ff069f850d3e347a8b572b9418a274bea4645dab5
Instruction ID: f0cf8b190df2e7fd07a609ea1ba6fd70d881e3ae1f76b1278bac349ab3bf2d3f
Opcode Fuzzy Hash: 400786bf12b0b6318772ca0ff069f850d3e347a8b572b9418a274bea4645dab5
Instruction Fuzzy Hash: 2EF06235540305EBDB214FA5DD4EF563B6DFF89761F144424F949C7261CA71DC40DAA0

Function 00F91014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F9102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F91036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91062

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bb8e2d5f7e0b857f47de851a227f1b86b7c3ab85965eadb9510881d66aa13e4a
Instruction ID: b7070b0cbbfcab6e9c0f0112e945abd31922c6ebb920551d9e97fa2ff4f56800
Opcode Fuzzy Hash: bb8e2d5f7e0b857f47de851a227f1b86b7c3ab85965eadb9510881d66aa13e4a
Instruction Fuzzy Hash: D5F06235540305EBDB215FA5ED4AF563B6DFF89761F140424F949C7261CA72D8409AA0

Function 00FA030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0324
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0331
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA033E
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA034B
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0358
CloseHandle.KERNEL32(?,?,?,?,00FA017D,?,00FA32FC,?,00000001,00F72592,?), ref: 00FA0365

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c3ad3fcc27041ec3c8cdd1eff83dc02a0b95e8cdeb02210087b47c7ee1f1b6fc
Instruction ID: 0aeb2e48c00258c130073634ea7236a5d4cf56cd13b74875ad27b74a8072f579
Opcode Fuzzy Hash: c3ad3fcc27041ec3c8cdd1eff83dc02a0b95e8cdeb02210087b47c7ee1f1b6fc
Instruction Fuzzy Hash: 3901A2B2800B159FCB309F66E880812F7F9BF613253158A3FD19652931C771A954EF80

Function 00F6D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F6D752

Part of subcall function 00F629C8: HeapFree.KERNEL32(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F6D764
_free.LIBCMT ref: 00F6D776
_free.LIBCMT ref: 00F6D788
_free.LIBCMT ref: 00F6D79A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6b16d924ea5049960f3fec5e180d636768039d3bbca1a704d226523bad88477d
Instruction ID: eb0b73c048461cc04f4a29c0db57788a319b222139c097f566e2c5e39e875839
Opcode Fuzzy Hash: 6b16d924ea5049960f3fec5e180d636768039d3bbca1a704d226523bad88477d
Instruction Fuzzy Hash: EEF0FF32F4461CAB8669EB68FAC5C267BFDBF44760B940805F048D7501CB24FC80F6A5

Function 00F95C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F95C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F95C6F
MessageBeep.USER32(00000000), ref: 00F95C87
KillTimer.USER32(?,0000040A), ref: 00F95CA3
EndDialog.USER32(?,00000001), ref: 00F95CBD

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c8e3826e29ff6584c379f69feebbe46623a4e50bc539cede09a22386945fcbb2
Instruction ID: b95e44192bcd50cf9ea1a4ee57d697b2df386b197944adf3b6e465246d4473a1
Opcode Fuzzy Hash: c8e3826e29ff6584c379f69feebbe46623a4e50bc539cede09a22386945fcbb2
Instruction Fuzzy Hash: 93016770500704ABFF255B20DF4FF9577B8BB00F05F000559E646A15E1D7F45944AB90

Function 00F622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F622BE

Part of subcall function 00F629C8: HeapFree.KERNEL32(00000000,00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000), ref: 00F629DE
Part of subcall function 00F629C8: GetLastError.KERNEL32(00000000,?,00F6D7D1,00000000,00000000,00000000,00000000,?,00F6D7F8,00000000,00000007,00000000,?,00F6DBF5,00000000,00000000), ref: 00F629F0

_free.LIBCMT ref: 00F622D0
_free.LIBCMT ref: 00F622E3
_free.LIBCMT ref: 00F622F4
_free.LIBCMT ref: 00F62305

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cc6843ed631d07c22d3fad7460ac43cf1fbf492cd29d226e112c0598228b45c2
Instruction ID: aa2bbad4af0e0cb53714d3c12d2c0ca7e376937310798e4d4d601d83c32f7215
Opcode Fuzzy Hash: cc6843ed631d07c22d3fad7460ac43cf1fbf492cd29d226e112c0598228b45c2
Instruction Fuzzy Hash: 2EF030B09009248B8767AF58FC019283BB4BB187E1F00051AF450D2269C73E4411FBE5

Function 00F495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F495D4
StrokeAndFillPath.GDI32(?,?,00F871F7,00000000,?,?,?), ref: 00F495F0
SelectObject.GDI32(?,00000000), ref: 00F49603
DeleteObject.GDI32 ref: 00F49616
StrokePath.GDI32(?), ref: 00F49631

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1ec6558f40112519879b1ba33c22776beb45c59ed82277d4679148dc12c2ad04
Instruction ID: eb9a115fe45329663b6298e43f8977f86d12dd524ffa7f819700acd6cff3f37d
Opcode Fuzzy Hash: 1ec6558f40112519879b1ba33c22776beb45c59ed82277d4679148dc12c2ad04
Instruction Fuzzy Hash: 9AF03C31509208EBDB275F65EE0DB653F61BB00332F148214F9A9960F4CB7A8991EF60

Function 00F60F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00F610F9
__freea.LIBCMT ref: 00F61117

Part of subcall function 00F61537: _free.LIBCMT ref: 00F6154F

Strings

a/p, xrefs: 00F611DE
am/pm, xrefs: 00F6117A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a9bd80f194cdf2b3e74ff5058b8fd7d63cf37508d7549c21de56218fbab196b8
Instruction ID: d204e4756f066e60072195444a80b3e5e6d37ab56c804836dc9940ecab1d33d3
Opcode Fuzzy Hash: a9bd80f194cdf2b3e74ff5058b8fd7d63cf37508d7549c21de56218fbab196b8
Instruction Fuzzy Hash: E0D10132D00206DADB289F68C856BFEB7B5FF06320F2C4159E906AB751D7359D80EB91

Function 00FB7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00F50242: EnterCriticalSection.KERNEL32(0100070C,01001884,?,?,00F4198B,01002518,?,?,?,00F312F9,00000000), ref: 00F5024D
Part of subcall function 00F50242: LeaveCriticalSection.KERNEL32(0100070C,?,00F4198B,01002518,?,?,?,00F312F9,00000000), ref: 00F5028A

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F500A3: __onexit.LIBCMT ref: 00F500A9

__Init_thread_footer.LIBCMT ref: 00FB7BFB

Part of subcall function 00F501F8: EnterCriticalSection.KERNEL32(0100070C,?,?,00F48747,01002514), ref: 00F50202
Part of subcall function 00F501F8: LeaveCriticalSection.KERNEL32(0100070C,?,00F48747,01002514), ref: 00F50235

Strings

Variable must be of type 'Object'., xrefs: 00FB7C3A
5, xrefs: 00FB7C78
G, xrefs: 00FB7C7F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: cbb3188b0553e0fdf50de000f4ad45c836a2d3df0cbb8671d553d60e427c785e
Instruction ID: e73325fed7b5483a56d0b0da1bdcd043bbe22ac84a628c038eafd21bdc741555
Opcode Fuzzy Hash: cbb3188b0553e0fdf50de000f4ad45c836a2d3df0cbb8671d553d60e427c785e
Instruction Fuzzy Hash: 70919A70A04209AFCB14EF56D891DEDBBB1BF88350F148049F846AB292DB75AE41EF51

Function 00F92716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F9B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F921D0,?,?,00000034,00000800,?,00000034), ref: 00F9B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F92760

Part of subcall function 00F9B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F9B3F8

Part of subcall function 00F9B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F9B355
Part of subcall function 00F9B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F92194,00000034,?,?,00001004,00000000,00000000), ref: 00F9B365
Part of subcall function 00F9B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F92194,00000034,?,?,00001004,00000000,00000000), ref: 00F9B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F9281A

Strings

@, xrefs: 00F92832

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 471358b870f5b91ec497d7d39208cd6a4eac61b849f9089f32b277c66bd99a40
Instruction ID: d6cb8534c5b52ab299347c7e4ae2775eb6a40896fa800300e7069d01af4bdd28
Opcode Fuzzy Hash: 471358b870f5b91ec497d7d39208cd6a4eac61b849f9089f32b277c66bd99a40
Instruction Fuzzy Hash: 1A412A72900218BEEF10DFA4DD46EEEBBB8AF09310F004095EA55B7181DA716E45EBA1

Function 00F6172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00F61769
_free.LIBCMT ref: 00F61834
_free.LIBCMT ref: 00F6183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00F61760, 00F61767, 00F61796, 00F617CE

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: fcc38755f7fd9b6d9e25132d88d093264a89839740ed0bfdd77be7e4793b9189
Instruction ID: 2ababf98555e20861330bff6d60c9abdf0ad3c89aefdc6c4f64c2c242e78ecd5
Opcode Fuzzy Hash: fcc38755f7fd9b6d9e25132d88d093264a89839740ed0bfdd77be7e4793b9189
Instruction Fuzzy Hash: 3D3161B1E00218ABDB22DFA99C85D9EBBFCFB85360F184166F844D7201D6748E41EB90

Function 00F9C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F9C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00F9C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01001990,01506F50), ref: 00F9C395

Strings

0, xrefs: 00F9C2DF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 0111b8111ad49048d5168acf27f0eec5cd3a84b4b2dc97f05815a2f8b041e251
Instruction ID: 98856ed0535e1aedee5d71d9d1d3a9417583b43fa1ab72c7d6088b911a5b2fe2
Opcode Fuzzy Hash: 0111b8111ad49048d5168acf27f0eec5cd3a84b4b2dc97f05815a2f8b041e251
Instruction Fuzzy Hash: F041C2716043019FEB24DF29DC85F1ABBE8AF85320F048A1DF9A5972D1D774E904EB92

Function 00FC4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FCCC08,00000000,?,?,?,?), ref: 00FC44AA
GetWindowLongW.USER32 ref: 00FC44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FC44D7

Strings

SysTreeView32, xrefs: 00FC447C

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: acc1eae5f9c6d8bf5037d5c9454dc52b60b8bacaa976c3aa3b820213c246d7d3
Instruction ID: bdd477db0b81f1f7be56d1f76947a04e94195ba3dacb5a677eb34868614cd78d
Opcode Fuzzy Hash: acc1eae5f9c6d8bf5037d5c9454dc52b60b8bacaa976c3aa3b820213c246d7d3
Instruction Fuzzy Hash: 4D31AD31610606AFDB248E38DD46FEA7BA9EB08334F244719F979931D0D775EC50AB50

Function 00FB304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FB3077,?,?), ref: 00FB3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FB307A
_wcslen.LIBCMT ref: 00FB309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00FB3106

Strings

255.255.255.255, xrefs: 00FB3095, 00FB309A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b23d50ddf5c4c8cdfcbfd5a5d8f9064b7b49653351afdb0dfff87beb7df71f92
Instruction ID: 9ece32de23d5a81e73eb6c4c169683459d7e9b15d8c8b0a07fbf64f13db7eb73
Opcode Fuzzy Hash: b23d50ddf5c4c8cdfcbfd5a5d8f9064b7b49653351afdb0dfff87beb7df71f92
Instruction Fuzzy Hash: BF313739A042059FCB10DF2EC881EEA77E0EF14368F248059E8158B392DB71EE41EF60

Function 00FC3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FC3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FC3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FC3F78

Strings

SysMonthCal32, xrefs: 00FC3F0B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 32f5cb36b08f654abde8c219bd4a42b275607480dbaaba9bf8c49cd250d49e64
Instruction ID: a2756aa35185654e690f1886b1f2dcf7e1bf9d8e6cb626c25787136e1aff731a
Opcode Fuzzy Hash: 32f5cb36b08f654abde8c219bd4a42b275607480dbaaba9bf8c49cd250d49e64
Instruction Fuzzy Hash: ED21EF32A0021ABBDF258F50CC42FEA3B79EF48764F114218FA096B1C0C6B5A950EB90

Function 00FC4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FC4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FC4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FC471A

Strings

msctls_updown32, xrefs: 00FC4684

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 7e8dbee1562d04f99203d0fafdbfacae28cc0133b424c25ff92261d75f59a344
Instruction ID: ae979b70d3dedf99ecba5009ce0ce6dc257f40f0041dcf2e904e49806b5dcff0
Opcode Fuzzy Hash: 7e8dbee1562d04f99203d0fafdbfacae28cc0133b424c25ff92261d75f59a344
Instruction Fuzzy Hash: 2D215CB5600209AFDB11DF64DD92EA737ADEF4A3A4B040059FA049B391CB35FC51EBA0

Function 00F995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F9961D

Strings

#notrayicon, xrefs: 00F995B7
#OnAutoItStartRegister, xrefs: 00F995F3
#requireadmin, xrefs: 00F995D9

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 16979358c757e3f0ba55100b71a43dcf01146cf3e3f82d5a7611e69283dfdc54
Instruction ID: c2b1b17625fdeac2479356f4cd9e8bcfbc23544161a30db31a5ea0e90bb62fb9
Opcode Fuzzy Hash: 16979358c757e3f0ba55100b71a43dcf01146cf3e3f82d5a7611e69283dfdc54
Instruction Fuzzy Hash: C321387250861166EB31AA2CDC03FB7B7E89F91320F16402EF94997041EBD6AD49F2D6

Function 00FC37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FC3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FC3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FC3876

Strings

Listbox, xrefs: 00FC380F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9561a9ed0049f7a48ba6b2bd64ea106a0d96a0e76e3ddb9335a640f88bf5d2ff
Instruction ID: b52232ce7acc536ade3ec814c8c1c352961c27a2f302b7a83b3040033f1bbfe0
Opcode Fuzzy Hash: 9561a9ed0049f7a48ba6b2bd64ea106a0d96a0e76e3ddb9335a640f88bf5d2ff
Instruction Fuzzy Hash: 2621C572A041197BEF119F54CD42FBB376EEF897A0F118118F9049B190C675DC51A790

Function 00FA49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FA4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FA4A5C
SetErrorMode.KERNEL32(00000000,?,?,00FCCC08), ref: 00FA4AD0

Strings

%lu, xrefs: 00FA4A6F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 84558129202e02ab0e26badab146f832dcef51c96398ccdf932705a516cd1dd1
Instruction ID: 4844c1a13d1e979ef8e6185e9c9014be76801a3aa8b03f8289a150f1e822ca1d
Opcode Fuzzy Hash: 84558129202e02ab0e26badab146f832dcef51c96398ccdf932705a516cd1dd1
Instruction Fuzzy Hash: 5831D271A00109AFDB10DF54C981EAA7BF8EF49318F1480A9F908DB352DBB5ED45DBA1

Function 00FC41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FC424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FC4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FC4271

Strings

msctls_trackbar32, xrefs: 00FC4226

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: cfabb8449f954dcfce33adc1689eeace506d79970e5adde5e2b7e3f883490e14
Instruction ID: 465048f63100eb6ea05ee6fa38592b6844e21c97ee6df602f2d24b839a014652
Opcode Fuzzy Hash: cfabb8449f954dcfce33adc1689eeace506d79970e5adde5e2b7e3f883490e14
Instruction Fuzzy Hash: 19110632640209BEEF215F28CC07FEB3BACEF85B64F010118FA55E2090D271EC51AB10

Function 00F92F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F36B57: _wcslen.LIBCMT ref: 00F36B6A

Part of subcall function 00F92DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F92DC5
Part of subcall function 00F92DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F92DD6
Part of subcall function 00F92DA7: GetCurrentThreadId.KERNEL32 ref: 00F92DDD
Part of subcall function 00F92DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F92DE4

GetFocus.USER32 ref: 00F92F78

Part of subcall function 00F92DEE: GetParent.USER32(00000000), ref: 00F92DF9

GetClassNameW.USER32(?,?,00000100), ref: 00F92FC3
EnumChildWindows.USER32(?,00F9303B), ref: 00F92FEB

Strings

%s%d, xrefs: 00F92FFF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 6a68c89fbe8085b73ebcd8546853e00f036716ad7b9169833f39c134f5de0ce7
Instruction ID: 200ea05bc1e4f80ba94e9b98c556b933312176d9683331a85250cf9e566f82d0
Opcode Fuzzy Hash: 6a68c89fbe8085b73ebcd8546853e00f036716ad7b9169833f39c134f5de0ce7
Instruction Fuzzy Hash: A311E4716002096BDF407F708D8AEED776AAF84314F048075FA0DDB252DE349909BB60

Function 00FC5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FC58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FC58EE
DrawMenuBar.USER32(?), ref: 00FC58FD

Strings

0, xrefs: 00FC588F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 573cc8977f69ed65c0a571b3cf34a373d0c8fab1f1382853aaae8be3cb254093
Instruction ID: 971f4f2c90204e3e6f23c67cea8fdbb261c62d5bc6b4651536b7eb0faea4cce1
Opcode Fuzzy Hash: 573cc8977f69ed65c0a571b3cf34a373d0c8fab1f1382853aaae8be3cb254093
Instruction Fuzzy Hash: 0B018B32900219EEDB209F11DD46FAEBBB8FB45761F048099E848D6151DB309A88FF20

Function 00F8D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F8D3BF
FreeLibrary.KERNEL32 ref: 00F8D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00F8D3B9
X64, xrefs: 00F8D2A8

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: d27686f5e2e605ed7376e409a77e64eabd7294ef8a0285a6022128f787e478d3
Instruction ID: 172dc952ed4a04bd7e07173994fe51fc9cdf407a610ba4be07aa4342d8d01dc6
Opcode Fuzzy Hash: d27686f5e2e605ed7376e409a77e64eabd7294ef8a0285a6022128f787e478d3
Instruction Fuzzy Hash: D6F0AB33C02622EBD33232118C59FE9B310AF00701F598119F80AE30C5DB20CD40B3C2

Function 00F9007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c007c858b434a6ad71b7f3f90c97feccc5e6965d9e7f80df4d1452e8f26b85
Instruction ID: 37154d77f25197aa91f4d7bfe25a4a65b797ddb586c17450675e663f5d632791
Opcode Fuzzy Hash: 91c007c858b434a6ad71b7f3f90c97feccc5e6965d9e7f80df4d1452e8f26b85
Instruction Fuzzy Hash: 2FC11B75A0021AEFEB14CF94C894EAEB7B5FF48714F208598E505EB251DB31DD81EB90

Function 00F63E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F63F0B
__alldvrm.LIBCMT ref: 00F6410C
__alldvrm.LIBCMT ref: 00F6412E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 3ed389782f5bb65d5dc2de8273a291c3a6ba9efb038f9df5db23cccda3cf183f
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 69A18E72E00356AFDB26DF18CC917AEBBF4EF62360F14416DE5559B282C238AD81E750

Function 00FB342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FB3459
CoUninitialize.OLE32 ref: 00FB3463
VariantInit.OLEAUT32(?), ref: 00FB346E
VariantClear.OLEAUT32(?), ref: 00FB371B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: c335a1eb7459a300141b77ba537fac270589e995cd7a3faf4680db86eed4106d
Instruction ID: b39d47d2208e0af4756d68bfe410d5ffb296b27c51d78dcfbf7e9ea675f45a70
Opcode Fuzzy Hash: c335a1eb7459a300141b77ba537fac270589e995cd7a3faf4680db86eed4106d
Instruction Fuzzy Hash: 94A16D756043009FCB14EF29C985A5AB7E5FF88720F088859F9499B362DB34ED01EF91

Function 00F90436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FCFC08,?), ref: 00F905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FCFC08,?), ref: 00F90608
CLSIDFromProgID.OLE32(?,?,00000000,00FCCC40,000000FF,?,00000000,00000800,00000000,?,00FCFC08,?), ref: 00F9062D
_memcmp.LIBVCRUNTIME ref: 00F9064E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 92ae87863a495b29ef2d9bcff8561358fd805c13720f4551e46a7b9b59f57a4f
Instruction ID: 3be96a316969fd47948b5f153b0480f2a9617160e179b2de2673cb55748e5ac8
Opcode Fuzzy Hash: 92ae87863a495b29ef2d9bcff8561358fd805c13720f4551e46a7b9b59f57a4f
Instruction Fuzzy Hash: 2B810671A00109EFDF04DF94C984EEEB7B9FF89315F244598E506AB250DB71AE06DB60

Function 00F71391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F714C0

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 45dd52bc277abc44171b19370028dbc6b263b63f58575fd09b55dbae38520e62
Instruction ID: 05494fe114e7ecd7b13d5a6bf4f518c400be1d326ba01e6b5c6a21c075082c78
Opcode Fuzzy Hash: 45dd52bc277abc44171b19370028dbc6b263b63f58575fd09b55dbae38520e62
Instruction Fuzzy Hash: A3414B72A001006BDB25EFBC9C46AAE3AA5FF42770F14C267F91DD3191E678484D7263

Function 00FC6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FC62E2
ScreenToClient.USER32(?,?), ref: 00FC6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FC6382

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1b5d700d0dfe11628755d150dddcad2f4e95233dacf4b28a84ffc6fe2c5469d2
Instruction ID: bf83720ceec6ca5109f84a9acb3aaa16d93d31e14db46e4f098114a5e3102ec3
Opcode Fuzzy Hash: 1b5d700d0dfe11628755d150dddcad2f4e95233dacf4b28a84ffc6fe2c5469d2
Instruction Fuzzy Hash: 35512974A0424AAFCF24DF54DA82EAE7BB5EB85360F10815DF855D7290D730ED41EB90

Function 00FB1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FB1AFD
WSAGetLastError.WSOCK32 ref: 00FB1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FB1B8A
WSAGetLastError.WSOCK32 ref: 00FB1B94

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: e88621152209e5ef7fa380af039d79caa9ebe4d1dc63a2c984a63505037064aa
Instruction ID: f063d57c0ef76b605c32fc25a43d85fd37c5de1175585ab9d38cb90267ea0ecc
Opcode Fuzzy Hash: e88621152209e5ef7fa380af039d79caa9ebe4d1dc63a2c984a63505037064aa
Instruction Fuzzy Hash: 7B41D175600200AFE720AF20CC86F6A7BE5AB84728F54C44CFA1A9F7D2D776DD419B90

Function 00F6B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de933fc2a69f588e7fa42309e840968b18bd5b12c63ab7d53002d7bd5fb337b
Instruction ID: 6c3c73fe338719740ba25122972b498e1e4f57cf0753cbb5d6e54ddd09d620c5
Opcode Fuzzy Hash: 5de933fc2a69f588e7fa42309e840968b18bd5b12c63ab7d53002d7bd5fb337b
Instruction Fuzzy Hash: AD415C71A00314BFD724EF38CC41BAA7BE9EB84720F10852EF546DB282D775A941A790

Function 00FA56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FA5783
GetLastError.KERNEL32(?,00000000), ref: 00FA57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FA57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FA57FA

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 988a562bf4042f3a6119665eaa9470cb38901522df2337f4ac197d54f6682959
Instruction ID: c4d1088c09934395c5e1108c997bcbc14161476c46c18b3feec1b7880874e4b1
Opcode Fuzzy Hash: 988a562bf4042f3a6119665eaa9470cb38901522df2337f4ac197d54f6682959
Instruction Fuzzy Hash: FA415079600614DFCF14EF15C545A5DBBE1EF49720F188488E94AAB365CB38FD00EB91

Function 00F6D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F56D71,00000000,00000000,00F582D9,?,00F582D9,?,00000001,00F56D71,8BE85006,00000001,00F582D9,00F582D9), ref: 00F6D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F6D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F6D9AB
__freea.LIBCMT ref: 00F6D9B4

Part of subcall function 00F63820: RtlAllocateHeap.NTDLL(00000000,?,01001444,?,00F4FDF5,?,?,00F3A976,00000010,01001440,00F313FC,?,00F313C6,?,00F31129), ref: 00F63852

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 610af1e008eadf5144d6936ea13cbe5f498beccbecf8cccf8deb520ec823ef2e
Instruction ID: 343bbbc2808ad964d4fa05fa913f449d35f20d184cc2418da1e1659ab40003a4
Opcode Fuzzy Hash: 610af1e008eadf5144d6936ea13cbe5f498beccbecf8cccf8deb520ec823ef2e
Instruction Fuzzy Hash: DF31AD72E0020AABDB249F65DC45EAF7BA5EB41760B054168FC08D7250EB39DD54EBA0

Function 00FC52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00FC5352
GetWindowLongW.USER32(?,000000F0), ref: 00FC5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FC5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FC53A8

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f330c96ec31f7fac195330eb1ec34079432ea5c990695ea256f4224f2cfc17e2
Instruction ID: 2f15c45d5230e1203f65f9ccce4913eeb304e6964b833b42361a5eee89fab928
Opcode Fuzzy Hash: f330c96ec31f7fac195330eb1ec34079432ea5c990695ea256f4224f2cfc17e2
Instruction Fuzzy Hash: 4831F431F55A4AAFEB349A54CE07FE83763AB04BA0F584109FA54861D1C7B5B9C0BB41

Function 00F9AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00F9ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F9AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F9AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00F9ACC6

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ac7fb27e375aa883a92a70b4d75d9b030f516400b4c1bf5d635df5d49db35795
Instruction ID: 705542e6f9446113ed645ee0f96bda573398a2957e515c6cd753d3285f1a216b
Opcode Fuzzy Hash: ac7fb27e375aa883a92a70b4d75d9b030f516400b4c1bf5d635df5d49db35795
Instruction Fuzzy Hash: FE310530E04718AFFF35CB658C05BFA7BA5AB89321F04471AE4859A1D1C379C985B7E2

Function 00FC7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FC769A
GetWindowRect.USER32(?,?), ref: 00FC7710
PtInRect.USER32(?,?,00FC8B89), ref: 00FC7720
MessageBeep.USER32(00000000), ref: 00FC778C

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 57f80ab76b4b377d76344c180b6a67b8dfdbd0873dc88378e98086c01b204c0e
Instruction ID: 2706c54389c97afd460ffaaf5805b87cd334c78682ba863188766b506fab85a8
Opcode Fuzzy Hash: 57f80ab76b4b377d76344c180b6a67b8dfdbd0873dc88378e98086c01b204c0e
Instruction Fuzzy Hash: 53419F34A0531AAFCB11EF68CA86FA9BBF4BF48310F1440ACE4549B251C335E941EF90

Function 00FC16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FC16EB

Part of subcall function 00F93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F93A57
Part of subcall function 00F93A3D: GetCurrentThreadId.KERNEL32 ref: 00F93A5E
Part of subcall function 00F93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F925B3), ref: 00F93A65

GetCaretPos.USER32(?), ref: 00FC16FF
ClientToScreen.USER32(00000000,?), ref: 00FC174C
GetForegroundWindow.USER32 ref: 00FC1752

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: eaac3cd5f3c66db447d64c0b11e089de4fce33e396c2a38ec1774a330176d5e2
Instruction ID: c81cc2dbdc9121c65e2ef24a6afc1ade7a166ade41c80ec209fe53d5728002a5
Opcode Fuzzy Hash: eaac3cd5f3c66db447d64c0b11e089de4fce33e396c2a38ec1774a330176d5e2
Instruction Fuzzy Hash: B9316FB5D00209AFCB04EFA9C981DAEBBF9EF49314B5080A9E415E7212D735DE45DFA0

Function 00F9DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

_wcslen.LIBCMT ref: 00F9DFCB
_wcslen.LIBCMT ref: 00F9DFE2
_wcslen.LIBCMT ref: 00F9E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00F9E018

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: bd3810c524ad59ebd9cfe2612d2f8b080efeabe3405ec71a774e892958f45910
Instruction ID: f4baf9ce8b74a74d5755c9aa9d13bdbced03fed78760c7b16fd475423d02ae74
Opcode Fuzzy Hash: bd3810c524ad59ebd9cfe2612d2f8b080efeabe3405ec71a774e892958f45910
Instruction Fuzzy Hash: 0521E571D00214AFDF20DFA8CD82B6EB7F8EF85720F144065E905BB245D6749E45EBA1

Function 00F9D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F9D501
Process32FirstW.KERNEL32(00000000,?), ref: 00F9D50F
Process32NextW.KERNEL32(00000000,?), ref: 00F9D52F
CloseHandle.KERNEL32(00000000), ref: 00F9D5DC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2ebc3bda44476cb4995eaabe391839b9d0b2850b133ccec874c7adc05233b6f6
Instruction ID: b480a7dcbcd31ad065d48cf73f78da5fd6c4033d5d583559a1c02ec4f9b1769d
Opcode Fuzzy Hash: 2ebc3bda44476cb4995eaabe391839b9d0b2850b133ccec874c7adc05233b6f6
Instruction Fuzzy Hash: C53193711083009FD700EF54CC81AAFBBE8EFD9364F54092DF585871A1EBB19949EB92

Function 00FC8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

GetCursorPos.USER32(?), ref: 00FC9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F87711,?,?,?,?,?), ref: 00FC9016
GetCursorPos.USER32(?), ref: 00FC905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F87711,?,?,?), ref: 00FC9094

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6ec8b9c1d8a60871e04ae01a5d36c1ceff41918a6dbb61b24890c8a92ddd5717
Instruction ID: da46561950884c40e9e33c2e754a0a8d6e17880cfdd9a247b78716adc36e45a0
Opcode Fuzzy Hash: 6ec8b9c1d8a60871e04ae01a5d36c1ceff41918a6dbb61b24890c8a92ddd5717
Instruction Fuzzy Hash: 4321A135A04018FFDB268FA4C95AFFA7BB9EF89360F044059F90547261C3759990FBA0

Function 00F9D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FCCB68), ref: 00F9D2FB
GetLastError.KERNEL32 ref: 00F9D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F9D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FCCB68), ref: 00F9D376

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 97040ad723ebd0b6d1df70264071991255904af57961bbcc0e5cf465db70b37a
Instruction ID: df3759248d71d8651e3de0c0996159e0b962174c1ad243e89a264bb905beadce
Opcode Fuzzy Hash: 97040ad723ebd0b6d1df70264071991255904af57961bbcc0e5cf465db70b37a
Instruction Fuzzy Hash: 8F21A370908201DF9B00DF24C981CAA77E4EF95375F604A1DF499C32A1D731D946EB93

Function 00F91571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F9102A
Part of subcall function 00F91014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F91036
Part of subcall function 00F91014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91045
Part of subcall function 00F91014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F9104C
Part of subcall function 00F91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F91062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F915BE
_memcmp.LIBVCRUNTIME ref: 00F915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F91617
HeapFree.KERNEL32(00000000), ref: 00F9161E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d1903b948c66c0b1005c146cb2111eef9e686bca703b2126e95ed651a1df688e
Instruction ID: bc1e9651343886d12b2cced1c69e201e80e31b4ea2c2869d1f33eb5c388694b6
Opcode Fuzzy Hash: d1903b948c66c0b1005c146cb2111eef9e686bca703b2126e95ed651a1df688e
Instruction Fuzzy Hash: 6D219D31E4010AEFEF10DFA5C945BEEB7B8FF44354F094469E445AB241E730AA05EBA0

Function 00FC2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FC280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FC2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FC2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FC2840

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 325732e0f0628f7227ae079c9ff64e2a70b7e823c72626831a1ab47b00dfe133
Instruction ID: 90ae92ab2bbb8444204a605236d93b3d63febed4131398b61940ba9cb78cca3c
Opcode Fuzzy Hash: 325732e0f0628f7227ae079c9ff64e2a70b7e823c72626831a1ab47b00dfe133
Instruction Fuzzy Hash: 04212131204112AFD7549B24CD82FAA7B95EF85324F18810CF42A8B6E2CB75FC42DBD0

Function 00F978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F98D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F9790A,?,000000FF,?,00F98754,00000000,?,0000001C,?,?), ref: 00F98D8C
Part of subcall function 00F98D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00F98DB2
Part of subcall function 00F98D7D: lstrcmpiW.KERNEL32(00000000,?,00F9790A,?,000000FF,?,00F98754,00000000,?,0000001C,?,?), ref: 00F98DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F98754,00000000,?,0000001C,?,?,00000000), ref: 00F97923
lstrcpyW.KERNEL32(00000000,?), ref: 00F97949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F98754,00000000,?,0000001C,?,?,00000000), ref: 00F97984

Strings

cdecl, xrefs: 00F9797B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9b618a4198559dddece548d39cc884744039edb8c99d4eb98ce79ad4ffc92b4b
Instruction ID: e13d125cff2f83cdf12a088fd1d69fa4a3122f83991e28a52f1150d143969185
Opcode Fuzzy Hash: 9b618a4198559dddece548d39cc884744039edb8c99d4eb98ce79ad4ffc92b4b
Instruction Fuzzy Hash: 8911E43A600305ABDF156F35DC45E7A77A5EF85390B10402AE906C7264EB319801E791

Function 00FC7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00FC7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FC7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FC7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FAB7AD,00000000), ref: 00FC7D6B

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 295fcb37e195882e8fa669e50a33072c1c41f015a857531f4bb5b80e677a9ed1
Instruction ID: a53be2344b31aa2d7f78641576fc39fdd5d3c63e610d7c18ee23b33130be92a0
Opcode Fuzzy Hash: 295fcb37e195882e8fa669e50a33072c1c41f015a857531f4bb5b80e677a9ed1
Instruction Fuzzy Hash: 03118C32A0461AAFCB11AF28DD05FA63BA5AF45370F154728F83AD72E0D7319950EF90

Function 00FC5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00FC56BB
_wcslen.LIBCMT ref: 00FC56CD
_wcslen.LIBCMT ref: 00FC56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FC5816

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 4301e5a4e433cdb4d53ad7624915f3e51e9b435dbd8b98dbd768a32db469c1bc
Instruction ID: 8c60a03d432a708cd8b4a1ad98ebe73b7198d40cbb72a1d0bc8aa6cc3799e551
Opcode Fuzzy Hash: 4301e5a4e433cdb4d53ad7624915f3e51e9b435dbd8b98dbd768a32db469c1bc
Instruction Fuzzy Hash: 9211D571A0060A96DF20DB618E86FEE376CAF10B74B10406EF905D6081D774E6C4EB60

Function 00F61D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb6ea86a290ccee9b4b18be5c4b283ace8d800d54dfbcf5921a7fec86086f47
Instruction ID: 9c926f2455beb7f684b1754dfe9e0aa6b6c3b1a63d7bb371e58c5cf6df541965
Opcode Fuzzy Hash: deb6ea86a290ccee9b4b18be5c4b283ace8d800d54dfbcf5921a7fec86086f47
Instruction Fuzzy Hash: 4201D6B2A05A1A3EF62126786CC1F27762CEF817B8F380326F521522D2DB658C007170

Function 00F91A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F91A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F91A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F91A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F91A8A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c95f1ae0b62abc97e428861f6881a217368176324097ae8309ec52497de6acfe
Instruction ID: 5b26874d3c5382e2365daeaecf66708e7217bf2de0668d02d439aedbe5874252
Opcode Fuzzy Hash: c95f1ae0b62abc97e428861f6881a217368176324097ae8309ec52497de6acfe
Instruction Fuzzy Hash: DF11F73AD01219FFEF119BA5CD85FADBB78FB08750F2000A1EA04B7290D6756E50EB94

Function 00F9E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F9E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00F9E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F9E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F9E24D

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 37d9a2322d1752aa4faca06535714c8d71d04dbca4bf3bf6fe426e3b1a74a177
Instruction ID: 1921e3bad3547f460dbda3462876c3ce3b452763af2d3c0434ef616eea5ba6e2
Opcode Fuzzy Hash: 37d9a2322d1752aa4faca06535714c8d71d04dbca4bf3bf6fe426e3b1a74a177
Instruction Fuzzy Hash: 08112672D04258BFDB11DFA8AC0AE9E7FACEB45320F148215F928E3281D6B5CD0497A0

Function 00F5D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F5CFF9,00000000,00000004,00000000), ref: 00F5D218
GetLastError.KERNEL32 ref: 00F5D224
__dosmaperr.LIBCMT ref: 00F5D22B
ResumeThread.KERNEL32(00000000), ref: 00F5D249

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: e543ae07f896ad487517e44655f8596fc7cd91413d29793d6ba16a916d5713fd
Instruction ID: e88086efaff1f943ff6face9ff8ae7ec90e14cbe71837f784065366db93005c4
Opcode Fuzzy Hash: e543ae07f896ad487517e44655f8596fc7cd91413d29793d6ba16a916d5713fd
Instruction Fuzzy Hash: A201F9768066087BD7315BA5DC05FAE7A69DF81332F100259FE25921D0DB75C909F7E0

Function 00FC9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F49BB2

GetClientRect.USER32(?,?), ref: 00FC9F31
GetCursorPos.USER32(?), ref: 00FC9F3B
ScreenToClient.USER32(?,?), ref: 00FC9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00FC9F7A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 807a31659244b3d523127e8e04aafbda2f249ef1444096f0afa1c2d3614a3ff9
Instruction ID: 8b8e8524542221f470c02f9840c8587ae4f7304e5a95da9b74b65fa5a59deff6
Opcode Fuzzy Hash: 807a31659244b3d523127e8e04aafbda2f249ef1444096f0afa1c2d3614a3ff9
Instruction Fuzzy Hash: D711183290411AEBDB11DF68DA8AEEE77B9FB45311F000459F911E3140D775BA81EBA1

Function 00F3600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F3604C
GetStockObject.GDI32(00000011), ref: 00F36060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F3606A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 02f35ae8e1257679a0184536f9dff1ab0e26630b06375459997c9135c8245870
Instruction ID: 3d0c240a2a2bfcd2c35ad5f9558606803bbad6230347ea99749be680023897f3
Opcode Fuzzy Hash: 02f35ae8e1257679a0184536f9dff1ab0e26630b06375459997c9135c8245870
Instruction Fuzzy Hash: 4C116DB2501508BFEF164FA49D46EEABB69EF093B4F044216FA1892110D736DC60FBA0

Function 00F53B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F53B56

Part of subcall function 00F53AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F53AD2
Part of subcall function 00F53AA3: ___AdjustPointer.LIBCMT ref: 00F53AED

_UnwindNestedFrames.LIBCMT ref: 00F53B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F53B7C
CallCatchBlock.LIBVCRUNTIME ref: 00F53BA4

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 0c88a69af704ad1c8f587265d49967e995174b32f1cfcedfa479e9d3c69af7bc
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: A6012932500148BBDF125E99CC42EEB3B69EF887A9F044014FF4896121C736E965EBA0

Function 00F63073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F313C6,00000000,00000000,?,00F6301A,00F313C6,00000000,00000000,00000000,?,00F6328B,00000006,FlsSetValue), ref: 00F630A5
GetLastError.KERNEL32(?,00F6301A,00F313C6,00000000,00000000,00000000,?,00F6328B,00000006,FlsSetValue,00FD2290,FlsSetValue,00000000,00000364,?,00F62E46), ref: 00F630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F6301A,00F313C6,00000000,00000000,00000000,?,00F6328B,00000006,FlsSetValue,00FD2290,FlsSetValue,00000000), ref: 00F630BF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 14e61367aea5ce794db5bc23aff2e5a84b8ebd65705f29ca6036771b69a4475f
Instruction ID: bf14876d1139bb4fa61cf9e37d8b4c7e771b245d9707dfa6b38a28994ea76be0
Opcode Fuzzy Hash: 14e61367aea5ce794db5bc23aff2e5a84b8ebd65705f29ca6036771b69a4475f
Instruction Fuzzy Hash: 3101F732701226BBCB314B79AC45E677B98EF45BB9B100720F909E3140C721D909E6E0

Function 00F97464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F9747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F97497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F974CA

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 120ac3b9d499ae46067795d1c0a6b4050c884f0d13dfc1d7a682a2dd8fd85c23
Instruction ID: 218c2d95ff1a4f2a4597e9fcdf24f7476090667effa338d39bdc6cb4327dbbf3
Opcode Fuzzy Hash: 120ac3b9d499ae46067795d1c0a6b4050c884f0d13dfc1d7a682a2dd8fd85c23
Instruction Fuzzy Hash: BE117CB1615314DBFB20DF19DD09F927BB8EB00B00F108569E61AD7192D770E904AB90

Function 00F9B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F9ACD3,?,00008000), ref: 00F9B126

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: bb53a9da0ab159c19e107a50e9bf73054b1c5af7597a3e5445d04957fa461273
Instruction ID: 9fe8d4fdb16d49c5076d3f6a9e7d471c27c3a49995ee0732e7db330947261856
Opcode Fuzzy Hash: bb53a9da0ab159c19e107a50e9bf73054b1c5af7597a3e5445d04957fa461273
Instruction Fuzzy Hash: C0115B31C0162CE7DF00AFE5EA69AEEBF78FF49711F114095D941B3181CB305690AB91

Function 00FC7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FC7E33
ScreenToClient.USER32(?,?), ref: 00FC7E4B
ScreenToClient.USER32(?,?), ref: 00FC7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FC7E8A

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: f4b712aacbdd29a9b24b8243c8c37e898a9bfc144ea35193784846a031a42314
Instruction ID: c0d0f4b62357bcf0236d9d663ba72efadd93a437388e007cdc9d813510399999
Opcode Fuzzy Hash: f4b712aacbdd29a9b24b8243c8c37e898a9bfc144ea35193784846a031a42314
Instruction Fuzzy Hash: 9A1143B9D0020AAFDB41DF98C985AEEBBF5FF08310F505056E915E3210D735AA55DF90

Function 00F92DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F92DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F92DD6
GetCurrentThreadId.KERNEL32 ref: 00F92DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F92DE4

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 44e4dbd15b1b616dd9f7fb305a2cb2d33b23498a9e6252eeb57a4e60a5161bc9
Instruction ID: 144dee92e64faa8a6624549b5f151be75f179b1a7d99048983155b2a260a818c
Opcode Fuzzy Hash: 44e4dbd15b1b616dd9f7fb305a2cb2d33b23498a9e6252eeb57a4e60a5161bc9
Instruction Fuzzy Hash: 2CE065715012287AEB2017639D0EFE73E5CEF42B61F000015F109D20409AA18445F6F0

Function 00FC8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F49693
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496A2
Part of subcall function 00F49639: BeginPath.GDI32(?), ref: 00F496B9
Part of subcall function 00F49639: SelectObject.GDI32(?,00000000), ref: 00F496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FC8887
LineTo.GDI32(?,?,?), ref: 00FC8894
EndPath.GDI32(?), ref: 00FC88A4
StrokePath.GDI32(?), ref: 00FC88B2

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 95405e36052e4e5ad9e37b7c1c0df9d0fc9e25b668cc719f878a003f69f3baf9
Instruction ID: 9b63ccc69464b041c584f1f44f85084b2d9998bae0e21f412e6f42e7b647afa8
Opcode Fuzzy Hash: 95405e36052e4e5ad9e37b7c1c0df9d0fc9e25b668cc719f878a003f69f3baf9
Instruction Fuzzy Hash: 0AF05E36045259FADB225F94AD0AFDE3F59AF06310F048004FA55A60E1C7B95511EFE5

Function 00F498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F498CC
SetTextColor.GDI32(?,?), ref: 00F498D6
SetBkMode.GDI32(?,00000001), ref: 00F498E9
GetStockObject.GDI32(00000005), ref: 00F498F1

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 96552f8f42157becf96a02fbaa393c25dfad74ce8a45c905fd37aa6f158082d6
Instruction ID: 5c1c4ceddffb8e5fd02ad80ee2e231ab27fad2f1d231e62b30bd7e67d193f91e
Opcode Fuzzy Hash: 96552f8f42157becf96a02fbaa393c25dfad74ce8a45c905fd37aa6f158082d6
Instruction Fuzzy Hash: B0E06531644284AEDB216B75BD0AFD93F10AB51735F188219F6FD590E1C3718640BB10

Function 00F9162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F91634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F911D9), ref: 00F9163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F911D9), ref: 00F91648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F911D9), ref: 00F9164F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bca393a582915906600dd5a68e5298d5218136badb4826c3382f8c126f5301ba
Instruction ID: fe12c3bd0f2ca3a3df0fe1b138b698db01c2aa7ecb957ea13cd944e2b6fa2322
Opcode Fuzzy Hash: bca393a582915906600dd5a68e5298d5218136badb4826c3382f8c126f5301ba
Instruction Fuzzy Hash: FBE08671E41215DBEB201FA0AF0EF863B7CBF847A1F184818F249CA080D6358441E790

Function 00F8D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F8D858
GetDC.USER32(00000000), ref: 00F8D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F8D882
ReleaseDC.USER32(?), ref: 00F8D8A3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 674cf15e36a41e750dc82351f9c6450270ee939679fdbaa66f429d474ec3ba35
Instruction ID: 76a214a5b8b12438c8e0a5f1706fcfd5792bfbbde9d2bf25199ea6c5332c53dd
Opcode Fuzzy Hash: 674cf15e36a41e750dc82351f9c6450270ee939679fdbaa66f429d474ec3ba35
Instruction Fuzzy Hash: 1EE09AB5840209DFCB41AFA4DA0DA6DBBB5FB48311F148459E84EE7250C7399942BF90

Function 00F8D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F8D86C
GetDC.USER32(00000000), ref: 00F8D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F8D882
ReleaseDC.USER32(?), ref: 00F8D8A3

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a7a1b9e512ac22d0ca4b0a8023fe0e2fc676f5e90cf111d13c9f0095ab054513
Instruction ID: 1162f6728b65c86691595b0d65a79818ae836713465b2b0507efc878af7135cc
Opcode Fuzzy Hash: a7a1b9e512ac22d0ca4b0a8023fe0e2fc676f5e90cf111d13c9f0095ab054513
Instruction Fuzzy Hash: CCE092B5C00208EFCB51AFA4DA0DA6DBBB5BB48311F148449E94EE7250CB399902BF90

Function 00F3BBE0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F3BEB3

Strings

D%, xrefs: 00F3BC2F
D%, xrefs: 00F3BC28

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%$D%
API String ID: 1385522511-485025506
Opcode ID: 3738c92ba9d45e618168756cf39bff34c91476b95b40f9e89446452b06fb443b
Instruction ID: 2e8cdb7c856792cddef04331c4262e98887227b240044b8142f20c7b13a7833d
Opcode Fuzzy Hash: 3738c92ba9d45e618168756cf39bff34c91476b95b40f9e89446452b06fb443b
Instruction Fuzzy Hash: A1911B75E00206DFCB28CF59C0A16A9B7F1FF58325F24416EDA85AB351D731E981EB90

Function 00FA4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F37620: _wcslen.LIBCMT ref: 00F37625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FA4ED4

Strings

LPT, xrefs: 00FA4DFB
*, xrefs: 00FA4E10

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 7d059b9218b6b2828ee26413ae2b59708fc7b2e4b65e02b4a684006e5f319b03
Instruction ID: 11a1675128611ebb7451a58e27779045c30c2c71d7ce061ed7b57ee7681c0533
Opcode Fuzzy Hash: 7d059b9218b6b2828ee26413ae2b59708fc7b2e4b65e02b4a684006e5f319b03
Instruction Fuzzy Hash: 409161B5A00204DFCB14DF58C485EAABBF1BF85314F198099E80A9F3A2C775ED85DB91

Function 00F5E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F5E30D

Strings

pow, xrefs: 00F5E2E5, 00F5E302

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 023a1bf50456337be355d760fd0149bb4c13f172e2e70535d91bca03659d9005
Instruction ID: 0d9bc7823350ded7b9a10e338e7994d098e8451abdb5872f95de85bef107a9db
Opcode Fuzzy Hash: 023a1bf50456337be355d760fd0149bb4c13f172e2e70535d91bca03659d9005
Instruction Fuzzy Hash: F3518E61E0C30196CB197724CD0137A7F94AB60766F304D99E8D5422EDEB358DCDBB86

Function 00F4E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F4E1B1

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f3e5af226cf4744c9ab6cd4a4d3835e92b1ac4f052f4ae7ea07c1a292d5f91e9
Instruction ID: b01389cc9061adf678ca0a7a0d2c8c4b74af5ce210c5fa4434a6d370a628fe42
Opcode Fuzzy Hash: f3e5af226cf4744c9ab6cd4a4d3835e92b1ac4f052f4ae7ea07c1a292d5f91e9
Instruction Fuzzy Hash: 2C51F235E04246DFDB15EF28C8816FE7BA8FF55320F244055ECA19B290D7789E42EB90

Function 00F4F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F4F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F4F2BB

Strings

@, xrefs: 00F4F2AF

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9bc0238f8b4b1e576644f9e1fb9be883e4f1d92a634d6e1db54c38277f40d65d
Instruction ID: 9d882b8d41fcdfa7a3181e5d1932858686253ff690acd0059ad2a47548e15605
Opcode Fuzzy Hash: 9bc0238f8b4b1e576644f9e1fb9be883e4f1d92a634d6e1db54c38277f40d65d
Instruction Fuzzy Hash: B95137B140C7489BD320AF11DC86BAFBBF8FB84310F81885DF2D952195EB748529DB66

Function 00FB5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00FB57E0
_wcslen.LIBCMT ref: 00FB57EC

Strings

CALLARGARRAY, xrefs: 00FB57E6, 00FB57EB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: eb7963c0d8d822eb4a5f9bbb43f35146e48251c90f0c454a802ef1d44ef1416a
Instruction ID: 3dc8b9b62c3fb12eed21150cdf7ad36c66e92bbe5f23d8a3675c98f87961abe0
Opcode Fuzzy Hash: eb7963c0d8d822eb4a5f9bbb43f35146e48251c90f0c454a802ef1d44ef1416a
Instruction Fuzzy Hash: A3419F31E002099FCB14DFAAC882AEEBBB5EF59724F144029E505A7251E778DD81EF90

Function 00FAD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FAD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FAD13A

Strings

|, xrefs: 00FAD10B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: f0b2c2aea5d41ad610cb2ebcc6b8f947a6f40f55f3303617beefbfe8ba816bab
Instruction ID: 3c3e24b0e313a9c1e000d4691af83ae882838879d596ca375fcbaa8b9e5a803f
Opcode Fuzzy Hash: f0b2c2aea5d41ad610cb2ebcc6b8f947a6f40f55f3303617beefbfe8ba816bab
Instruction Fuzzy Hash: 97313E71D00109EBDF15EFA4CC85AEE7FB9FF05310F104019F815A6161D735AA46EB64

Function 00FC356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FC3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FC365C

Strings

static, xrefs: 00FC35BC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e2fa6d4dc0f2ddd3037a41476570ff1f58b4449d553257c94c457f374668d50a
Instruction ID: 46ca52c30f9570053b24cda39dde9094edb9ffdc4d396e4e760663fc571b7610
Opcode Fuzzy Hash: e2fa6d4dc0f2ddd3037a41476570ff1f58b4449d553257c94c457f374668d50a
Instruction Fuzzy Hash: 3C318171510205AADB10DF68DC42FFB73A9FF88760F00961DF99597280DA35AD81EB60

Function 00FC4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00FC461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FC4634

Strings

', xrefs: 00FC458E

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 324617a1965e0b82d2be3681b3fc854bdd4fd450c0dda0cc8d465c66b9bf87fe
Instruction ID: 04f453ed61a9012287b9bdcc55f16a289f42a13e948bd65ad1ac080fcd153758
Opcode Fuzzy Hash: 324617a1965e0b82d2be3681b3fc854bdd4fd450c0dda0cc8d465c66b9bf87fe
Instruction Fuzzy Hash: FF313975A0020A9FDB14CF69CA91FDABBB5FF49310F14446AE904AB385D770A941EF90

Function 00FC31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FC327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FC3287

Strings

Combobox, xrefs: 00FC3249

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: dc7d7178ff97b112af1062aa60839d8961a44e29976a54a82e3781722ab77d2e
Instruction ID: 4bb80e7008905cd6f0f185c6a15de268f17b467753a9be9f46b4d57226114778
Opcode Fuzzy Hash: dc7d7178ff97b112af1062aa60839d8961a44e29976a54a82e3781722ab77d2e
Instruction Fuzzy Hash: A811E27170020A7FEF219E54DD82FFB376AEB943B4F108128F91897290D631DD51A760

Function 00FC3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F3604C
Part of subcall function 00F3600E: GetStockObject.GDI32(00000011), ref: 00F36060
Part of subcall function 00F3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F3606A

GetWindowRect.USER32(00000000,?), ref: 00FC377A
GetSysColor.USER32(00000012), ref: 00FC3794

Strings

static, xrefs: 00FC3757

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1b4ed17c5977778253c9847517f4f4d82e76bf56a07dcb303d6501dae21fe7b4
Instruction ID: 01ebc738c8433eca1ebe2cf1e88fe83e12f8cc202819dc8302e5fbe443551ee9
Opcode Fuzzy Hash: 1b4ed17c5977778253c9847517f4f4d82e76bf56a07dcb303d6501dae21fe7b4
Instruction Fuzzy Hash: 1B1129B261020AAFDB01DFA8CD46EEA7BB8EF08354F004918F955E3250D735E951AB50

Function 00FACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FACDA6

Strings

<local>, xrefs: 00FACD66

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1efb0971847ed22c4c3ef3e778e2f9957dd375969a73a2059a4a0a5b2b057621
Instruction ID: d9033af4d6d3a068badd62f66f0eda61cdae57e31349da8564ea043a804d582b
Opcode Fuzzy Hash: 1efb0971847ed22c4c3ef3e778e2f9957dd375969a73a2059a4a0a5b2b057621
Instruction Fuzzy Hash: 8411A3B26156367AD7244B668C45FE7BE6CEF137B4F004226F12983180D7609840E6F0

Function 00FC3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00FC34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FC34BA

Strings

edit, xrefs: 00FC348F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 0ebcd1a0647b91604b7dbbdb0a63db337530fa9ef2efa46dfb82da7d6a0d713f
Instruction ID: 3e72d1efa666c4e6ac74ba070b69db7176abe74a72a9df096bbf22fa3de285b2
Opcode Fuzzy Hash: 0ebcd1a0647b91604b7dbbdb0a63db337530fa9ef2efa46dfb82da7d6a0d713f
Instruction Fuzzy Hash: 3F11BF7150010AABEB168F64DE42FEB376AEB053B4F508328F964931D4C736DD51BB50

Function 00F96C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

CharUpperBuffW.USER32(?,?,?), ref: 00F96CB6
_wcslen.LIBCMT ref: 00F96CC2

Strings

STOP, xrefs: 00F96CBC, 00F96CC1

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 7037d3262c2765224f4b3c141a971d56b61d883d949c79d045520ee352b5c99c
Instruction ID: 40d850fc4dd9e01afce3b2102aa4ac832e267dab023be549c44c86cd99108c35
Opcode Fuzzy Hash: 7037d3262c2765224f4b3c141a971d56b61d883d949c79d045520ee352b5c99c
Instruction Fuzzy Hash: 95010432A045278ADF219FBDDC819BF37A4EE60720B000525F862D3190EA75E840E650

Function 00F91CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F91D4C

Strings

ListBox, xrefs: 00F91D16
ComboBox, xrefs: 00F91CEB

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ace332fe397bd5fc68e2fcc80f3b7d09884bf3a1cfce263f8df272968cf13764
Instruction ID: b3a8068ee0d18b4b04a8bb5850bda1e2aefa452bcf7da58f7c97388acd5997b4
Opcode Fuzzy Hash: ace332fe397bd5fc68e2fcc80f3b7d09884bf3a1cfce263f8df272968cf13764
Instruction Fuzzy Hash: FB012831E04219AB9F08EBA0CD11DFE73A8FF423A0F00051AF922573D1EAB45908F660

Function 00F91BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F91C46

Strings

ListBox, xrefs: 00F91C10
ComboBox, xrefs: 00F91BE5

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d22880e4433ba87f5eab090a903db8bd02279c2b7da883cd020772b1280a807e
Instruction ID: 455b3196ffa1e9e4dda661e818fbe137dfd2925e5240b3dc813e3d95be3543c8
Opcode Fuzzy Hash: d22880e4433ba87f5eab090a903db8bd02279c2b7da883cd020772b1280a807e
Instruction Fuzzy Hash: 0701F771A8810966EF04EB90CE52EFF77A8AF51350F100029B90663281EAA59E08F6B1

Function 00F91C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F91CC8

Strings

ListBox, xrefs: 00F91C94
ComboBox, xrefs: 00F91C69

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a546058634786fc42cd2f0f6d160e090df38f67543e6b43c2d1a330d3b465847
Instruction ID: efd387868d3981526ff41e826e1f807a56a92cf20bcde10fc1b08d2af3da6922
Opcode Fuzzy Hash: a546058634786fc42cd2f0f6d160e090df38f67543e6b43c2d1a330d3b465847
Instruction Fuzzy Hash: B601A775B4411966DF04E790CE01AFE77A8AF11350F540025B90573281EAA49F08F671

Function 00F91D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F39CB3: _wcslen.LIBCMT ref: 00F39CBD

Part of subcall function 00F93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F93CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F91DD3

Strings

ListBox, xrefs: 00F91DA0
ComboBox, xrefs: 00F91D75

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f4b579fabfa515b30d32df19aef31b0cab2f032b20b8ef0c2b72c2a1a47c28ba
Instruction ID: 965e39a0fb02353086f94202bf488538f1ce6cb4876726f328dcf4cc98abb5dd
Opcode Fuzzy Hash: f4b579fabfa515b30d32df19aef31b0cab2f032b20b8ef0c2b72c2a1a47c28ba
Instruction Fuzzy Hash: 1FF0F471A4421966EF04E7A4CD52FFE77A8BF41360F040926B922A32C1DAE4990CA2A0

Function 00FB747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FB7493
_wcslen.LIBCMT ref: 00FB74B9

Strings

3, 3, 16, 1, xrefs: 00FB7483

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 2371fb37b72f348a23aceaa28538e4b891f1b6702e596a54f3188ea55ef53470
Instruction ID: a88b14117881bc444a12f04ff2ceaedf2d26917dce0a07c57a68b0c9a7af1d1c
Opcode Fuzzy Hash: 2371fb37b72f348a23aceaa28538e4b891f1b6702e596a54f3188ea55ef53470
Instruction Fuzzy Hash: 3EE02B06A04320E09331327BDCC29BF7689CFC5762710182BFE81C2266EA98DDD1B3A1

Function 00F90B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F90B23

Strings

Error allocating memory., xrefs: 00F90B1C
AutoIt, xrefs: 00F90B17

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 30fb6949e7a4d8b51af2d068c94a8e1e28b54db00b03e0a3285093dd1fba63b2
Instruction ID: 3bffe48aaabe928ba1d8c17a70365d6a4517bac35ffc52aa5ede24b31d18bf3f
Opcode Fuzzy Hash: 30fb6949e7a4d8b51af2d068c94a8e1e28b54db00b03e0a3285093dd1fba63b2
Instruction Fuzzy Hash: DEE0D8312443083AD21437547D03FC97E848F05F21F10042AFB9C959C38EE6649036E9

Function 00F50D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F4F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F50D71,?,?,?,00F3100A), ref: 00F4F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00F3100A), ref: 00F50D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F3100A), ref: 00F50D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F50D7F

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 8e258f0e16443c7adc37d65c1d7d48f0d40a7357dd90576b763490de58492a6a
Instruction ID: d8f19f91606a04279657718a7caebcbbbb70cdfd4c7b74361df04726444c09b9
Opcode Fuzzy Hash: 8e258f0e16443c7adc37d65c1d7d48f0d40a7357dd90576b763490de58492a6a
Instruction Fuzzy Hash: 42E06D702003418BD3309FB8DA05B82BBF0AF00741F00892DE986C7656DFB9E44CAB91

Function 00FA3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FA302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FA3044

Strings

aut, xrefs: 00FA3038

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 86ab9fcdbfd95065f24c0c177adc42a6765273236df75a6d7e307cc73427dc52
Instruction ID: 5fd49ccb54fad145c54ea93e5c068728c20152ae94c8e4b4b43d6195310f80f3
Opcode Fuzzy Hash: 86ab9fcdbfd95065f24c0c177adc42a6765273236df75a6d7e307cc73427dc52
Instruction Fuzzy Hash: FDD05E7250032C67DA20E7A4AD0EFDB3A6CDB04750F0002A1B659E30A1DAB4D984CAD0

Function 00F8D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F8D220

Strings

X64, xrefs: 00F8D2A8
%.3d, xrefs: 00F8D22B

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d40b073e54bc2aa37d24d9c43ed005dfb1834f2e07e27fff0907c3f6b23d0bac
Instruction ID: 31203d498f5cfe12c2427302e164e10b8d4915e3da72cbf3302a72d895cd4282
Opcode Fuzzy Hash: d40b073e54bc2aa37d24d9c43ed005dfb1834f2e07e27fff0907c3f6b23d0bac
Instruction Fuzzy Hash: 80D06262C49119F9CB50BAD4DD4AEF9B77CEF59341F508452FD0AD2080D628D5487761

Function 00FC2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FC236C
PostMessageW.USER32(00000000), ref: 00FC2373

Part of subcall function 00F9E97B: Sleep.KERNELBASE ref: 00F9E9F3

Strings

Shell_TrayWnd, xrefs: 00FC2365

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4768484a9c454a9331a02d43dd86a2b938f11b3f1f10fa0d32872b687691a449
Instruction ID: c2a51021c431737ce0207b6e84e449734411e9f03029dcceb887d7b07198b14b
Opcode Fuzzy Hash: 4768484a9c454a9331a02d43dd86a2b938f11b3f1f10fa0d32872b687691a449
Instruction Fuzzy Hash: 43D0C9327813147AE664B7719E0FFC676149B04B14F004916B74AEA1E0C9A4A801AA94

Function 00FC2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FC232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FC233F

Part of subcall function 00F9E97B: Sleep.KERNELBASE ref: 00F9E9F3

Strings

Shell_TrayWnd, xrefs: 00FC2325

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 79b903cc82d38c3216d47125392fd4b8aff05f3270197776ad1ae4264b531914
Instruction ID: f9bbeba68b68980550c66e8ee35171ead03d99d67503762cc617969e5b009a5e
Opcode Fuzzy Hash: 79b903cc82d38c3216d47125392fd4b8aff05f3270197776ad1ae4264b531914
Instruction Fuzzy Hash: BDD0C936794314B6E664B7719E0FFD67A149B00B14F004916B74AEA1E0C9A4A801AA94

Function 00F6BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F6BE93
GetLastError.KERNEL32 ref: 00F6BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F6BEFC

Memory Dump Source

Source File: 00000000.00000002.2497668437.0000000000F31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000000.00000002.2497551460.0000000000F30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FCC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2497943414.0000000000FF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498155136.0000000000FFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2498228778.0000000001004000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: aa605880860a04613c2cb0492c8aa5807a3ea2aa1d593daab5a73f34587878ed
Instruction ID: c61bfd96316b9ab7ee47d7bccf754ee254a42abc415ce1a205446e4adc5a56ad
Opcode Fuzzy Hash: aa605880860a04613c2cb0492c8aa5807a3ea2aa1d593daab5a73f34587878ed
Instruction Fuzzy Hash: 17410635A04206AFCF218FA5CC44BBA7BA5EF51320F144169F959DB1B1DB318C85FB60

Source: Joe Sandbox View	IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 23.44.133.57 23.44.133.57

Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /ppsecure/deviceaddcredential.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 7642Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4775Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4710Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4775Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4775Host: login.live.com
Source: global traffic	HTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 51.124.78.146
Source: unknown	TCP traffic detected without corresponding DNS query: 51.124.78.146
Source: unknown	TCP traffic detected without corresponding DNS query: 51.124.78.146
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 51.124.78.146
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 51.124.78.146
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 51.124.78.146
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 51.124.78.146
Source: unknown	TCP traffic detected without corresponding DNS query: 51.124.78.146
Source: unknown	TCP traffic detected without corresponding DNS query: 51.124.78.146
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.76
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.76
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.76
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.76
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bc6CtTpXTMAAZX4&MD=+7Vvyzgs HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=bc6CtTpXTMAAZX4&MD=+7Vvyzgs HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\1e3aa896-79e9-4e37-8cc0-2d513c39b4b6.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\430dfcb9-cf19-4e76-b1ab-75fa27c079d3.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\46666afe-26d7-4aa1-93e9-67eeedd6a750.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\54321731-e14e-481e-86fd-9faf279b4386.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\c8881dda-bd4b-4ca5-806f-3152e23da470.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CDFC8E-1B28.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CDFC8F-12C8.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\007bdf9d-32d5-46dc-8026-ea04ef039bdc.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\1325f8b3-d282-4d45-b7d7-24c3a08e034e.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\275430f7-1f81-4309-a71e-8bd29de34161.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\477983c4-6fec-4d81-8488-247c11ba8ed4.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\47f826ca-7d4f-48a1-9c26-109b6adc4f1b.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\5055eadf-8703-4466-a20a-5a6b1ce1cfa7.tmp

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre