Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1500131
MD5:	0f6e42568e2e9bcb953e5b0c17c5bb11
SHA1:	978cd202710711fb80a6ef59185429a9873ad538
SHA256:	2f75aacea07851e0995882ab103708362678370e688dc20dc25f77af5a5c94d3
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0F6E42568E2E9BCB953E5B0C17C5BB11)

msedge.exe (PID: 6024 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6848 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2044,i,14278123788458138025,17047087662670107384,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4228 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2604 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7676 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7176 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7684 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=3432 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5532 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8308 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2792 --field-trial-handle=2756,i,5864555387051878363,12206127654319733192,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8756 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1832 --field-trial-handle=2756,i,5864555387051878363,12206127654319733192,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9124 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8404 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=2244,i,5339968493123961597,1908552746602800898,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9060 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2572 --field-trial-handle=2244,i,5339968493123961597,1908552746602800898,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: file.exe, 00000000.00000002.3271213323.0000000001260000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3271213323.0000000001230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_10.6.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_10.6.dr	String found in binary or memory: https://azureedge.net
Source: Reporting and NEL.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: data_10.6.dr	String found in binary or memory: https://msn.com
Source: file.exe, 00000000.00000002.3271119525.0000000001070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/passwordC:
Source: Web Data.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49752 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0093EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0093EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0093ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0093ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0093EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0092AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0092AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00959576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00959576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2001472982.0000000000982000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_965ff4f4-6
Source: file.exe, 00000000.00000000.2001472982.0000000000982000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_184406cc-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f8fc4673-4
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fcf58193-f

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0092D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0092D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00921201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00921201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0092E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0092E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00932046	0_2_00932046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C8060	0_2_008C8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00928298	0_2_00928298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FE4FF	0_2_008FE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F676B	0_2_008F676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00954873	0_2_00954873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008ECAA0	0_2_008ECAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CCAF0	0_2_008CCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DCC39	0_2_008DCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F6DD9	0_2_008F6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C91C0	0_2_008C91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DB119	0_2_008DB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E1394	0_2_008E1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E1706	0_2_008E1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E781B	0_2_008E781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E19B0	0_2_008E19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008C7920	0_2_008C7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008D997D	0_2_008D997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E7A4A	0_2_008E7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E7CA7	0_2_008E7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E1C77	0_2_008E1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F9EEE	0_2_008F9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094BE44	0_2_0094BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E1F32	0_2_008E1F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008E0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008DF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 008C9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.evad.winEXE@71/318@12/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009337B5 GetLastError,FormatMessageW,

0_2_009337B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009210BF AdjustTokenPrivileges,CloseHandle,		0_2_009210BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009216C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009351CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0094A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0094A67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0093648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0093648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008C42A2

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\7a920a7e-7965-4944-b6db-4882bfe2b747.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2044,i,14278123788458138025,17047087662670107384,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7176 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=3432 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2792 --field-trial-handle=2756,i,5864555387051878363,12206127654319733192,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1832 --field-trial-handle=2756,i,5864555387051878363,12206127654319733192,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=2244,i,5339968493123961597,1908552746602800898,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2572 --field-trial-handle=2244,i,5339968493123961597,1908552746602800898,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2044,i,14278123788458138025,17047087662670107384,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7176 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=3432 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7176 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=3432 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2792 --field-trial-handle=2756,i,5864555387051878363,12206127654319733192,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1832 --field-trial-handle=2756,i,5864555387051878363,12206127654319733192,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=2244,i,5339968493123961597,1908552746602800898,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2572 --field-trial-handle=2244,i,5339968493123961597,1908552746602800898,262144 /prefetch:8

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008C42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E0A76 push ecx; ret

0_2_008E0A89

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008DF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00951C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00951C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97299

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6609

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe TID: 5748

Thread sleep time: -66090s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6609 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0092DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FC2A2 FindFirstFileExW,	0_2_008FC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009368EE FindFirstFileW,FindClose,	0_2_009368EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0093698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0092D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0092D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0092D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00939642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00939642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00939B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00939B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00935C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00935C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008C42DE

Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Web Data.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.12.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Web Data.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Web Data.12.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-97399

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0093EAA2 BlockInput,

0_2_0093EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008F2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008C42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E4CE8 mov eax, dword ptr fs:[00000030h]

0_2_008E4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00920B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00920B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008F2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008E083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E09D5 SetUnhandledExceptionFilter,	0_2_008E09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008E0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00921201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00902BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00902BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0092B226 SendInput,keybd_event,

0_2_0092B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009422DA

Source: C:\Users\user\Desktop\file.exe

0_2_00920B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00921663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00921663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E0698 cpuid

0_2_008E0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00938195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00938195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0091D27A GetUserNameW,

0_2_0091D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008FB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_008FB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008C42DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00941204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00941204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00941806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00941806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://bzib.nelreports.net/api/report?cat=bingbusiness	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://msn.com	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://www.office.com/Office	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
https://myaccount.google.com/signinoptions/passwordC:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	unknown
s-part-0039.t-0009.t-msedge.net	13.107.246.67	true	false	unknown
bzib.nelreports.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bzib.nelreports.net/api/report?cat=bingbusiness	false	URL Reputation: safe	unknown
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://msn.com	data_10.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://www.office.com/Office	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://myaccount.google.com/signinoptions/passwordC:	file.exe, 00000000.00000002.3271119525.0000000001070000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.67	s-part-0039.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.251.40.206	unknown	United States	15169	GOOGLEUS	false
142.250.64.68	unknown	United States	15169	GOOGLEUS	false
142.250.80.99	unknown	United States	15169	GOOGLEUS	false
172.253.122.84	unknown	United States	15169	GOOGLEUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
23.54.161.105	unknown	United States	20940	AKAMAI-ASN1EU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.251.32.110	unknown	United States	15169	GOOGLEUS	false
20.96.153.111	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500131
Start date and time:	2024-08-27 23:34:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@71/318@12/12
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 42 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 173.194.76.84, 13.107.21.239, 204.79.197.239, 13.107.6.158, 2.19.126.152, 2.19.126.145, 142.250.185.131, 142.250.186.131, 2.23.209.185, 2.23.209.186, 2.23.209.177, 2.23.209.179, 2.23.209.176, 2.23.209.135, 2.23.209.182, 2.23.209.187, 2.23.209.183, 104.115.83.107, 104.115.83.49, 104.115.83.90, 104.115.83.97, 104.115.83.74, 104.115.83.106, 104.115.83.43, 104.115.83.66, 104.115.83.96, 216.58.206.35, 216.58.206.67, 199.232.214.172, 192.229.221.95, 142.250.65.227, 142.250.80.3, 142.251.32.99
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, accounts.google.com, bzib.nelreports.net.akamaized.net, fonts.gstatic.com, ctldl.windowsupdate.com, b-0005.b-msedge.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, edgeassetservice.azureedge.net, azureedge-t-prod.trafficmanager.net, business.bing.com, dual-a-0036.a-msedge.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
23:35:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
23:35:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	file.exe	Get hash	malicious	Unknown	Browse
	San Xavier District of the Tohono O#U2019odham Nation.pdf	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
23.54.161.105	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	RmwvP67C7X.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Babadeda	Browse
	file.exe	Get hash	malicious	Babadeda	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
239.255.255.250	https://newbostondentalcare-my.sharepoint.com/:b:/g/personal/maryellen_newbostondental_com/ERDvxS5UJSxPtXyWuklCyAMBDYWal6mJXrTJHUf_OfHqfg?e=5l0sTu	Get hash	malicious	Phisher	Browse
	https://bx1f04.na1.hubspotlinks.com/Ctc/2D+113/bX1F04/VWNJB36hmH_dW5B6f4M3tvNPkW6wcfC_5kfpqkN8pR4CT3qn9gW8wLKSR6lZ3lWW4RH0pD8cfc9fW1F_Bh_64Dbx_W8NP5442K_JLsW7VR2DZ6lXzbTW28cFfX9gXt3BW7kls0H2y2hq_W3ngTnJ28DTx_W6DvQHq8CwpszW2lLgbg3Q_MrpW2nSqGh8-5CjqW8mVvJw37-m1FW7tfJZm8wSKY9W920ndF61Cm7DW9fdnsh4qV1mzW6pLzrc94r10SW7SD62m3Qvv5jW87mYgh1YRjnYVKpmxr6B_xWTW3fp6Zx8jLGfWW7jL-y0457X8VN1TltTwsBPcYW7WJ-FL8qLjSdW7qm5WN8GZBkfW95bMcn6zJPqCVf27963J_4FxV1TfBP8XznlQW4GzPL-176L_NW72HRpV192F4df1YJ3TM04	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://ketoryyby.cloud	Get hash	malicious	Unknown	Browse
	https://www.gxtfinance.com/english.php	Get hash	malicious	Unknown	Browse
	DOC-71275297.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://2n8w.app.link/?~channel=Email&~feature=ConfirmationEmail--BenerailETicket&~campaign=WebToApp&~tags=locale%3Dnl_NL&~tags=version%3D1&~tags=marketing_code%3DBSH3675&$android_url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.thetrainline%26hl%3Dnl-NL&$android_deepview=false&$android_passive_deepview=false&$ios_url=https%3A%2F%2Fitunes.apple.com%2FNL%2Fapp%2Fthetrainline%2Fid334235181&$ios_deepview=false&$ios_passive_deepview=false&$fallback_url=//pub-f6244fe9c7374698a595b626f3787308.r2.dev/serverDCCCCCCC.html#mhebert@vib.tech	Get hash	malicious	HTMLPhisher	Browse
	DOC-80697077.pdf	Get hash	malicious	HTMLPhisher	Browse
	infected.html	Get hash	malicious	HTMLPhisher	Browse
13.107.246.67	San Xavier District of the Tohono O#U2019odham Nation.pdf	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://www.coredc.com	Get hash	malicious	Unknown	Browse
	http://esc-dot-wind-blade-416540.uk.r.appspot.com	Get hash	malicious	HTMLPhisher	Browse
	OneCasino.xlsx	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	6rfHnQpz6K.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0039.t-0009.t-msedge.net	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.67
	http://www.coredc.com	Get hash	malicious	Unknown	Browse	13.107.246.67
	http://esc-dot-wind-blade-416540.uk.r.appspot.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.67
	OneCasino.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.67
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.67
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.67
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.67
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.67
	6rfHnQpz6K.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.67
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.67
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://newbostondentalcare-my.sharepoint.com/:b:/g/personal/maryellen_newbostondental_com/ERDvxS5UJSxPtXyWuklCyAMBDYWal6mJXrTJHUf_OfHqfg?e=5l0sTu	Get hash	malicious	Phisher	Browse	52.98.177.2
	https://bx1f04.na1.hubspotlinks.com/Ctc/2D+113/bX1F04/VWNJB36hmH_dW5B6f4M3tvNPkW6wcfC_5kfpqkN8pR4CT3qn9gW8wLKSR6lZ3lWW4RH0pD8cfc9fW1F_Bh_64Dbx_W8NP5442K_JLsW7VR2DZ6lXzbTW28cFfX9gXt3BW7kls0H2y2hq_W3ngTnJ28DTx_W6DvQHq8CwpszW2lLgbg3Q_MrpW2nSqGh8-5CjqW8mVvJw37-m1FW7tfJZm8wSKY9W920ndF61Cm7DW9fdnsh4qV1mzW6pLzrc94r10SW7SD62m3Qvv5jW87mYgh1YRjnYVKpmxr6B_xWTW3fp6Zx8jLGfWW7jL-y0457X8VN1TltTwsBPcYW7WJ-FL8qLjSdW7qm5WN8GZBkfW95bMcn6zJPqCVf27963J_4FxV1TfBP8XznlQW4GzPL-176L_NW72HRpV192F4df1YJ3TM04	Get hash	malicious	Unknown	Browse	150.171.28.10
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.42
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	DOC-71275297.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	DOC-80697077.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	San Xavier District of the Tohono O#U2019odham Nation.pdf	Get hash	malicious	Unknown	Browse	52.108.66.1
	San Xavier District of the Tohono O#U2019odham Nation.pdf	Get hash	malicious	Unknown	Browse	52.108.66.1
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	http://www.coredc.com	Get hash	malicious	Unknown	Browse	13.107.246.67
CLOUDFLARENETUS	https://newbostondentalcare-my.sharepoint.com/:b:/g/personal/maryellen_newbostondental_com/ERDvxS5UJSxPtXyWuklCyAMBDYWal6mJXrTJHUf_OfHqfg?e=5l0sTu	Get hash	malicious	Phisher	Browse	172.67.215.161
	https://bx1f04.na1.hubspotlinks.com/Ctc/2D+113/bX1F04/VWNJB36hmH_dW5B6f4M3tvNPkW6wcfC_5kfpqkN8pR4CT3qn9gW8wLKSR6lZ3lWW4RH0pD8cfc9fW1F_Bh_64Dbx_W8NP5442K_JLsW7VR2DZ6lXzbTW28cFfX9gXt3BW7kls0H2y2hq_W3ngTnJ28DTx_W6DvQHq8CwpszW2lLgbg3Q_MrpW2nSqGh8-5CjqW8mVvJw37-m1FW7tfJZm8wSKY9W920ndF61Cm7DW9fdnsh4qV1mzW6pLzrc94r10SW7SD62m3Qvv5jW87mYgh1YRjnYVKpmxr6B_xWTW3fp6Zx8jLGfWW7jL-y0457X8VN1TltTwsBPcYW7WJ-FL8qLjSdW7qm5WN8GZBkfW95bMcn6zJPqCVf27963J_4FxV1TfBP8XznlQW4GzPL-176L_NW72HRpV192F4df1YJ3TM04	Get hash	malicious	Unknown	Browse	104.16.160.168
	is it legal to kill a peacock in california 93889.js	Get hash	malicious	GookitLoader	Browse	188.114.96.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	http://ketoryyby.cloud	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.gxtfinance.com/english.php	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	x64_x32_installer__v4.4.9.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
AKAMAI-ASN1EU	https://newbostondentalcare-my.sharepoint.com/:b:/g/personal/maryellen_newbostondental_com/ERDvxS5UJSxPtXyWuklCyAMBDYWal6mJXrTJHUf_OfHqfg?e=5l0sTu	Get hash	malicious	Phisher	Browse	23.54.139.47
	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.38
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.197.127.21
	San Xavier District of the Tohono O#U2019odham Nation.pdf	Get hash	malicious	Unknown	Browse	72.247.153.153
	San Xavier District of the Tohono O#U2019odham Nation.pdf	Get hash	malicious	Unknown	Browse	23.46.238.97
	file.exe	Get hash	malicious	Unknown	Browse	23.55.235.170
	file.exe	Get hash	malicious	Vidar	Browse	23.197.127.21
	https://kjppartners.cmfr.cloud/	Get hash	malicious	HTMLPhisher	Browse	172.233.57.59
	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.57
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://newbostondentalcare-my.sharepoint.com/:b:/g/personal/maryellen_newbostondental_com/ERDvxS5UJSxPtXyWuklCyAMBDYWal6mJXrTJHUf_OfHqfg?e=5l0sTu	Get hash	malicious	Phisher	Browse	52.98.177.2
	https://bx1f04.na1.hubspotlinks.com/Ctc/2D+113/bX1F04/VWNJB36hmH_dW5B6f4M3tvNPkW6wcfC_5kfpqkN8pR4CT3qn9gW8wLKSR6lZ3lWW4RH0pD8cfc9fW1F_Bh_64Dbx_W8NP5442K_JLsW7VR2DZ6lXzbTW28cFfX9gXt3BW7kls0H2y2hq_W3ngTnJ28DTx_W6DvQHq8CwpszW2lLgbg3Q_MrpW2nSqGh8-5CjqW8mVvJw37-m1FW7tfJZm8wSKY9W920ndF61Cm7DW9fdnsh4qV1mzW6pLzrc94r10SW7SD62m3Qvv5jW87mYgh1YRjnYVKpmxr6B_xWTW3fp6Zx8jLGfWW7jL-y0457X8VN1TltTwsBPcYW7WJ-FL8qLjSdW7qm5WN8GZBkfW95bMcn6zJPqCVf27963J_4FxV1TfBP8XznlQW4GzPL-176L_NW72HRpV192F4df1YJ3TM04	Get hash	malicious	Unknown	Browse	150.171.28.10
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.42
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	DOC-71275297.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	DOC-80697077.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	San Xavier District of the Tohono O#U2019odham Nation.pdf	Get hash	malicious	Unknown	Browse	52.108.66.1
	San Xavier District of the Tohono O#U2019odham Nation.pdf	Get hash	malicious	Unknown	Browse	52.108.66.1
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	http://www.coredc.com	Get hash	malicious	Unknown	Browse	13.107.246.67

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://bx1f04.na1.hubspotlinks.com/Ctc/2D+113/bX1F04/VWNJB36hmH_dW5B6f4M3tvNPkW6wcfC_5kfpqkN8pR4CT3qn9gW8wLKSR6lZ3lWW4RH0pD8cfc9fW1F_Bh_64Dbx_W8NP5442K_JLsW7VR2DZ6lXzbTW28cFfX9gXt3BW7kls0H2y2hq_W3ngTnJ28DTx_W6DvQHq8CwpszW2lLgbg3Q_MrpW2nSqGh8-5CjqW8mVvJw37-m1FW7tfJZm8wSKY9W920ndF61Cm7DW9fdnsh4qV1mzW6pLzrc94r10SW7SD62m3Qvv5jW87mYgh1YRjnYVKpmxr6B_xWTW3fp6Zx8jLGfWW7jL-y0457X8VN1TltTwsBPcYW7WJ-FL8qLjSdW7qm5WN8GZBkfW95bMcn6zJPqCVf27963J_4FxV1TfBP8XznlQW4GzPL-176L_NW72HRpV192F4df1YJ3TM04	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	DOC-71275297.pdf	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	https://2n8w.app.link/?~channel=Email&~feature=ConfirmationEmail--BenerailETicket&~campaign=WebToApp&~tags=locale%3Dnl_NL&~tags=version%3D1&~tags=marketing_code%3DBSH3675&$android_url=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dcom.thetrainline%26hl%3Dnl-NL&$android_deepview=false&$android_passive_deepview=false&$ios_url=https%3A%2F%2Fitunes.apple.com%2FNL%2Fapp%2Fthetrainline%2Fid334235181&$ios_deepview=false&$ios_passive_deepview=false&$fallback_url=//pub-f6244fe9c7374698a595b626f3787308.r2.dev/serverDCCCCCCC.html#mhebert@vib.tech	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	DOC-80697077.pdf	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	infected.html	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	infected.html	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	New Document from Highland Township Building Department.html	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	https://sysadmononnu.ru/BW0W/	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24068
Entropy (8bit):	6.055065712289867
Encrypted:	false
SSDEEP:	384:RtM7XKnG7EtlXrjYJUoLUJqHsdZsJHaV8NG7kymIWqdFVEQizt9xm5VZ00jGX4KV:LM7X2zt1jKYqHkZeMlPXIQizt9xm5VZy
MD5:	2F3D88CDEE606B297E1E3E7AA787B4B7
SHA1:	DE047CFE57770C2C1A7D5F7796E6F1E20500C4D8
SHA-256:	BAF495E279B443A8645FDC1FCAFE1E2E818A4272867799382940B477A91A39ED
SHA-512:	58C7EE43CE80492CAEB0FEDAF577346DA6B39AD5B2784D39988D009789A8E06621A03BCC106FA17873654DA6DD342DCD31254C6D20E4F41F9FA420698CE1AC70
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\16b15956-486a-4f24-a986-1aad6ac13a11.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3334
Entropy (8bit):	5.602029747574557
Encrypted:	false
SSDEEP:	96:0q8NkC1fDM3FtcOfB+hvedmHI7Jk/cuSDS4S4SDSs1I4a:/8Nb5M3FtZ4HIdk/nQ
MD5:	BB84CE562D8FB95ED6C88532927A44FC
SHA1:	FABE2D0DF4A192D7F85A731EFCBE0D55BB179004
SHA-256:	3E18C7B345B806473A606436B92AB77D281587C2661933C85A8691D0B1A2F92D
SHA-512:	D70E96F421AA2D1B62768D7B6344E43587FA76587D946CE5CDF9B46D2673530FE2FE3A6074F31737039E0D7B82A02C4EC5D777DA2AD0B93CB57F27604176E24E
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"policy":{"last_statist

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\301f0f04-1448-4445-b0c9-e7239fb90a05.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4234
Entropy (8bit):	5.489943727526894
Encrypted:	false
SSDEEP:	96:0q8NkGS1fDM3Ftc58rh/cI9URoDoto/tB+hvedmHI7Jk/cuSDS4S4SDSs1I4a:/8NBS5M3FtteoDU04HIdk/nQ
MD5:	A5360C43576B7D1D642E94F819B2389A
SHA1:	9015C1DC52550ED9CDDF3F8B6F192EC4977037D1
SHA-256:	96A0D05431AA5E9CD8D5B0A2284E023AAFE554A3B8F589FE209C24D36E35C6DB
SHA-512:	C54DEAEF7E3EA537D1E7022CD008BF9AD2EEFF79DD95FD11A27938F2F056554A55B6E0EE0417BEBAC89788A32778FA0DFD1F867644389E919B1D2A2F672B2F89
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GF

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\3397d546-6aa4-4a80-803a-7046983e2934.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2957
Entropy (8bit):	5.578707347020847
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afDMaPWFSwShdO6kHB+ItGdrxvvBsd/dRH56+aJkXvc0dwlRZ:Xq8NkC1fDM3FtcwB+hvedDH5qJk/cPRX
MD5:	189153B71B61FB9D96615BF3618E139E
SHA1:	5A36C14A267C982B2204E2328631E3DD5374BE26
SHA-256:	2D6B491CEDDC32822CF53B1C7D948F3B6916755120CA27C8803879F806223EC2
SHA-512:	53280EC013D1D894A4164077FD2AE540F33AF666C5D898B248CAB3B46C3D8BC85629C244B35860A9D3B5C9D65954AE2E6EA6C4F359E63C4FD43AB92C269595A4
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"policy":{"last_statistics_update":"13369268091412957"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\423315f3-586b-4f7b-acf4-09d59a3de992.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	67758
Entropy (8bit):	6.072799753053495
Encrypted:	false
SSDEEP:	1536:LMSzvKYqstlbScC0fLdF3UP+DbycpjUaqnWyMboQizZm5hy:LMS2dKYbKbBHycp0WypQizZm5hy
MD5:	E5BD99F57D74BF7B7E36F8F873302C5A
SHA1:	081B949765C4E1FC9BB16213475775C382922C8E
SHA-256:	949DE83651C5CBDD5B3B4AF67C48D41D01BA0C9D48C6492BCB78185677DBE2C7
SHA-512:	6ABE559F8D5B2F841E04FECD7537C06BC8E90FF8B59521E24D3BDAF846CF1AF29ED8333C732F54B3609DE37798DE3734E69F25D8FA5CD289B43B7633B23C7E1B
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\831fd321-0bfd-4d69-9daf-4909a7820883.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2957
Entropy (8bit):	5.578707347020847
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afDMaPWFSwShdO6kHB+ItGdrxvvBsd/dRH56+aJkXvc0dwlRZ:Xq8NkC1fDM3FtcwB+hvedDH5qJk/cPRX
MD5:	189153B71B61FB9D96615BF3618E139E
SHA1:	5A36C14A267C982B2204E2328631E3DD5374BE26
SHA-256:	2D6B491CEDDC32822CF53B1C7D948F3B6916755120CA27C8803879F806223EC2
SHA-512:	53280EC013D1D894A4164077FD2AE540F33AF666C5D898B248CAB3B46C3D8BC85629C244B35860A9D3B5C9D65954AE2E6EA6C4F359E63C4FD43AB92C269595A4
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"policy":{"last_statistics_update":"13369268091412957"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\9f5ab39f-0ba2-4158-8aa0-3394a8b4e068.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	67797
Entropy (8bit):	6.072871532533514
Encrypted:	false
SSDEEP:	1536:LMSzvKYqstMbScC0fLdF3UP+DbycpjUaqnWyMboQizZm5hy:LMS2dKfbKbBHycp0WypQizZm5hy
MD5:	B06E57F95155082026798A2C33536B17
SHA1:	F78663A6B74D3E9EF375B76FAE83341784512318
SHA-256:	FBB60A5145DF6B049C38C2E9F5CD1A15849E1375517E4AAA91F1B3C0794EB665
SHA-512:	8A3FEAC1FD97CE3C4DC9DEF9AFF1CE4DF423FFD5061CA7D3DBE617B1073AFB091698D97A9926FF90E55D2E27A5EFC629834E5228F467FF92B357B467317123F2
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640169812365318
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7g:fwUQC5VwBIiElEd2K57P7g
MD5:	D317A1069717AF45FC861714DD0A22C5
SHA1:	35541055A1413A913A3367FBEC466E4B7ABC21A6
SHA-256:	5575BEA8664FF1D946BDF20A229510DB85D24B8722CBFBD0DC77583D93900EF3
SHA-512:	ABDDB701867F9D4322511ED7E2DC8EF0596C11CE6573F0CF1469C527B27CD13BADCA877E53050200FFAF4CC0269CDAA1AF4B885A1BE30364C44026DBD89667F3
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\db4ea3ad-184b-4f57-92f8-17dac850b0c2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640169812365318
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7g:fwUQC5VwBIiElEd2K57P7g
MD5:	D317A1069717AF45FC861714DD0A22C5
SHA1:	35541055A1413A913A3367FBEC466E4B7ABC21A6
SHA-256:	5575BEA8664FF1D946BDF20A229510DB85D24B8722CBFBD0DC77583D93900EF3
SHA-512:	ABDDB701867F9D4322511ED7E2DC8EF0596C11CE6573F0CF1469C527B27CD13BADCA877E53050200FFAF4CC0269CDAA1AF4B885A1BE30364C44026DBD89667F3
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CE467B-1084.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.4486697188619445
Encrypted:	false
SSDEEP:	3072:+GqQKjSx0WFVaXMpfVyYOLDQif3EXPRRHbnhHg1HFuR2qGXPenXRqETrvrejfnrk:SjjKpnhHaHvl9Sw4aH8J23
MD5:	FF331F564DFD221A45983E6594D66625
SHA1:	047AB03D1EC97564658FC572B40364639A99C720
SHA-256:	CBA755F0B3CFB445C6D2A24224CE9EB4C9F713D969110750297C851526B5C724
SHA-512:	EC9BAD169695EE0BE86D3DE3A5C379ED7AE4EB6E31CE9BDF1C77EB5BEA3D627E8924EFF374604F85B0E8E5DF47C780BD5BDB198E4DE089200BECA36EB7435A4A
Malicious:	false
Preview:	...@..@...@.....C.].....@................$...#..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452....x86_64..?........".ysualb20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J....s..^o..J...W..^o..J..,jp..^o..J.......^o..J../T...^o..J...X.p.^o..J.....p.^o..J...c...^o..J...Y...^o..J.......^o..J..w....^o..J...G.Y.^o..J..A....^o..J....c..^o..J...c=..^o..J....J..^o..J...h8..^o..J..3.(..^o..J.......^o..J..!n...^o..J...S@".^o..J.......^o..J.......^o..J...j.8.^o..J..@....^o..J.......^o..J...b.J.^o..J..G....^o..J..8...^o..J...#...^o..J....k..^o..J..S..O.^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CE467B-1788.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.04050243065781808
Encrypted:	false
SSDEEP:	192:TZUjLYiVWK+ggCdlRJtD+FX9XookgV8vYhafvNEfbcRQM9/5Xn8y08Tcm2RGOdB:tUjjlFqRnhIuQV5X08T2RGOD
MD5:	2A1D734E8EDAF826090B4A37600D066F
SHA1:	0F513EA3B9CF291243B4FAC0332E311C1CE26774
SHA-256:	9DAE1709D3BE0EA35696DF5E867CC6BE2D4A7B31956154FEAC59252F0A7C773E
SHA-512:	01BC3313FED295FEEBCB4CED0272C8FBCDDD3F6BBE548DA0EB9EA2C3CC4E147DBE749E270B89B442A88E4DC44665C85694E9AF70C23E578B1533C59CD272A10C
Malicious:	false
Preview:	...@..@...@.....C.].....@................a...P..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".ysualb20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@.................................8..$}.CG....L.T.w..Ucw.}....u.$r....9...>.........."....."...2..."..:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....Zd;..&@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z.......................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.145174893212346
Encrypted:	false
SSDEEP:	3:FiWWltlo8c5f3ViHSRqOFhJXI2EyBl+BVP/Sh/JzvLCu20VI6fBlitl:o1o8c9liyRqsx+BVsJDWRsI6pliX
MD5:	F0EA4F55795ED9222058C607B0AF61D7
SHA1:	F5C613F0BAA0F58D551A4C8F78FAD456CDDE209A
SHA-256:	C8F785587E312A771A91F1D426C9ECC1E1BAC6BB2D51ACDD7556DAB5651B19A2
SHA-512:	E41CFB6ADD47186B06AE7548F370F14A41EABE8B56B5CB852A0BA3AF374212372C23F72EE1590F4722BF241EF87E86F179A9A9E0BD22F536385352C3DBCB4F18
Malicious:	false
Preview:	sdPC....................o.#.%"oJ.)...."1SCRpGKHAwpF5kOwXUUSc/ojBrTkNG2SgkvqW1WE7kI="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................47ed0aa0-cc78-42b4-a140-9cc707d453fd............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\0cdb8624-f31d-4456-9aac-ac1421d7a32e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6527
Entropy (8bit):	4.979985908127492
Encrypted:	false
SSDEEP:	96:st6qfEFis1mb9OSrN8z21ts85eh6Cb7/x+6MhmuecmAe8/Qb2Mk/EJ:st60sOrNkCts88bV+FiA8PkMJ
MD5:	881C86F1A35B58CC65EDC507969415B4
SHA1:	B8934278957F797A760D348F41D7C19DE5045F4E
SHA-256:	124EA2D27D927948E4906C95C82D3ABB7FD2FFCED87904B75F7CFFC86478A53E
SHA-512:	4B2046E11ECAA011D5B1F2FC26D68AA571D3FD290403F759725A4167B78307D5797CCC408F0C74FABD5924A0FD148C868F31F55CA73EC935C0AB48D8A86CAB14
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369268094028485","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369268094029196"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\57867539-7f33-4a34-8921-87470ea51ba2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6425
Entropy (8bit):	4.977974817047452
Encrypted:	false
SSDEEP:	96:st6qfEFis1mb9OSrN8z21ts85eh6Cb7/x+6MhmuecmAe8dQb2Mk/EJ:st60sOrNkCts88bV+FiACPkMJ
MD5:	30D3CE78526F78BF563E2A5DF1325074
SHA1:	4CC2E0F0E67D9ED349EE5161CCAA182FC76C646B
SHA-256:	1476F1253103B0C34952E98098A36D49CE1273644985F37E2586FD00FD8548E8
SHA-512:	CADAA49BB192FF47523F2335F579111A6ED024B473C153924BC6AEF05020F7B6EA0BC5FD3C05CBE04CD4143C2546F6253FD79F1353201416FF9E8B2D86678770
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369268094028485","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369268094029196"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\7460913b-ef39-4495-b818-e3c7458e9b0f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566332880684663
Encrypted:	false
SSDEEP:	768:ia1q+dWPJBf2d8F1+UoAYDCx9Tuqh0VfUC9xbog/OVzWMSXrw/RTpGtuc:ia1q+dWPJBf2du1jaGBSE5ktj
MD5:	F73020241DB74797920FBD95DB1C84EF
SHA1:	93DDB73435681681A953C7F7372FC727A030B98E
SHA-256:	F74435A5270951D91DA9EDA505D9F210D6226F6B9BF5B3BD7D35CAACD8446751
SHA-512:	C058A6B2C4DBE6185BFB0CE58832716B105D6C1084FAE0A3842EF9E3B26009889A2C4D9CACDF67D895ACCEAF72D5AAC0222A0D25DF03B041A9490A6781E3D4C7
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369268092140937","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369268092140937","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	12600
Entropy (8bit):	5.321303384132656
Encrypted:	false
SSDEEP:	192:AgAOEH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNdl:ATOEOKSXs/J7mGnQmLu5/5eNdl
MD5:	7BC5CF01070957B8EE9A81C9F06A1531
SHA1:	440E48A8AA0199B9C589DAD8E1B92FEF32FDDA0E
SHA-256:	388CD8F8FACFC9E93FFA5F81DF25BAF7401655DCA10108E88A727E27BD6DF7A8
SHA-512:	4E10EBE14E879F74A12ACF1F8E50CC9CAFDCBF080390E4F76F39E80E5D57E0FF3CE1BDE71EF2FAA177C61A279863C5A80DFDFB38C8816B56B927B54AEDE30954
Malicious:	false
Preview:	...m.................DB_VERSION.10...................QUERY_TIMESTAMP:arbitration_priority_list4...13369268098700262.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}]..A./..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivilegedExperienceID",.. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",.. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",.. "SHOPPING_AUTO_SHOW_BING_SEARCH",.. "SHOPPING_AUTO_SHOW_REBATES",.. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",.. "SHOPPING_AUTO_SHOW_REBATES_DEACTIVATED",.. "SHOPPING_AUTO_SHOW_REBATES_BING",.. "SHOPPING_AUTO_SHOW_REBATES_ORGANIC",.. "SHOPPING_AUTO_SHOW_PRICE_HIST

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	305
Entropy (8bit):	5.171332425432254
Encrypted:	false
SSDEEP:	6:N7SfHNR1923oH+TcwtOEh1ZB2KLlL7SfHtqM+q2P923oH+TcwtOEh1tIFUv:N7sWYebOEh1ZFL17scM+v4YebOEh16F2
MD5:	F8C9F26271FFBCEFFD5EDED1E813CF2B
SHA1:	A02755F5303C913A2C8A03FE4DCFE097C93CAE92
SHA-256:	D278DC3F98638F5A9B181710CF942AAB424DCBF43184C4BA38E051300EAE81AD
SHA-512:	D712E2EC7238798E7591A7D5641C06CCE35199E3D11EEC7E052A0B039B82AC6701B1EAE3E5D10FB86F5BC5D9849030494140452BEB90D221247D10143C5E9EEC
Malicious:	false
Preview:	2024/08/27-17:34:57.645 b6c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db since it was missing..2024/08/27-17:34:57.681 b6c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.04458875690848441
Encrypted:	false
SSDEEP:	6:/Fii26iCkM/lGA/p21l3Mtwxt5KF+kllAf1bybR/li:dAEG2OEstUFz/0yPi
MD5:	9EA2466813431F16BE629954D49F4B7B
SHA1:	AE6DB469D1D2A31E5EB5E1D177359172BD0AB9C5
SHA-256:	52D112170356DCD5CA8B646FC779A420D65A0CE04FEEABBFE678B51180FCC2CE
SHA-512:	771ED2C1AE0869E2FDB4E68A91CFE99CA87AF2F8B0E43C2912CE1CE3DDE955F51A85F59095D07AC9F9CC9E47B05F20F2CA29E30051866A4853436D2EB0575E2C
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.09572726440199159
Encrypted:	false
SSDEEP:	48:QV4A3es8LHV4XesrA76Q6NUeGNgT3lWp4:QV4A33AV4X3rA+Q6NLGQ3L
MD5:	01E6B121668CDA2996CA07D94354B7B3
SHA1:	9FFA70D150EA7FF5713020B1C2606DB66F8BBA8C
SHA-256:	F809C3FA5E78B17918013366A1626167D37DBDE1B63A0050D9883ECDDA31739E
SHA-512:	43B020C7A57B48916EB84AF2CBDFAF2AD26CA21A221E048D8BEA5A8CD7BFA5BE1A35E2AAACB213163D07388D82F3F15D05FC753FBFCFE0984544695F5B853BEC
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.2832685827262797
Encrypted:	false
SSDEEP:	192:/2OSDleGJZbtMXE2OSDleGJZbtMX9c7JZbtMXUXJZbtMX+7lAFJZbtMFjUqHH:/AwGJtMEAwGJtMqJt0eJt0MCjJtyJ
MD5:	87E5EFD189EF1B088553DBBE5CD9B381
SHA1:	852782B799DB9CF7C228293694BC57608FC326B4
SHA-256:	FAFA26A772A11ACC5C5A011CB627FD98A349866999BE1F0FE3EF738C8C6B31AA
SHA-512:	AD3F9FF408110D767EA9F6B55F9F4046A26387D57F1E9C7E446B31A3F086FF310116AA0FD75DB2A0AC56BF0FDC414E6911B40EECC7D4AC6BFABAA965197AD200
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Fri Aug 2 18:10:34 2024, max compression, original size modulo 2^32 374872
Category:	dropped
Size (bytes):	70207
Entropy (8bit):	7.995911906073242
Encrypted:	true
SSDEEP:	1536:VzseWV/dT2G9zm5w0vgxQUFm6SM6ZYRuB61K+aK+POIwPru:VoNQGIwvs6S9+I6RWPOIwTu
MD5:	9F5A7E038BF08B13BD15338EC7BD4E16
SHA1:	AB69D28EEA9AE289BB86159C341910538CDDE5B9
SHA-256:	BA0BCBBF170ADB0B5119D19D56C2D004579507DFC4A9215BCCC8663C8A486AF8
SHA-512:	48557ECD56DFD2157304FE752E15E44314667EFC79E6C21312723251E4E1F1BF5BE0A76F88F4B4D83FADB9D81BFB1835B1C0E5CFA7B07214A605F58064BB94B1
Malicious:	false
Preview:	.....!.f..asset.....6.0.W..3....[........9m;.....IH.E...j...}.....PR..w.gg.....@.P...?...x....?./.%..Q...x....}..9..e..f.8..Yb@g...i..$...I.......<....k...{..{.Qg..k..q.....i.Y}..._......\?....5 .5 .`..._i'@....H'.f!...x`...f......v.._1w.u.<.........5.:..^.Ua....H6...x....D:.R..L..2.,.s.f.......FE'..%{]-;+.`....N...=\|.:q...9N.k..i.I.8E.i.I.s..Y...8..fe'...Xo...Xo...#.r$N.u2.o.]....^,.k....{E."......Q.N...AY..u.^o.............Z..ce.irN.{.O$.C.......HJ.HJ..J..hOgA.5.nW.\........}E.%-.A."a<..~.[O....~.......xX.G?Y.3O8d8I...&X....V4...0=.iS....].D.L@.YiS...<.W..W+..#mj...p..8^.\U;oV;W`..^..V...G..SC.9.....i%@g.iS=..`..#.H.p.q..E.q...)....).X..M.X.%.,i.%..V..6.nk.@1S@-..Y.6....K.n....:c.My.....h...9..q...f't.iS.v..6D7...d't.iS.v..F.....faG.t.f....lR.J@!l.0O..T.....T2...\.n..-....L..ES.9.:...B..P1@...P.l.fX.aV..Y6.B5......Mt..SS,l..+..J...).i.6......8...:.Z...2.H.8..Z.>.5.Oi..N`:..6.i.n.h.l.e.h.T\.lr...TE+m.T..).D..F..+.6....J...x.`..`.m..H..i....p...v

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulpJ:Ls
MD5:	DC3434258CBDD34E18DAE4D4FCC11D8E
SHA1:	EF0F6DFA41FF20ED249472811AAFB165A5FB1CD1
SHA-256:	5DA49C0689CEC5992638BA93E35DB7D6C62D93944DA1F69C0ED2F93C9F1476A9
SHA-512:	E61C880C6F00D40E07BB9056571E7043726D3716C8240B75697AF263E77ACAE81CC0100197BEA9574D1BA6195307947811BAD8E990B0B060C5BD4D4A8CEBD223
Malicious:	false
Preview:	..........................................KG./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:T+R0QyECv8:yR0Q9P
MD5:	1940927412DE0835EFA2275EBBD4D4B0
SHA1:	A863311D0AAB6861946807A374CF4C29312F8969
SHA-256:	72401EC2ACDA08C2F3FB9026DAC43EFA036FF7AB1D925FD5E12031A71978B232
SHA-512:	E9049E5445426A2FA513AFB423FB001258A3218A10232C4BFBB8FFFA7655D8EF370D82A938A65668A37AB61C9AFC992341E8CBC0983ABA705716807DE83E5F3E
Malicious:	false
Preview:	(.....p.oy retne........................^..KG./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:T+R0QyECv8:yR0Q9P
MD5:	1940927412DE0835EFA2275EBBD4D4B0
SHA1:	A863311D0AAB6861946807A374CF4C29312F8969
SHA-256:	72401EC2ACDA08C2F3FB9026DAC43EFA036FF7AB1D925FD5E12031A71978B232
SHA-512:	E9049E5445426A2FA513AFB423FB001258A3218A10232C4BFBB8FFFA7655D8EF370D82A938A65668A37AB61C9AFC992341E8CBC0983ABA705716807DE83E5F3E
Malicious:	false
Preview:	(.....p.oy retne........................^..KG./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:aFbuTEeXTl:aFqgITl
MD5:	4BD08ADE62EDB43A641F4F550DD29993
SHA1:	44B538223B586119A26F4BCFD643A59240D09BE5
SHA-256:	3049BDC9648ED8DB4BB075D2ADFA8F6A040132BEBC2338E2AC630C5CBEB9444C
SHA-512:	391E37F5466101F068EA8C37A6C1A84B11A6B958AFC0CA1F61FECE7002F6DF45E5998D73786608CDB54E4EF15C4FC7F526CE67A0804EB6B9ED53704BB29C0C32
Malicious:	false
Preview:	(....`..oy retne...........................KG./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:aFbuTEeXTl:aFqgITl
MD5:	4BD08ADE62EDB43A641F4F550DD29993
SHA1:	44B538223B586119A26F4BCFD643A59240D09BE5
SHA-256:	3049BDC9648ED8DB4BB075D2ADFA8F6A040132BEBC2338E2AC630C5CBEB9444C
SHA-512:	391E37F5466101F068EA8C37A6C1A84B11A6B958AFC0CA1F61FECE7002F6DF45E5998D73786608CDB54E4EF15C4FC7F526CE67A0804EB6B9ED53704BB29C0C32
Malicious:	false
Preview:	(....`..oy retne...........................KG./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlwLBlll:Ls3wF
MD5:	74B982E5D4E60D5673E5EE8B7FB19A99
SHA1:	B2329015B754336F41FAF3390EE13763CC6348C0
SHA-256:	5B9F7F686D06A47FC920177F436F0A9911732891A615A3C7266C8178BE518796
SHA-512:	FD4CC2BCE6F599CED126B8BD2BDE3805C5788350A4BFC2DEA2A28ECD585650856FDEE703A30F5568F1B921C48773B3D2CCE7602C2664A21651269C87EBB5C843
Malicious:	false
Preview:	.........................................*.KG./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.354053198035941
Encrypted:	false
SSDEEP:	6144:9A/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:9FdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	78F50CD344835C50ADD3934763074140
SHA1:	BB1CB03BD19E48B85BC5E7648D67D1BC8B60D0D8
SHA-256:	612ACE86CC84F8C9F4CCE50FEEC3D727EB113A382DE19E57B147F032C97EBA38
SHA-512:	3E6DF709867678A20A8EFDCF3E658BD6B070F042FA2DC26D5B3B2AB8C0D26B28D1D977167F8A2FB62745309C5DE3F60447DA0CA699E6004A5C76F39BB2278118
Malicious:	false
Preview:	...m.................DB_VERSION.1,n,.q...............&QUERY_TIMESTAMP:domains_config_gz2...13369268098707843..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.220849657624266
Encrypted:	false
SSDEEP:	6:N7SfHyq1923oH+Tcwtj2WwnvB2KLlL7SfdQL+q2P923oH+Tcwtj2WwnvIFUv:N7saYebjxwnvFL17sdQyv4YebjxwnQF2
MD5:	D5C1F34DC66839F71A3301FA469541A7
SHA1:	D01702F0A70250D791E5E51B7063942C352C61EA
SHA-256:	5AE1EA81882382F4AF74F5CBB9B004D4172CF9CF31010DBD45F5B99B5EC7A7C7
SHA-512:	5F713E19B5749C11A518067BF90BF643EE2ED09EED2C83822F9F3789B3FB817C10330BDB9A739C7798049360AC8AC95DA80601D1667BAA269F963FE952CF8889
Malicious:	false
Preview:	2024/08/27-17:34:57.673 1ba8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db since it was missing..2024/08/27-17:34:57.702 1ba8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358860
Entropy (8bit):	5.324621081989254
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6RX:C1gAg1zfv/
MD5:	880496DC8E498DC14D4C62FF1809444B
SHA1:	49E9D4BB7C62BEB02C5BF1839E70D3FBAC0E1E5F
SHA-256:	6BFCE834C5518592A719F7726DCC37E8409D0CA8F3A50CF98BA7B248462E3BE6
SHA-512:	FAB4D6A7C8383F4F74B963278F162F0EB8FAEBBDD24266E6C64F58E30AF6AEE501FE6A0E2332AC5415633308A5C914B86CD3E0E3929347BD75C210D881AD526E
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.193072345841079
Encrypted:	false
SSDEEP:	6:N7SfBHUp1923oH+TcwttaVdg2KLlL7SfDsN+q2P923oH+TcwttaPrqIFUv:N7sRUEYebDL17sDsN+v4Yeb83FUv
MD5:	B559DEC7E1E3B31C1BFC49053926C3F9
SHA1:	0F01412C133018C2615E972C1883F4A4783E8ED3
SHA-256:	2E68974335059788DD0ACB6FBF1F5B9D33514F0E573F7B25CDA328EA2C9C76F9
SHA-512:	EBDBB6231AE33E2E1A2FBE694E731EF94F0CE60AD918596206145E89E83725FCE0B3434419316C304E66CE50F1D9E3CFABE00F3EF37CAF2A295A899ABEBE9E77
Malicious:	false
Preview:	2024/08/27-17:34:52.308 147c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules since it was missing..2024/08/27-17:34:52.322 147c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.193519241630812
Encrypted:	false
SSDEEP:	6:N7Sfsw51923oH+Tcwtt6FB2KLlL7SfKqM+q2P923oH+Tcwtt65IFUv:N7s+Yeb8FFL17sW+v4Yeb8WFUv
MD5:	42E0EF2C4B1F03CDBED9922AE3503CC5
SHA1:	AD19294AF06588EDB103362EAF79F996B692DAC9
SHA-256:	44C731ABFDD6FBCF0DFCC7379C2AC4D74561A42CBEB04962A51EB1DEF9ED6404
SHA-512:	3C73B1B3CC321CB430218AE25B49F7A927720F259F6255CD5C478173E71118BD338076583B8A5A6E09649C1B732FB84405A9E48172859133905127EA066A5A4A
Malicious:	false
Preview:	2024/08/27-17:34:52.405 11ac Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts since it was missing..2024/08/27-17:34:53.676 11ac Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	293
Entropy (8bit):	5.204036984054282
Encrypted:	false
SSDEEP:	6:N7SfvS4q1923oH+TcwttYg2KLlL7Sfo9+q2P923oH+TcwttNIFUv:N7svHYebJL17sXv4Yeb0FUv
MD5:	74E45763A5EE9CB42D76F81CA08EC7C7
SHA1:	2BF6D4FD17F8933711696CC49793293124643DBC
SHA-256:	E7A537F4F6E0568F7D1017913F2D8F54634D5FA6A54FE491261BC4540215EB76
SHA-512:	0CFFFD3DD78CC27C191F823A10BB2DCCDF9D41AC9C541FAF6F7240D0D8BC1B523EAFBC257E99211C3F1ACBDA583E1430FF3AF190B329704449FDE51D561AB078
Malicious:	false
Preview:	2024/08/27-17:34:54.237 9c8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State since it was missing..2024/08/27-17:34:54.246 9c8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlwu:Ls3w
MD5:	0FE94E04F3E0C015C1183CF0AE58E70B
SHA1:	22DB9DAEF0B4ED05094B6454F00A71C38C74F921
SHA-256:	44F39D5F247EEFD352FECB64C4BA4AC91E0433EBD8FF0C5EF3F76562E866E7A2
SHA-512:	5ECAB9A7F0E864D609F79CBFA9A5560EC447ADEEE0EAE3878557D8661CB50173584C042E92F488C6C85DA0EFC9A6A4763C2A0F22C4C0DE5F6DD188E0920D980B
Malicious:	false
Preview:	..........................................KG./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.21848828281205318
Encrypted:	false
SSDEEP:	3:md859tFlljq7A/mhWJFuQ3yy7IOWU22lllotdweytllrE9SFcTp4AGbNCV9RUIJ2:mS5G75fOQ2/l4d0Xi99pEY32
MD5:	C567DFAAAA588348E4B7DDDDD20EFDCE
SHA1:	24B7F244BDEF313AD45145C3C75AF7CFD289C26A
SHA-256:	58CE1C122DB4E07F774E1DAA12D3CD75EA4AE5236A576CE9D50A32CF7D0475E3
SHA-512:	685B12945A0943DC83DA723C3E104E12FCAC15B818B2D2AF9A028EA423E733E71A4A713336DA1CDE76A4D2FC8D4F187A6AC1198363937AD929E05B22D819F79D
Malicious:	false
Preview:	...................&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	379
Entropy (8bit):	5.241935283607753
Encrypted:	false
SSDEEP:	6:N7SfuIzD1923oH+TcwtRage8Y55HEZzXELIx2KLlL7SfylL+q2P923oH+TcwtRai:N7s/zmYebRrcHEZrEkVL17sC+v4YebRz
MD5:	C025A7D306E67233A19A4AB2BB3EE5AA
SHA1:	67F7BE0B71C46A0EC5A3EB72D55D4294B6A9472B
SHA-256:	7AF147491E10B92D30B72ED56F8D3CD8826E9CC1E700A066DFE8CB9F60EAC757
SHA-512:	A64BCAE66305E27F85438D429EED5B4D970AC75115592E6547E185BEAFCBA3A7F73C7CAD89C6797243C2B6E841E3619944C5CE6F4A266B215D1C2874B3EF942F
Malicious:	false
Preview:	2024/08/27-17:34:55.157 1b3c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/08/27-17:34:55.170 1b3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.225399770037996
Encrypted:	false
SSDEEP:	6:N7Sfu7CRM1923oH+TcwtRa2jM8B2KLlL7Sfhlyq2P923oH+TcwtRa2jMGIFUv:N7suGhYebRjFL17sXyv4YebREFUv
MD5:	B52D339504958B5D620894DC1121A273
SHA1:	4B4B71F8813475B024481B509E35BEA6FC736086
SHA-256:	38B3EC801A027FCC03D8BD66FD239723353DB02CFC152D2E98CBA77E5B6AD5BB
SHA-512:	88E97ACDF1DB89242EB26A21D6D47604DD67BBCE98E63BCA64E4134A570360C85523B7E0C3903575E2B816AE18A02FDCEDFB7F64FA0B42636C27487B472E4B09
Malicious:	false
Preview:	2024/08/27-17:34:52.698 1c74 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb since it was missing..2024/08/27-17:34:54.202 1c74 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\10b1cbbe-d45c-4d6f-8e07-7999598180e7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\2697eb85-50ad-46ec-8af7-f362fe465421.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.89042451592505
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDHERW6JfYoR6oJbQpwhYMKWKWMS7PMVKJq0nMb1KKqk1Yn:YHpo03h6ubQ+a4MS7PMVKJTnMRKXk1Yn
MD5:	D12E99D60125EDECF0D7D37F9142A486
SHA1:	131115940F711F1AF225BE5CC16E5B78193A4E83
SHA-256:	E36A9921DF8029CE482C15A4022555C85E4F9268DEA6A437A154761A4B13FDD3
SHA-512:	74C13A55117C222D7974FC7F28BDFF0C535719046E91418A149A899BF0D8D5A840EE6765123978D2A6FF08A8F9CAEA12D3DA82F343F29EC1854404E62FF1FB2E
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\91dc5e9d-7ef4-4e52-80a7-b8f7d59fb379.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF44041.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.7595202995282898
Encrypted:	false
SSDEEP:	48:TaIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBkfT:uIEumQv8m1ccnvS6BGt
MD5:	C91C7DE02BC232767105EC9A27FD5F05
SHA1:	72309AD7BD487CC9E0CEFFDF30E46E219854263C
SHA-256:	D028A1E73C201551E351A662471672526E261F41A14CA82F1147285148EA747B
SHA-512:	6F88F257345ACD65C0BCAC6B09A1403459B4E90170E1246579A2A66EACB55505D7F43C0841693E4248473B3B3FF6D2B004A09FA219021CE985353988B8B118C1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports~RF31f12.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\e10def90-eb14-435a-9614-c3e36fe9dd46.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\fc104aad-65ee-422d-a132-20ebde7b6a72.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.97131621606519
Encrypted:	false
SSDEEP:	96:st6qfEFis1mb9OSrN8z21ts85eh6Cb7/x+6MhmuecmAe8vC2Mk/EJ:st60sOrNkCts88bV+FiAyPkMJ
MD5:	4B4CEEA901ECFCD05113D4C2C709B256
SHA1:	D27FCE7801A11D42BC2D9BB4CB0E65DA5ACDD5D6
SHA-256:	68C3795EF91808B445E06925B1E050F2FA86474A35032CF8436741E4873494AA
SHA-512:	932EC68BA6F3AE0E6C8A53F58C9F13F3000FD622FAC1D2EE5EE1C381FD55201056939563C8DB873DC71F14AAA04FDF6255BD933F08C8E5410735A739E48EEDD1
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369268094028485","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369268094029196"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF3ae42.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.97131621606519
Encrypted:	false
SSDEEP:	96:st6qfEFis1mb9OSrN8z21ts85eh6Cb7/x+6MhmuecmAe8vC2Mk/EJ:st60sOrNkCts88bV+FiAyPkMJ
MD5:	4B4CEEA901ECFCD05113D4C2C709B256
SHA1:	D27FCE7801A11D42BC2D9BB4CB0E65DA5ACDD5D6
SHA-256:	68C3795EF91808B445E06925B1E050F2FA86474A35032CF8436741E4873494AA
SHA-512:	932EC68BA6F3AE0E6C8A53F58C9F13F3000FD622FAC1D2EE5EE1C381FD55201056939563C8DB873DC71F14AAA04FDF6255BD933F08C8E5410735A739E48EEDD1
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369268094028485","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369268094029196"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF42334.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.97131621606519
Encrypted:	false
SSDEEP:	96:st6qfEFis1mb9OSrN8z21ts85eh6Cb7/x+6MhmuecmAe8vC2Mk/EJ:st60sOrNkCts88bV+FiAyPkMJ
MD5:	4B4CEEA901ECFCD05113D4C2C709B256
SHA1:	D27FCE7801A11D42BC2D9BB4CB0E65DA5ACDD5D6
SHA-256:	68C3795EF91808B445E06925B1E050F2FA86474A35032CF8436741E4873494AA
SHA-512:	932EC68BA6F3AE0E6C8A53F58C9F13F3000FD622FAC1D2EE5EE1C381FD55201056939563C8DB873DC71F14AAA04FDF6255BD933F08C8E5410735A739E48EEDD1
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369268094028485","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369268094029196"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:	3:YVXADAEvTLSJ:Y9AcEvHSJ
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\README

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.2629097520179995
Encrypted:	false
SSDEEP:	3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
MD5:	643E00B0186AA80523F8A6BED550A925
SHA1:	EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
SHA-256:	A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
SHA-512:	D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
Malicious:	false
Preview:	Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566332880684663
Encrypted:	false
SSDEEP:	768:ia1q+dWPJBf2d8F1+UoAYDCx9Tuqh0VfUC9xbog/OVzWMSXrw/RTpGtuc:ia1q+dWPJBf2du1jaGBSE5ktj
MD5:	F73020241DB74797920FBD95DB1C84EF
SHA1:	93DDB73435681681A953C7F7372FC727A030B98E
SHA-256:	F74435A5270951D91DA9EDA505D9F210D6226F6B9BF5B3BD7D35CAACD8446751
SHA-512:	C058A6B2C4DBE6185BFB0CE58832716B105D6C1084FAE0A3842EF9E3B26009889A2C4D9CACDF67D895ACCEAF72D5AAC0222A0D25DF03B041A9490A6781E3D4C7
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369268092140937","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369268092140937","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RF37f24.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566332880684663
Encrypted:	false
SSDEEP:	768:ia1q+dWPJBf2d8F1+UoAYDCx9Tuqh0VfUC9xbog/OVzWMSXrw/RTpGtuc:ia1q+dWPJBf2du1jaGBSE5ktj
MD5:	F73020241DB74797920FBD95DB1C84EF
SHA1:	93DDB73435681681A953C7F7372FC727A030B98E
SHA-256:	F74435A5270951D91DA9EDA505D9F210D6226F6B9BF5B3BD7D35CAACD8446751
SHA-512:	C058A6B2C4DBE6185BFB0CE58832716B105D6C1084FAE0A3842EF9E3B26009889A2C4D9CACDF67D895ACCEAF72D5AAC0222A0D25DF03B041A9490A6781E3D4C7
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369268092140937","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369268092140937","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.160877598186631
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljl:S85aEFljljljl
MD5:	7733303DBE19B64C38F3DE4FE224BE9A
SHA1:	8CA37B38028A2DB895A4570E0536859B3CC5C279
SHA-256:	B10C1BA416A632CD57232C81A5C2E8EE76A716E0737D10EABE1D430BEC50739D
SHA-512:	E8CD965BCA0480DB9808CB1B461AC5BF5935C3CBF31C10FDF090D406F4BC4F3187D717199DCF94197B8DF24C1D6E4FF07241D8CFFFD9AEE06CCE9674F0220E29
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.137523386664003
Encrypted:	false
SSDEEP:	6:N7GLRM1923oH+TcwtSQM72KLlL7GPrjyq2P923oH+TcwtSQMxIFUv:N7GlhYeb0L17Gjjyv4YebrFUv
MD5:	2A20B0B5D31F493EC3DB12891F0E0740
SHA1:	3E78774BBD38152FB3CAD1A505BD4E9361A67C98
SHA-256:	A4A4C4947021FC97292B9C7928CD23C54D24F1441A6BDBBC6E1A10B8A0A906A3
SHA-512:	C7A86F96F039D44DF4E3000DE1F97F9C8DD970AF8F39855E0C572E28EA8C7A2A3D134DAAFF65F4FA9FF7E2562ACFAF77544517942E9B97D518B0609C0B30A1BA
Malicious:	false
Preview:	2024/08/27-17:35:10.088 1c74 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage since it was missing..2024/08/27-17:35:10.201 1c74 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.120204326906961
Encrypted:	false
SSDEEP:	6:N7Sfqr1923oH+TcwtgUh2gr52KLlL7SfQjM+q2P923oH+TcwtgUh2ghZIFUv:N7sq+Yeb3hHJL17smM+v4Yeb3hHh2FUv
MD5:	DC9159929DAE9D1AE622C58579E2B3A1
SHA1:	3679C8F0DAACBAE3E4F7A332922C024334ACE6A9
SHA-256:	EAEA369BF6041B2A048E199808593A45EAC60E03924D02A21411A2580AF89C22
SHA-512:	2D43B20B08BB81E03B561BA90A76FD5097F1D5F171E08A516BD02D5ACDF93439DFA6AA4E7C586D9DCF62D78FC0C1E02C584CEC734AAC94640F41E93DC6970532
Malicious:	false
Preview:	2024/08/27-17:34:52.298 28c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database since it was missing..2024/08/27-17:34:52.312 28c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:Lsulcau:Lsj
MD5:	6BCCCA27733BAB02AF4270FD2B181F16
SHA1:	E75CD835AD6285D43D6DC9C14007E4D131A4F514
SHA-256:	67303AC188DDA25ADB78372CD4106E2184EABA9F942E47BACA632ECEBD75FF5A
SHA-512:	D14A42E5D19D2DD60A6DB558CF5FDC177DAED1BE1D3410BA6A60AE17A716DEF79C36AD490AA165C26889C04BDF73A0F5A692F57A0989B7990EBB6923E326AF53
Malicious:	false
Preview:	...........................................KG./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:3W0Ecv8Ul:+e8Ul
MD5:	8847A5CCB1002F83C56BFE6768E7C9D6
SHA1:	E00AE493DD1557E180C521B9DC42A6A8DE65E875
SHA-256:	FFE99BF760EEC3CEEA5C1D89DAFCBEC8B3AE30188156571B2D5DEEE003CD11D3
SHA-512:	FB3782D88760895CD7D10AE4D453ABD858234DF124E17928DE14A7E0366D1DC1EA2C670155F39EA14E90D7ADF1E59997CC5AD4037E1E783D440A21D1935CED7E
Malicious:	false
Preview:	(...*X..oy retne........................@.KG./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:3W0Ecv8Ul:+e8Ul
MD5:	8847A5CCB1002F83C56BFE6768E7C9D6
SHA1:	E00AE493DD1557E180C521B9DC42A6A8DE65E875
SHA-256:	FFE99BF760EEC3CEEA5C1D89DAFCBEC8B3AE30188156571B2D5DEEE003CD11D3
SHA-512:	FB3782D88760895CD7D10AE4D453ABD858234DF124E17928DE14A7E0366D1DC1EA2C670155F39EA14E90D7ADF1E59997CC5AD4037E1E783D440A21D1935CED7E
Malicious:	false
Preview:	(...*X..oy retne........................@.KG./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:Lkk9EyXzaKln:QdEtl
MD5:	58BC60023E23845B77ED374DCB05C374
SHA1:	CEBA8F6B3D2389F9DFEAA90755B4CF9C48EEF1C2
SHA-256:	840B427E86D935CCF16A5B171C190BFC6B09853B0D017A1DE4DDAF93ABF33420
SHA-512:	56105765422BAFA3D1CC9734CCE7BEDAF6C6A7317E584E36063B8CCE287944AB76764DCD290ED56DB984C105085F2606E3DCE2B940777BFE61B771EDC8C35CE3
Malicious:	false
Preview:	(.......oy retne..........................KG./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:Lkk9EyXzaKln:QdEtl
MD5:	58BC60023E23845B77ED374DCB05C374
SHA1:	CEBA8F6B3D2389F9DFEAA90755B4CF9C48EEF1C2
SHA-256:	840B427E86D935CCF16A5B171C190BFC6B09853B0D017A1DE4DDAF93ABF33420
SHA-512:	56105765422BAFA3D1CC9734CCE7BEDAF6C6A7317E584E36063B8CCE287944AB76764DCD290ED56DB984C105085F2606E3DCE2B940777BFE61B771EDC8C35CE3
Malicious:	false
Preview:	(.......oy retne..........................KG./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlVYu:Ls3m
MD5:	40469B23973803B3313B5AFD94C97844
SHA1:	1D093C2F2A31DC3241E6BDAFDA8F1EA3E6E048E0
SHA-256:	08ED9DA77EA38EF505C1E5B00029CE729F1CC8FEFE6390414E3E7380A6599F6E
SHA-512:	889464B4D8F51C7E4A055353BA7D8DE32E487887A453BC9312ACA470D22189C5F6C8C6692BC31A852FD9291B5FB931E15D3399155208434F9FEEF5D25AF645E0
Malicious:	false
Preview:	.........................................u.KG./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNleUu0l:Ls3e
MD5:	E3B5597BF5465D933D0CD1F0BFEF69DD
SHA1:	289AAABB9FC8AFD53F2C3EC69FC1EFD8B91B17A2
SHA-256:	EDE3EDD5BCEB5EDFE5108DD673128041C7BBCA4A3BF7C8106870A1EA9AE64D50
SHA-512:	5FEA68400479C288B92B1A8785C0A37DE0014A35FEC436BB7ED86927E2AF652DFC143441C481A9575A93EF1F268866D845DD8C6ABFD2EE6E985F5E45C2F11A97
Malicious:	false
Preview:	..........................................KG./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	5.2249113493243495
Encrypted:	false
SSDEEP:	6:N7Sf8M1923oH+Tcwt0jqEKj3K/2jM8B2KLlL7SfhfIq2P923oH+Tcwt0jqEKj3Kk:N7s8hYebqqBvFL17stIv4YebqqBQFUv
MD5:	67627FF3047478F19C9D635FA7F7DB44
SHA1:	6D85B062EC38E5CA0799313B92AEAF27D62BDE4B
SHA-256:	8CEAEFBB1F045E36C82C8FFD3203820724B7327BC11D71CA3F147FC5393C2AC1
SHA-512:	93BE378FD7E8156CBB2E78BCFDFB67C657C414731D8C1F1DE095EB619CAF90B642AE87631C031A3D07F93AF648E2E41634DAE8D6404A08BF22CBDE6B56ED4EC2
Malicious:	false
Preview:	2024/08/27-17:34:54.244 1c94 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/08/27-17:34:54.341 1c94 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\4bc7010c-8dd9-42f8-9692-a644a95bfdea.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\7776d1de-e232-417c-94af-e1e3b64b1db4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF44080.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\afe974d7-f9a8-4d5b-85a0-eb9d79c3ff0e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKqk1Yn:YHpoeS7PMVKJTnMRKXk1Yn
MD5:	807419CA9A4734FEAF8D8563A003B048
SHA1:	A723C7D60A65886FFA068711F1E900CCC85922A6
SHA-256:	AA10BF07B0D265BED28F2A475F3564D8DDB5E4D4FFEE0AB6F3A0CC564907B631
SHA-512:	F10D496AE75DB5BA412BD9F17BF0C7DA7632DB92A3FABF7F24071E40F5759C6A875AD8F3A72BAD149DA58B3DA3B816077DF125D0D9F3544ADBA68C66353D206C
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\bc3fbdb7-a68c-45e9-8dda-a3ce0ed1a7d4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.7273991737283296
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
MD5:	9F7EADC15E13D0608B4E4D590499AE2E
SHA1:	AFB27F5C20B117031328E12DD3111A7681FF8DB5
SHA-256:	5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
SHA-512:	88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	393
Entropy (8bit):	5.217567969288414
Encrypted:	false
SSDEEP:	6:N7GPoM1923oH+Tcwt0jqEKj0QM72KLlL7GK5Iq2P923oH+Tcwt0jqEKj0QMxIFUv:N7GQhYebqqB6L17GeIv4YebqqBZFUv
MD5:	CF8B66464E08A3DE57C0C672C5A75A72
SHA1:	FCEF2FB9FC0AD1671197DFCC72772E25C99C6075
SHA-256:	7DCABDF9446F9E1357BCC99D196216D610558D2AE70EBAC8378DFFE0549DA652
SHA-512:	0E338C22A095B3CC114FE02CF749B4B2AE159533EDAA313F4DDAEBB4B47334686BC35E1FC46AFCE0BE174AED81E0923883F5C257B975BB351098FC62B42269B6
Malicious:	false
Preview:	2024/08/27-17:35:10.085 1c94 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/08/27-17:35:10.161 1c94 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.235641658535423
Encrypted:	false
SSDEEP:	6:N7Sf5dFi1923oH+Tcwtkx2KLlL7SfqTaN+q2P923oH+TcwtCIFUv:N7s1YebkVL17sqTK+v4YebLFUv
MD5:	0D51895916862F8C7CC1BFC39883CF58
SHA1:	8445F4C5503D283CC91D115FE6AD55722EBD1781
SHA-256:	69DA5CC10D2CB6951354777DF9B3485489085878402999FC266DE4BCA72D72E1
SHA-512:	0F59374CB3A323D37808ED24839D5244812CA83AA462D638A19BE749DCC5805F5530D2DAECC9F59CA028F70CD06E8F48FF4ADE7CF3E041871EB00065ED9B98AA
Malicious:	false
Preview:	2024/08/27-17:34:52.128 147c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB since it was missing..2024/08/27-17:34:52.295 147c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002110589502647469
Encrypted:	false
SSDEEP:	3:ImtVG:IiVG
MD5:	9915760F384D0D7FA2FDD3099FA128A2
SHA1:	3DAA343B299B5C98872F608999508C35FAF96171
SHA-256:	BB91DF982F47C1C670ED8D13AD710148C828456853B2BEA4050138496D0265C8
SHA-512:	AE69628B92F44864A0F3F85BB50CDDF7E7C7B0956E81FC2A1D05D2BB868B0A38CEE0332DCC58E4208D63A5927F1DD45313DB482622B382F7DDB140CC67E757B8
Malicious:	false
Preview:	VLnk.....?............Y/................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.0770449098331525
Encrypted:	false
SSDEEP:	192:erb2qAdB9TbTbuDDsnxCkOeSAE+WslKOMq+vVumYjDNn66:e/2qOB1nxCkOeSAELyKOMq+vVumqpp
MD5:	65EF3F4B9569C233148E45577CA6093A
SHA1:	D682BC8F39CFC038EF2E17E42613663A2CCDA704
SHA-256:	8E44E820CA980EB51DA414B7EA2CDFDD0DC3B98B724EC8C47BF356409EDFF3B5
SHA-512:	5020906A9C8C5F6C7398F04944EECECDE8F51F71B766AA2134430287D1B493BCC7498B0C43CC9C84FD265750BC3276C92705D8DECD25D896166053643B453C05
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\a38c883f-c6fe-4f59-89a5-fbc07aa67ebb.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ac6d94ea-1120-4f73-a396-269a1c2e6593.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.97131621606519
Encrypted:	false
SSDEEP:	96:st6qfEFis1mb9OSrN8z21ts85eh6Cb7/x+6MhmuecmAe8vC2Mk/EJ:st60sOrNkCts88bV+FiAyPkMJ
MD5:	4B4CEEA901ECFCD05113D4C2C709B256
SHA1:	D27FCE7801A11D42BC2D9BB4CB0E65DA5ACDD5D6
SHA-256:	68C3795EF91808B445E06925B1E050F2FA86474A35032CF8436741E4873494AA
SHA-512:	932EC68BA6F3AE0E6C8A53F58C9F13F3000FD622FAC1D2EE5EE1C381FD55201056939563C8DB873DC71F14AAA04FDF6255BD933F08C8E5410735A739E48EEDD1
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369268094028485","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369268094029196"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\c1de02e4-51af-4022-ae61-82834378885a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\d9604528-489a-4207-890b-31922992095c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24800
Entropy (8bit):	5.566221234697119
Encrypted:	false
SSDEEP:	768:ia1q+dWPJBf5d8F1+UoAYDCx9Tuqh0VfUC9xbog/OVzWMSXrw/R5pGtuB:ia1q+dWPJBf5du1jaGBSE52tS
MD5:	D7F29EE57ABB5A1D0F1B2605B8BDF3CF
SHA1:	BB974428279A1637E5628BCD41365DB3600FBE75
SHA-256:	BBE4508F58EB1B5A538778D7714E6F46FBBF8C9411CCF3EC896BF5E2DFA481A9
SHA-512:	DB4DF1365DD14699385E0959141846BF3923FFAA43C1B370D982F9E94BDBDAB618C4433E80A0B8E0CD6015856B749CA19F86003136075C2B048C2C283F8E0F61
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369268092140937","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369268092140937","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:	3:lSWFN3sl+ltlMWll:l9Fys1M
MD5:	A8E75ACC11904CB877E15A0D0DE03941
SHA1:	FBEE05EA246A7F08F7390237EA8B7E49204EF0E0
SHA-256:	D78C40FEBE1BA7EC83660B78E3F6AB7BC45AB822B8F21B03B16B9CB4F3B3A259
SHA-512:	A7B52B0575D451466A47AFFE3DCC0BC7FC9A6F8AB8194DA1F046AADA0EDDCCA76B4326AA9F19732BA50359B51EC72896BB8FA2FC23BAA6847C33AB51218511A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28499812076190567
Encrypted:	false
SSDEEP:	3:7FEG2l/R8l/FlFll:7+/l/R0
MD5:	A232727A3184B54D2F39DD95AA5897CB
SHA1:	5CB9941AB5471001F9E2A0438664F432029E0DB4
SHA-256:	C4FE36989780E8B2FA266768F2A6F246FC80BACA7B1E364C540943DC3B5734A0
SHA-512:	F0B86BE7B7E6377C4B2AB325A24EFF6E6A054612D429ED9C1A65977AC0010C0B9159BB14B48877F481DD87C916DADDC75D98D5C7E7B0F7D517C968ADB548D9D3
Malicious:	false
Preview:	.... .c.....t!.j................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04977582011274481
Encrypted:	false
SSDEEP:	6:GLW0SpffBUW0SpffBcL9X8hslotGLNl0ml/XoQDeX:aSpf5aSpf5oGEjVl/XoQ
MD5:	4DA871F979343E9DF21BD170EBBD51CD
SHA1:	B8278D1BF26F633893C1CA4D553D3FCEA8EF8909
SHA-256:	C2B6A207DE0C29B4E53A4AD78887A5DB7AC506EC19339A9306E4BCF9E35427D0
SHA-512:	B419FD6DB554E50BA54E175CC3FF106970A3A2F92CC880BCF3D808CFB8DCC74CCA4B5567C4E320BA7676645135531F9AACCB569F077091FF61A6310FB4728F16
Malicious:	false
Preview:	..-.....................r&...9..#..+..x..p...J\|..-.....................r&...9..#..+..x..p...J\|........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	70072
Entropy (8bit):	0.9976888813735925
Encrypted:	false
SSDEEP:	48:nBOzxfhRklO+CkhcbX+YRSn9VAKAFXX+DEGH2VAKAFXX+erixOqVAKAFXX+t6nUt:MxIBgNs1NsesO5NszNs4O0
MD5:	49211B126343A2165A6380EF19E7A083
SHA1:	4659A36B5C5774357565F2C56C8C1D5775890AC9
SHA-256:	059AF97B2520E1CF4047F2427626DEE80079C335B8D6749BBA921B9B53DBE581
SHA-512:	FE6A8E4051E50113283441D851ED2516DEDFD483C266E9A28BE94C4F2C6C0246F804894078478DEBB673B44DA3755D17B11F0EAFFBA12C9F02C8E758F95A309E
Malicious:	false
Preview:	7....-..........#..+..x...60.t.........#..+..xzX+..Ly.SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1566
Entropy (8bit):	5.505467611827696
Encrypted:	false
SSDEEP:	48:r8GSBSRNQQEPPHRHrxRIYjIYfzPqkiMYjMYDyAAlkfAlkE3:Q0EQAIYjIYfzPbiMYjMYRYcYR3
MD5:	298DE19F1A7BBA6445BBDBDADACB0D3C
SHA1:	99BF3F958C4A772FD336BD93C354D2ABD3C2F487
SHA-256:	9D5404D7CC130DDB4D0C51B958081D80EE215A4547B12370C49C93E9DD537BB3
SHA-512:	5BE931C304C6C4C3C8E84309AB479904827C01883A7AA33B1884FE28D91BE7B61D3F508F736DE2B05A26B5C119F1CA4ABDBCBFEA9227A425B133F70972939DF2
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1.....................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel.....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch......4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton.....&4_IPH_FocusHelpBubbleScreenReaderPromo.$IPH_FocusHelpBubbleScreenReaderPromo......4_IPH_GMCCastStartStop...IPH_GMCCastStartStop......4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode......4_IPH_LiveCaption...IPH_LiveCaption......4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage....."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch.....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeature......4_IPH_PriceTrackingChipFeature"..IPH_PriceTrackingChipFeature.....&4_IPH_PriceTrackingEmailConsentFeature.$IPH_PriceTrackingEmailConsentFeature.....-4_IPH_PriceTrackingPageActionIconLabelFeature1.+IPH_PriceTrackingPageActionIconLabelFeature......4_IPH_De

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	293
Entropy (8bit):	5.242138855697994
Encrypted:	false
SSDEEP:	6:N7Sf3VAB1923oH+Tcwt0rl2KLlL7Sfl3+q2P923oH+Tcwt0rK+IFUv:N7s3qMYebeL17sl3+v4Yeb13FUv
MD5:	7E13B64FCD68E024F35849CD4B8F1510
SHA1:	9E1BEB2BF49B6C94E15032719E7748F68CD70332
SHA-256:	AAC9B9E655BAA67C98C8E50D971B67572FC7A80DA1613E0FAEDC910E641A7D2F
SHA-512:	1816DA104E4E42C7183853F53CD89229B03BE7298D67B7DB6F56F04232563E8AC1AF6FEBD0D0C565186E697C47F6EB1EABD92B8426951B01C9DB5079583FDA38
Malicious:	false
Preview:	2024/08/27-17:34:54.055 e0c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db since it was missing..2024/08/27-17:34:54.067 e0c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	729
Entropy (8bit):	3.9306638263621148
Encrypted:	false
SSDEEP:	12:G0nYUteza//z3p/Wu2XZmh/U/ct2b/GnIwg/RG0lbANqa:G0nYUtezaD3ROmhCp5m
MD5:	9E5713FE872845EBADBEBEDA9380EAFE
SHA1:	DF545D01DF07ED668457257906CAEAD29295A038
SHA-256:	5D1554995CEA9D0F83513017BAD2083822815EFD41F74C616AB3021572810392
SHA-512:	7990DC37F7064E9FFD1FD380E508C676DB8CC0D8E078C78AFE9EC636E8617707BE5EAA86540A3C4703AA074B31E22D01D59E70AB9095DD046DDA1E222EA385D6
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................21_.....n[.=.................33_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....!....................3_.....n.b..................4_.........................20_........].................20_.....{a...................19_.....f.F..................18_.....7*X..................3_.....X....................4_.....eE,..................37_......0...................38_........'.................39_.....)..>.................37_..........................38_.....h.#..................39_.....P"...................9_.........................9_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	311
Entropy (8bit):	5.2047953639389135
Encrypted:	false
SSDEEP:	6:N7SfrqAB1923oH+Tcwt0rzs52KLlL7Sf3E+q2P923oH+Tcwt0rzAdIFUv:N7sXMYeb99L17s3E+v4YebyFUv
MD5:	0BFF3A91705D163E6085341B5C890695
SHA1:	9966ABCDA8B2E16C05F72086A3C4026C65D94BF5
SHA-256:	BB59F92C107F25A1AB289C3EE73877DCB3FD87E4A3CB50005B3E34DDDE1CAB74
SHA-512:	6639CA76DE9E6D44192FBFB3A4D47499843E27E8A4FE92838879D940421DD199DE61692E2F0EE65521586BDC6A1DF80554F872D8B84059336D325A7CDD3227BF
Malicious:	false
Preview:	2024/08/27-17:34:54.029 e0c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata since it was missing..2024/08/27-17:34:54.053 e0c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlXBlll:Ls3R
MD5:	D3DA584F2FB46C793C98E872E9F0AD35
SHA1:	136A9BCA377661FBA50B99E4EDC1A531E41EFA05
SHA-256:	CC05EC6FCF284C7C45949A7091D3ED4B67A3869F23038162AA5D66D96E214882
SHA-512:	BCA1F96E95D8F3DEE060D40C12AA9EC0935BDFC61D50642D4BC5AF6D2DBAA6E73B5B619486F70A183E6D6E4E1C65FFAEDFE265CEBF9599693DF3926CFBE69600
Malicious:	false
Preview:	........................................p..KG./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl9SB/l:Ls3s
MD5:	484E10E63D01452E0FBC2EA5FB054DE4
SHA1:	9FA45E3264974BCE9D0BC68C507826BB99AD6B4A
SHA-256:	AFE96F9126DF72372F17CC7FF6E346ED4FA92CA64A4543BA44C5C912EBB11C30
SHA-512:	32D0010E9E18270CA67B2B67358EAFC4C2E1F1DBB5382BE6707E7CBEE78EC1CB4DB2EF26E7448B97C95C5286368C8B9FF125E4D0F5284329D068935B0C5B6AD0
Malicious:	false
Preview:	.........................................;.KG./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.516297084176941
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtRL5+AzPWQaSw7ayikqOcJdXBuBuwBsaMyNhBHFXqWQQRCYfYg:YuBqDPafDMaPWFSwcdO6gBzBsdEBHF6a
MD5:	C16FB878C685742CE603017B67816632
SHA1:	216FE8FE75FA1C0716D8AF3A71D2342CE2EB8B03
SHA-256:	AF88120E485ECA38301B4798400E26B8CA7900A70355C248404CDBE577DC1937
SHA-512:	5AF2937DDDDBF7C023B2387F311205BF35C7F697BA81726ACA21D9B9733B001E786F9C5CE7896FA93EF67B3AF82D1E7D8D10E3ED2A292567145ABAFC3D572921
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"profile":{"info_cache":{},"profile_counts_reported":"13369268091375826","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724794491"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF30fef.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.516297084176941
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtRL5+AzPWQaSw7ayikqOcJdXBuBuwBsaMyNhBHFXqWQQRCYfYg:YuBqDPafDMaPWFSwcdO6gBzBsdEBHF6a
MD5:	C16FB878C685742CE603017B67816632
SHA1:	216FE8FE75FA1C0716D8AF3A71D2342CE2EB8B03
SHA-256:	AF88120E485ECA38301B4798400E26B8CA7900A70355C248404CDBE577DC1937
SHA-512:	5AF2937DDDDBF7C023B2387F311205BF35C7F697BA81726ACA21D9B9733B001E786F9C5CE7896FA93EF67B3AF82D1E7D8D10E3ED2A292567145ABAFC3D572921
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"profile":{"info_cache":{},"profile_counts_reported":"13369268091375826","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724794491"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3127f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.516297084176941
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtRL5+AzPWQaSw7ayikqOcJdXBuBuwBsaMyNhBHFXqWQQRCYfYg:YuBqDPafDMaPWFSwcdO6gBzBsdEBHF6a
MD5:	C16FB878C685742CE603017B67816632
SHA1:	216FE8FE75FA1C0716D8AF3A71D2342CE2EB8B03
SHA-256:	AF88120E485ECA38301B4798400E26B8CA7900A70355C248404CDBE577DC1937
SHA-512:	5AF2937DDDDBF7C023B2387F311205BF35C7F697BA81726ACA21D9B9733B001E786F9C5CE7896FA93EF67B3AF82D1E7D8D10E3ED2A292567145ABAFC3D572921
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"profile":{"info_cache":{},"profile_counts_reported":"13369268091375826","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724794491"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF33970.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.516297084176941
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtRL5+AzPWQaSw7ayikqOcJdXBuBuwBsaMyNhBHFXqWQQRCYfYg:YuBqDPafDMaPWFSwcdO6gBzBsdEBHF6a
MD5:	C16FB878C685742CE603017B67816632
SHA1:	216FE8FE75FA1C0716D8AF3A71D2342CE2EB8B03
SHA-256:	AF88120E485ECA38301B4798400E26B8CA7900A70355C248404CDBE577DC1937
SHA-512:	5AF2937DDDDBF7C023B2387F311205BF35C7F697BA81726ACA21D9B9733B001E786F9C5CE7896FA93EF67B3AF82D1E7D8D10E3ED2A292567145ABAFC3D572921
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"profile":{"info_cache":{},"profile_counts_reported":"13369268091375826","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724794491"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3807c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.516297084176941
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtRL5+AzPWQaSw7ayikqOcJdXBuBuwBsaMyNhBHFXqWQQRCYfYg:YuBqDPafDMaPWFSwcdO6gBzBsdEBHF6a
MD5:	C16FB878C685742CE603017B67816632
SHA1:	216FE8FE75FA1C0716D8AF3A71D2342CE2EB8B03
SHA-256:	AF88120E485ECA38301B4798400E26B8CA7900A70355C248404CDBE577DC1937
SHA-512:	5AF2937DDDDBF7C023B2387F311205BF35C7F697BA81726ACA21D9B9733B001E786F9C5CE7896FA93EF67B3AF82D1E7D8D10E3ED2A292567145ABAFC3D572921
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"profile":{"info_cache":{},"profile_counts_reported":"13369268091375826","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724794491"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3fbd6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.516297084176941
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtRL5+AzPWQaSw7ayikqOcJdXBuBuwBsaMyNhBHFXqWQQRCYfYg:YuBqDPafDMaPWFSwcdO6gBzBsdEBHF6a
MD5:	C16FB878C685742CE603017B67816632
SHA1:	216FE8FE75FA1C0716D8AF3A71D2342CE2EB8B03
SHA-256:	AF88120E485ECA38301B4798400E26B8CA7900A70355C248404CDBE577DC1937
SHA-512:	5AF2937DDDDBF7C023B2387F311205BF35C7F697BA81726ACA21D9B9733B001E786F9C5CE7896FA93EF67B3AF82D1E7D8D10E3ED2A292567145ABAFC3D572921
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"profile":{"info_cache":{},"profile_counts_reported":"13369268091375826","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724794491"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF42305.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.516297084176941
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtRL5+AzPWQaSw7ayikqOcJdXBuBuwBsaMyNhBHFXqWQQRCYfYg:YuBqDPafDMaPWFSwcdO6gBzBsdEBHF6a
MD5:	C16FB878C685742CE603017B67816632
SHA1:	216FE8FE75FA1C0716D8AF3A71D2342CE2EB8B03
SHA-256:	AF88120E485ECA38301B4798400E26B8CA7900A70355C248404CDBE577DC1937
SHA-512:	5AF2937DDDDBF7C023B2387F311205BF35C7F697BA81726ACA21D9B9733B001E786F9C5CE7896FA93EF67B3AF82D1E7D8D10E3ED2A292567145ABAFC3D572921
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"profile":{"info_cache":{},"profile_counts_reported":"13369268091375826","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724794491"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF48624.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.516297084176941
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtRL5+AzPWQaSw7ayikqOcJdXBuBuwBsaMyNhBHFXqWQQRCYfYg:YuBqDPafDMaPWFSwcdO6gBzBsdEBHF6a
MD5:	C16FB878C685742CE603017B67816632
SHA1:	216FE8FE75FA1C0716D8AF3A71D2342CE2EB8B03
SHA-256:	AF88120E485ECA38301B4798400E26B8CA7900A70355C248404CDBE577DC1937
SHA-512:	5AF2937DDDDBF7C023B2387F311205BF35C7F697BA81726ACA21D9B9733B001E786F9C5CE7896FA93EF67B3AF82D1E7D8D10E3ED2A292567145ABAFC3D572921
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"profile":{"info_cache":{},"profile_counts_reported":"13369268091375826","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724794491"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlT4aal:Ls3M
MD5:	15DAB7458E4CA630FF3BA29105DEFAD8
SHA1:	74FA04DDA4DFF3DE7802E1EC111B008D98795E07
SHA-256:	FC92C1B65CE60E42B76CA9E3351C2F62CDD1A9575354072BCC8717A6DA6F7330
SHA-512:	C4738433D2E428929C99AB53BF12B1DFB9FCCE071EE4096389D6F0A1D91EC528DA436EA3A6EB051CF8B6011FEC9B99D02472A8BDF87570E4F10F5760FEB6DDFA
Malicious:	false
Preview:	.........................................k.KG./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.5724312513221195
Encrypted:	false
SSDEEP:	3:kDnaV6bVon:kDYa2
MD5:	5692162977B015E31D5F35F50EFAB9CF
SHA1:	705DC80E8B32AC8B68F7E13CF8A75DCCB251ED7D
SHA-256:	42CCB5159B168DBE5D5DDF026E5F7ED3DBF50873CFE47C7C3EF0677BB07B90D4
SHA-512:	32905A4CC5BCE0FE8502DDD32096F40106625218BEDC4E218A344225D6DF2595A7B70EEB3695DCEFDD894ECB2B66BED479654E8E07F02526648E07ACFE47838C
Malicious:	false
Preview:	edgeSettings_2.0-0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.493433469104717
Encrypted:	false
SSDEEP:	3:kfKbQSQSuLA5:kyUc5
MD5:	3F90757B200B52DCF5FDAC696EFD3D60
SHA1:	569A2E1BED9ECCDF7CD03E270AEF2BD7FF9B0E77
SHA-256:	1EE63F0A3502CFB7DF195FABBA41A7805008AB2CCCDAEB9AF990409D163D60C8
SHA-512:	39252BBAA33130DF50F36178A8EAB1D09165666D8A229FBB3495DD01CBE964F87CD2E6FCD479DFCA36BE06309EF18FEDA7F14722C57545203BBA24972D4835C8
Malicious:	false
Preview:	synchronousLookupUris_636976985063396749.rel.v2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.9904355005135823
Encrypted:	false
SSDEEP:	3:0xXF/XctY5GUf+:0RFeUf+
MD5:	E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:	5AAAC173107C688C06944D746394C21535B0514B
SHA-256:	EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:	837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:	false
Preview:	topTraffic_170540185939602997400506234197983529371

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\b077c5b7-8f08-44cd-a1db-f50b9cba49f9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.516297084176941
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtRL5+AzPWQaSw7ayikqOcJdXBuBuwBsaMyNhBHFXqWQQRCYfYg:YuBqDPafDMaPWFSwcdO6gBzBsdEBHF6a
MD5:	C16FB878C685742CE603017B67816632
SHA1:	216FE8FE75FA1C0716D8AF3A71D2342CE2EB8B03
SHA-256:	AF88120E485ECA38301B4798400E26B8CA7900A70355C248404CDBE577DC1937
SHA-512:	5AF2937DDDDBF7C023B2387F311205BF35C7F697BA81726ACA21D9B9733B001E786F9C5CE7896FA93EF67B3AF82D1E7D8D10E3ED2A292567145ABAFC3D572921
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAG4syPNaXzQYvzIbbO+ncLEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACNCD02XUuFkTVvlD5l7/ioTuw7IiAhVk1ZikxUUlfcoAAAAAAOgAAAAAIAACAAAAA8xFgEG9CUGgT83L6xAhMksohXHP9XGAyaYQAz894EPzAAAADbN9YrKq2l4ob9R1N60hrUDcTEp4n2hzuePSiyT13S0cIgBS9v01RrDGM0ogY/kTFAAAAA1FbcQ8fUluBS+FUCCh/KRE/8igjOeFKlXtAlPz8mCDKOZoV/peB+7gsqyfMUopPw0ozC9acwwMQlvo9GFUP4Ng=="},"profile":{"info_cache":{},"profile_counts_reported":"13369268091375826","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724794491"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\b4550c3d-ff57-4b80-91d1-234f13cf3871.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20785
Entropy (8bit):	6.065141285093782
Encrypted:	false
SSDEEP:	384:RtM7XKnG7EtlXrjYJUoLUJqHsdZsJHaV8NBS7ky6Iu/I00jGX4KXl:LM7X2zt1jKYqHkZeMnPDu/I034KV
MD5:	EE95939AA72E8FB33938371E8426E7E2
SHA1:	9F4CD8A3BFDD4DD89765195B6874406D085354C9
SHA-256:	91F0C8A7E64D4D6DCFC6362B98DD4C144281B0211A0726ECCFDD7D3570966C7C
SHA-512:	AE63029DDFFB4364233AD1A07C6E4236E3B554FEF07FA5AA6B480606CA207A5E2A8EBA84DDE54B02A4C316C60DFBE0A12742CA7ED4CAE652FD01FF32C5FF04FA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\eae31e7c-34ae-4f22-8fcf-68b2e6a73053.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20786
Entropy (8bit):	6.06517160677736
Encrypted:	false
SSDEEP:	384:RtM7XKnG7EtlXrjYJUoLUJqHsdZsJHaV8NBS7Py6Iu/I00jGX4KXl:LM7X2zt1jKYqHkZeMn6Du/I034KV
MD5:	B87B6778251A224EB53227437A2F85F4
SHA1:	673ED92D90EE62671E1E50808E52E87BD6D3AA30
SHA-256:	D53D5F8B6C9006E738F4042F92BFE5ED67E9568FFFF9813DBAA25CD22569FBA5
SHA-512:	48DCE30BBAFD6337D7AC488FBBD9D5F14C7DD9D312177E9B4F80E95D6E3DE697ABA7094C0D218C22F5972EBFB5C5C55417B8624D30E69D441BC169CD4D3A97C7
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\47e3d59d-eead-4261-bf67-30d5dbb38d13.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44664
Entropy (8bit):	6.095332661709662
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBsFuphDO6vP6O6jTR/sPBlQuPcGoup1Xl3jVzXr4z:z/Ps+wsI7yOE46aj2chu3VlXr4CRo1
MD5:	89CC5ABD22D7764120319E5046DD43FB
SHA1:	0559CADC218943946D77CD13302C2E93636CE467
SHA-256:	8EB2B4E5B7BD71FDC200BFBB99E7A0737F26E546FCD19AEE9CCDC5A0DC443F99
SHA-512:	646832FEE2C6DF1BD142B4E8C9163ACEA50A8288AFAFD988EAFBB9A4C9C069B208734944794093FBBA0DCE85CCC71A9AB9ACE3ADBB02B0749C37959DF66DD308
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\61effcde-f00f-4556-a153-45807b56dff0.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44664
Entropy (8bit):	6.095771663050547
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBsFuphDO6vP6O6j3O/pP8UcGoup1Xl3jVzXr4CCAg:z/Ps+wsI7yOE46aj2chu3VlXr4CRo1
MD5:	A83C486E9A214DCF9C9B0B71AA07458D
SHA1:	A9EC5DBE30978E35E90719CFE7FBCD4F81997F70
SHA-256:	E4DF42FEC7B4CAC19AB9933B6E1F2EF686A6DDCD2E61FF0CFFE59B4C43323D82
SHA-512:	738DB87DDA6ACDFAE7AE3CCD34DD96C354FDD158A3B9E9ECEA2E7F38E567C2D6CB6A224202A7EE6BC08BEB9199D217A80A5AE13A635561DD7AE7C31B515B6E1E
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66CE4697-23A4.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.1296601727988438
Encrypted:	false
SSDEEP:	768:UMbtyQCxEnZ+mzOOqxQycvkigRGOrlIW16emF0HnuRGO:UMhyQuEQmzOOwuvkigRGOrLmF0HnuRG
MD5:	8E5BA8A584E3C3E34F411AF0422D7563
SHA1:	DF3B25E0EB58953CEDED2AA698F5A416D9EDE112
SHA-256:	72F2179E6DB9C7C5BB71B00316321871BE0A8AC4117A23888EBBB2180D37FB43
SHA-512:	3E0A1B77159DB32A7068251A7608312D92E274EA7FB341F45F89C5CDFB8FE7549CC1EE6A4B9B467EB8C49F2C49A1321B7C12B91F802CF80C43B6A6A615A2C01A
Malicious:	false
Preview:	...@..@...@.....C.].....@................'..8...............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".ysualb20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............(......................w..U].0r........>.........."....."...24.."."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...u...V.S@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2..........I...... .`2.......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.132041621771752
Encrypted:	false
SSDEEP:	3:FiWWltlApdeXKeQwFMYLAfJrAazlYBVP/Sh/JzvPWVcRVEVg3WWD5x1:o1ApdeaEqYsMazlYBVsJDu2ziy5
MD5:	845CFA59D6B52BD2E8C24AC83A335C66
SHA1:	6882BB1CE71EB14CEF73413EFC591ACF84C63C75
SHA-256:	29645C274865D963D30413284B36CC13D7472E3CD2250152DEE468EC9DA3586F
SHA-512:	8E0E7E8CCDC8340F68DB31F519E1006FA7B99593A0C1A2425571DAF71807FBBD4527A211030162C9CE9E0584C8C418B5346C2888BEDC43950BF651FD1D40575E
Malicious:	false
Preview:	sdPC......................X..<EE..r/y..."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................fdb35e9f-12f5-40d5-8d50-87a9333d43a4............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\418cfbc7-238a-486d-8e2e-88e1d79e48a8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\54893093-2a0f-461e-b66f-1bf9e85be201.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.567468052296026
Encrypted:	false
SSDEEP:	768:bifzVmWPEzf/S8F1+UoAYDCx9Tuqh0VfUC9xbog/OVHGl3lrwyppjtuG:bifzVmWPEzf/Su1jaG03OAt5
MD5:	84CF43C700D3E8D88670C996F7DA7319
SHA1:	F9C6AFF28E843FA387DDFEF16755F89665190825
SHA-256:	5F86081E7714351B2BA567CAD695C490651C17C1F0B53B474122E3DA40693908
SHA-512:	EAF3508E630EC4D81A754AD3C8DA87F68D730B386257E28AFA67C670010D18E0246B2EDA2FEEFDB56182FA9122FE41D6AE9FF2ECC0372C609FF4B12DEAC7F455
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369268111142646","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369268111142646","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\7bcd25bc-da32-4372-80a6-13b9c1799f8d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\95ab0ba7-aeda-4fdf-a7fb-be4b58f1c4a6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\960aa297-d63d-4cac-9351-7818f236fb89.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.089514081667295
Encrypted:	false
SSDEEP:	192:stOksxx8CZihnk1sY8bV+FiA66WbfaFIMY8bLMJ:stOksxx8xhRbGix6WbfaTYr
MD5:	765FBF8632757C95C4C8156FF11E2CA2
SHA1:	E3E5DA444F5E2FB18689701A1F7541E5872E05AA
SHA-256:	8FCC0131DF548D1FF3CFF5C19366E1A35E03FB31D299BC9DFC1BB87A145A25B0
SHA-512:	4334C5ED5A55360D0544355CF66F7959F708D0C24B88E4F316FA622CD960AB92DBD39292ECED5BAA26BB8ADFA34CB54BEF8BB53B4ED71D08415C74F00E3CC7F0
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369268111390633","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369268111391368"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zEflSA:/M/xT02z5A
MD5:	7949972CDFCB02FE97A1C20F9F2BFAB8
SHA1:	27CA42362A366C7855A6F13A89DC016AA78B0DE0
SHA-256:	D2EE9A5AA36B8DA9DB940E5D002CDDCAD212136EE980125D14C246776AF1D596
SHA-512:	BAEF95B340AB9C0D65B8238CB37D9241A92999FAEEC56439F66AFAA075BA4F00625F9E43B3193D6CA6745A83F3EC3D4498F3BA3621D945376AE874FC11C12DA5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.189050669115901
Encrypted:	false
SSDEEP:	6:N78QP/i+q2P923oH+TcwtnG2tMsIFUt8878QcvSmWZmw+878QYVkwO923oH+Tcwj:N7BPa+v4Yebn9GFUt887BTZ/+87BYV5l
MD5:	4EFF936B1D5F1A66781AEF1792CA7A7E
SHA1:	3969A79484AB3621EF8B8EDFACE88437FAC3BB4A
SHA-256:	833BFFDAF94086877411F4A397EF1570801A9A74AF64DA93E565574577DCAB2D
SHA-512:	9E5E5AD46AEA5AC731E844880BE17AE9A3917CBD8180BD50A621F3D107DA5EF47114C332A15AE0C170B4C5452FEDD378B0359512025C2FF6A025AD928410882C
Malicious:	false
Preview:	2024/08/27-17:35:11.350 200c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/27-17:35:11.351 200c Recovering log #3.2024/08/27-17:35:11.352 200c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.189050669115901
Encrypted:	false
SSDEEP:	6:N78QP/i+q2P923oH+TcwtnG2tMsIFUt8878QcvSmWZmw+878QYVkwO923oH+Tcwj:N7BPa+v4Yebn9GFUt887BTZ/+87BYV5l
MD5:	4EFF936B1D5F1A66781AEF1792CA7A7E
SHA1:	3969A79484AB3621EF8B8EDFACE88437FAC3BB4A
SHA-256:	833BFFDAF94086877411F4A397EF1570801A9A74AF64DA93E565574577DCAB2D
SHA-512:	9E5E5AD46AEA5AC731E844880BE17AE9A3917CBD8180BD50A621F3D107DA5EF47114C332A15AE0C170B4C5452FEDD378B0359512025C2FF6A025AD928410882C
Malicious:	false
Preview:	2024/08/27-17:35:11.350 200c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/27-17:35:11.351 200c Recovering log #3.2024/08/27-17:35:11.352 200c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF37bc8.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.189050669115901
Encrypted:	false
SSDEEP:	6:N78QP/i+q2P923oH+TcwtnG2tMsIFUt8878QcvSmWZmw+878QYVkwO923oH+Tcwj:N7BPa+v4Yebn9GFUt887BTZ/+87BYV5l
MD5:	4EFF936B1D5F1A66781AEF1792CA7A7E
SHA1:	3969A79484AB3621EF8B8EDFACE88437FAC3BB4A
SHA-256:	833BFFDAF94086877411F4A397EF1570801A9A74AF64DA93E565574577DCAB2D
SHA-512:	9E5E5AD46AEA5AC731E844880BE17AE9A3917CBD8180BD50A621F3D107DA5EF47114C332A15AE0C170B4C5452FEDD378B0359512025C2FF6A025AD928410882C
Malicious:	false
Preview:	2024/08/27-17:35:11.350 200c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/27-17:35:11.351 200c Recovering log #3.2024/08/27-17:35:11.352 200c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.180510805397705
Encrypted:	false
SSDEEP:	6:N7Q3+q2P923oH+Tcwt8aPrqIFUt887WWZmw+87WSVkwO923oH+Tcwt8amLJ:N7Q3+v4YebL3FUt887WW/+87WSV5LYeo
MD5:	67096C02769DE4E38A1F0B6EE2F5DF82
SHA1:	544EE293129D6E17CA356CC92B6EBD8E6F4C8135
SHA-256:	0C15512AACDF532C1435730A14A75292132FA8198C9F8E6165FEFDD866023CFC
SHA-512:	3FBE149A6E0F5BE34D97A324A1BCCCF014B361D68DB5B27EBCDA148207F58B35328765CFAB88F8D5C9D54A4152860A8343475674890E5072016FA2CFEFC445D9
Malicious:	false
Preview:	2024/08/27-17:35:11.428 202c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/27-17:35:11.429 202c Recovering log #3.2024/08/27-17:35:11.429 202c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.180510805397705
Encrypted:	false
SSDEEP:	6:N7Q3+q2P923oH+Tcwt8aPrqIFUt887WWZmw+87WSVkwO923oH+Tcwt8amLJ:N7Q3+v4YebL3FUt887WW/+87WSV5LYeo
MD5:	67096C02769DE4E38A1F0B6EE2F5DF82
SHA1:	544EE293129D6E17CA356CC92B6EBD8E6F4C8135
SHA-256:	0C15512AACDF532C1435730A14A75292132FA8198C9F8E6165FEFDD866023CFC
SHA-512:	3FBE149A6E0F5BE34D97A324A1BCCCF014B361D68DB5B27EBCDA148207F58B35328765CFAB88F8D5C9D54A4152860A8343475674890E5072016FA2CFEFC445D9
Malicious:	false
Preview:	2024/08/27-17:35:11.428 202c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/27-17:35:11.429 202c Recovering log #3.2024/08/27-17:35:11.429 202c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.184577930390748
Encrypted:	false
SSDEEP:	6:N7gQ+q2P923oH+Tcwt865IFUt887+ZZmw+87+NVkwO923oH+Tcwt86+ULJ:N7F+v4Yeb/WFUt887+Z/+87+NV5LYebD
MD5:	F19A5CCE635D8238233F5409AA99C132
SHA1:	E0782B01F21703724AA15D1F5A32BE93E7FBD405
SHA-256:	8BF8DD413CE9DEAE6E43F930CD1C334E2777D00009BB985AFAD9F6304E42A2B6
SHA-512:	AAB55C842F71244DEEC23E5474B656D59F4E7AEEB9473B499CA20356707EDA46FBB2721A036A7D6D4B7B45E3D94944CB4FEB07486A6E14E8AF3CFA3DD3184A87
Malicious:	false
Preview:	2024/08/27-17:35:11.434 202c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/27-17:35:11.435 202c Recovering log #3.2024/08/27-17:35:11.435 202c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.184577930390748
Encrypted:	false
SSDEEP:	6:N7gQ+q2P923oH+Tcwt865IFUt887+ZZmw+87+NVkwO923oH+Tcwt86+ULJ:N7F+v4Yeb/WFUt887+Z/+87+NV5LYebD
MD5:	F19A5CCE635D8238233F5409AA99C132
SHA1:	E0782B01F21703724AA15D1F5A32BE93E7FBD405
SHA-256:	8BF8DD413CE9DEAE6E43F930CD1C334E2777D00009BB985AFAD9F6304E42A2B6
SHA-512:	AAB55C842F71244DEEC23E5474B656D59F4E7AEEB9473B499CA20356707EDA46FBB2721A036A7D6D4B7B45E3D94944CB4FEB07486A6E14E8AF3CFA3DD3184A87
Malicious:	false
Preview:	2024/08/27-17:35:11.434 202c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/27-17:35:11.435 202c Recovering log #3.2024/08/27-17:35:11.435 202c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.229238802491334
Encrypted:	false
SSDEEP:	6:N7rmS39+q2P923oH+Tcwt8NIFUt887q9JZmw+87q99VkwO923oH+Tcwt8+eLJ:N7rmE9+v4YebpFUt887iJ/+87i9V5LYN
MD5:	442BF110C609F405D70908BF898A429C
SHA1:	71612155656FD187A5777E780265CF4D0D1362A4
SHA-256:	A1F39FA5D6FDD682E076BB658DA86DF967D84FC10BB7F9614F7BE659A077E102
SHA-512:	CC97D6FB786B76E2B2BFD9057F267E7C746B38B2C6EC4FDB160AF44BDEED22D1DAD6D17961421BA25508018FDC80104FA00AD52185A207C03E75053829277DCB
Malicious:	false
Preview:	2024/08/27-17:35:19.385 209c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/27-17:35:19.386 209c Recovering log #3.2024/08/27-17:35:19.386 209c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.229238802491334
Encrypted:	false
SSDEEP:	6:N7rmS39+q2P923oH+Tcwt8NIFUt887q9JZmw+87q99VkwO923oH+Tcwt8+eLJ:N7rmE9+v4YebpFUt887iJ/+87i9V5LYN
MD5:	442BF110C609F405D70908BF898A429C
SHA1:	71612155656FD187A5777E780265CF4D0D1362A4
SHA-256:	A1F39FA5D6FDD682E076BB658DA86DF967D84FC10BB7F9614F7BE659A077E102
SHA-512:	CC97D6FB786B76E2B2BFD9057F267E7C746B38B2C6EC4FDB160AF44BDEED22D1DAD6D17961421BA25508018FDC80104FA00AD52185A207C03E75053829277DCB
Malicious:	false
Preview:	2024/08/27-17:35:19.385 209c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/27-17:35:19.386 209c Recovering log #3.2024/08/27-17:35:19.386 209c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old~RF37c26.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.229238802491334
Encrypted:	false
SSDEEP:	6:N7rmS39+q2P923oH+Tcwt8NIFUt887q9JZmw+87q99VkwO923oH+Tcwt8+eLJ:N7rmE9+v4YebpFUt887iJ/+87i9V5LYN
MD5:	442BF110C609F405D70908BF898A429C
SHA1:	71612155656FD187A5777E780265CF4D0D1362A4
SHA-256:	A1F39FA5D6FDD682E076BB658DA86DF967D84FC10BB7F9614F7BE659A077E102
SHA-512:	CC97D6FB786B76E2B2BFD9057F267E7C746B38B2C6EC4FDB160AF44BDEED22D1DAD6D17961421BA25508018FDC80104FA00AD52185A207C03E75053829277DCB
Malicious:	false
Preview:	2024/08/27-17:35:19.385 209c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/27-17:35:19.386 209c Recovering log #3.2024/08/27-17:35:19.386 209c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zEfl:/M/xT02z
MD5:	1D398A6AA838A4E28DA47AE52901891F
SHA1:	389A75E59EB00BA4F5A285C59D96D11E08F1748F
SHA-256:	A8A19E1F6BABF4F13E6905B30614A0F5D17468962C21A60667870F2CAE9E013B
SHA-512:	4549CBEC5F9C10AB72872654DC7D60E752E7697B9A2EF92B7FAE6611F5957B8A9BF38C54A581E88A5970FE723791635992BB5CE36D2F3DAE312F93E77E898E2F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.1321275306681535
Encrypted:	false
SSDEEP:	6:N7g8lVN4q2P923oH+Tcwt8a2jMGIFUt887gy3JZmw+87gqDkwO923oH+Tcwt8a23:N7yv4Yeb8EFUt887t/+87B5LYeb8bJ
MD5:	9E2F34D10A5263760B22C40498787BCD
SHA1:	01B5A95622E4E8D2F0BF173E8D1259186D193465
SHA-256:	4ACFF821F9CE526115B4E85B2823DA66473ECCFABCF86E45E8C20F8AFE85D966
SHA-512:	809B8DA7B39922D0C458CFF0DF226B15D785427C62C81FEEDDEC86B269523DF8E4AD671C37BB2ACEEF86366C22C179DD44B1285945573DDFF8C8A18BFDD6D720
Malicious:	false
Preview:	2024/08/27-17:35:12.030 21a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/08/27-17:35:12.043 21a0 Recovering log #3.2024/08/27-17:35:12.045 21a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.1321275306681535
Encrypted:	false
SSDEEP:	6:N7g8lVN4q2P923oH+Tcwt8a2jMGIFUt887gy3JZmw+87gqDkwO923oH+Tcwt8a23:N7yv4Yeb8EFUt887t/+87B5LYeb8bJ
MD5:	9E2F34D10A5263760B22C40498787BCD
SHA1:	01B5A95622E4E8D2F0BF173E8D1259186D193465
SHA-256:	4ACFF821F9CE526115B4E85B2823DA66473ECCFABCF86E45E8C20F8AFE85D966
SHA-512:	809B8DA7B39922D0C458CFF0DF226B15D785427C62C81FEEDDEC86B269523DF8E4AD671C37BB2ACEEF86366C22C179DD44B1285945573DDFF8C8A18BFDD6D720
Malicious:	false
Preview:	2024/08/27-17:35:12.030 21a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/08/27-17:35:12.043 21a0 Recovering log #3.2024/08/27-17:35:12.045 21a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\0e1606e9-1930-46d1-81fc-fa4ca6464a1f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\1be78368-6904-454c-bf60-82b6940f6c0a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\3723a46e-14d6-469d-94fc-501547f43132.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\97e6b8ad-4f73-49db-870b-7f94abbef94f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF37d01.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF3612c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF37d01.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\b21d7873-346b-4ef5-8177-7a9a4d4114be.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.089514081667295
Encrypted:	false
SSDEEP:	192:stOksxx8CZihnk1sY8bV+FiA66WbfaFIMY8bLMJ:stOksxx8xhRbGix6WbfaTYr
MD5:	765FBF8632757C95C4C8156FF11E2CA2
SHA1:	E3E5DA444F5E2FB18689701A1F7541E5872E05AA
SHA-256:	8FCC0131DF548D1FF3CFF5C19366E1A35E03FB31D299BC9DFC1BB87A145A25B0
SHA-512:	4334C5ED5A55360D0544355CF66F7959F708D0C24B88E4F316FA622CD960AB92DBD39292ECED5BAA26BB8ADFA34CB54BEF8BB53B4ED71D08415C74F00E3CC7F0
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369268111390633","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369268111391368"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF37c74.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.089514081667295
Encrypted:	false
SSDEEP:	192:stOksxx8CZihnk1sY8bV+FiA66WbfaFIMY8bLMJ:stOksxx8xhRbGix6WbfaTYr
MD5:	765FBF8632757C95C4C8156FF11E2CA2
SHA1:	E3E5DA444F5E2FB18689701A1F7541E5872E05AA
SHA-256:	8FCC0131DF548D1FF3CFF5C19366E1A35E03FB31D299BC9DFC1BB87A145A25B0
SHA-512:	4334C5ED5A55360D0544355CF66F7959F708D0C24B88E4F316FA622CD960AB92DBD39292ECED5BAA26BB8ADFA34CB54BEF8BB53B4ED71D08415C74F00E3CC7F0
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369268111390633","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369268111391368"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.567468052296026
Encrypted:	false
SSDEEP:	768:bifzVmWPEzf/S8F1+UoAYDCx9Tuqh0VfUC9xbog/OVHGl3lrwyppjtuG:bifzVmWPEzf/Su1jaG03OAt5
MD5:	84CF43C700D3E8D88670C996F7DA7319
SHA1:	F9C6AFF28E843FA387DDFEF16755F89665190825
SHA-256:	5F86081E7714351B2BA567CAD695C490651C17C1F0B53B474122E3DA40693908
SHA-512:	EAF3508E630EC4D81A754AD3C8DA87F68D730B386257E28AFA67C670010D18E0246B2EDA2FEEFDB56182FA9122FE41D6AE9FF2ECC0372C609FF4B12DEAC7F455
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369268111142646","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369268111142646","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.122134663756408
Encrypted:	false
SSDEEP:	6:N7g81q2P923oH+TcwtrQMxIFUt887gTZZmw+87gAzkwO923oH+TcwtrQMFLJ:N7hv4YebCFUt887yZ/+87Z5LYebtJ
MD5:	54B827126CA423517B3DCFD75CDA1341
SHA1:	915990D4EA28BA35C868B3D1D5497FC0C91AAA3B
SHA-256:	4A4DD8E9AF5B1E16C748FD8567A1373E8AED90ED9D0ED19603232285BC47297E
SHA-512:	80300E9FE7FD12DE32FCB88F58D6397D47C60D7877F7FC5AAC7EF695F82A4FCA572BB7E708A34B9712092F47359F4C195F7878B977374EF682BF9B58C66E7E8E
Malicious:	false
Preview:	2024/08/27-17:35:12.030 2180 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/08/27-17:35:12.043 2180 Recovering log #3.2024/08/27-17:35:12.048 2180 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.122134663756408
Encrypted:	false
SSDEEP:	6:N7g81q2P923oH+TcwtrQMxIFUt887gTZZmw+87gAzkwO923oH+TcwtrQMFLJ:N7hv4YebCFUt887yZ/+87Z5LYebtJ
MD5:	54B827126CA423517B3DCFD75CDA1341
SHA1:	915990D4EA28BA35C868B3D1D5497FC0C91AAA3B
SHA-256:	4A4DD8E9AF5B1E16C748FD8567A1373E8AED90ED9D0ED19603232285BC47297E
SHA-512:	80300E9FE7FD12DE32FCB88F58D6397D47C60D7877F7FC5AAC7EF695F82A4FCA572BB7E708A34B9712092F47359F4C195F7878B977374EF682BF9B58C66E7E8E
Malicious:	false
Preview:	2024/08/27-17:35:12.030 2180 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/08/27-17:35:12.043 2180 Recovering log #3.2024/08/27-17:35:12.048 2180 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.156726162577675
Encrypted:	false
SSDEEP:	6:N7863+q2P923oH+Tcwt7Uh2ghZIFUt8878lZmw+878JVkwO923oH+Tcwt7Uh2gnd:N7nOv4YebIhHh2FUt887c/+87c5LYebs
MD5:	9526F9C216655A4E6BB1B8FF797E762A
SHA1:	808AC10DE6D9DF40847539B135D35F86FB16A359
SHA-256:	F668DDA307E1014710341F3968526BDFF90EBADAA8FBF9C9F7543BFDE5E8F4CF
SHA-512:	F131BF0D88D9E27E643B65B0CDCD10DB7D7CC8ADEBC91DA8A9A3755BC1CCDB9CD0C8841FC4C1657ABEFFE56469E262D73F57D3059392DD449B4E3054288C8883
Malicious:	false
Preview:	2024/08/27-17:35:11.345 2028 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/27-17:35:11.348 2028 Recovering log #3.2024/08/27-17:35:11.348 2028 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.156726162577675
Encrypted:	false
SSDEEP:	6:N7863+q2P923oH+Tcwt7Uh2ghZIFUt8878lZmw+878JVkwO923oH+Tcwt7Uh2gnd:N7nOv4YebIhHh2FUt887c/+87c5LYebs
MD5:	9526F9C216655A4E6BB1B8FF797E762A
SHA1:	808AC10DE6D9DF40847539B135D35F86FB16A359
SHA-256:	F668DDA307E1014710341F3968526BDFF90EBADAA8FBF9C9F7543BFDE5E8F4CF
SHA-512:	F131BF0D88D9E27E643B65B0CDCD10DB7D7CC8ADEBC91DA8A9A3755BC1CCDB9CD0C8841FC4C1657ABEFFE56469E262D73F57D3059392DD449B4E3054288C8883
Malicious:	false
Preview:	2024/08/27-17:35:11.345 2028 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/27-17:35:11.348 2028 Recovering log #3.2024/08/27-17:35:11.348 2028 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF37ba9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.156726162577675
Encrypted:	false
SSDEEP:	6:N7863+q2P923oH+Tcwt7Uh2ghZIFUt8878lZmw+878JVkwO923oH+Tcwt7Uh2gnd:N7nOv4YebIhHh2FUt887c/+87c5LYebs
MD5:	9526F9C216655A4E6BB1B8FF797E762A
SHA1:	808AC10DE6D9DF40847539B135D35F86FB16A359
SHA-256:	F668DDA307E1014710341F3968526BDFF90EBADAA8FBF9C9F7543BFDE5E8F4CF
SHA-512:	F131BF0D88D9E27E643B65B0CDCD10DB7D7CC8ADEBC91DA8A9A3755BC1CCDB9CD0C8841FC4C1657ABEFFE56469E262D73F57D3059392DD449B4E3054288C8883
Malicious:	false
Preview:	2024/08/27-17:35:11.345 2028 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/27-17:35:11.348 2028 Recovering log #3.2024/08/27-17:35:11.348 2028 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.231563604592956
Encrypted:	false
SSDEEP:	12:N7J4Av4YebvqBQFUt887JUn/+87JS75LYebvqBvJ:N34YebvZg88WNaLYebvk
MD5:	C1DD8FBDD5FFFF8FE06CF9637A0A9117
SHA1:	E300312C1A582410D591A5B6332DCD1F584DCD8D
SHA-256:	2C1131F4F6E9A37DAEB0CA0546E7D3C781BA057FC510FB4C39F7D1866F4D2360
SHA-512:	D30540CCCDCD3B210FB9C39C7B7AC0A6A58DABE5E02EEAEEA2DDC45AC35F55E069BE01B55B14C7813815DACE7E3A4C03D5916788B4D3BEE75BDB613E243072FD
Malicious:	false
Preview:	2024/08/27-17:35:12.091 21a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/08/27-17:35:12.093 21a0 Recovering log #3.2024/08/27-17:35:12.097 21a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	434
Entropy (8bit):	5.231563604592956
Encrypted:	false
SSDEEP:	12:N7J4Av4YebvqBQFUt887JUn/+87JS75LYebvqBvJ:N34YebvZg88WNaLYebvk
MD5:	C1DD8FBDD5FFFF8FE06CF9637A0A9117
SHA1:	E300312C1A582410D591A5B6332DCD1F584DCD8D
SHA-256:	2C1131F4F6E9A37DAEB0CA0546E7D3C781BA057FC510FB4C39F7D1866F4D2360
SHA-512:	D30540CCCDCD3B210FB9C39C7B7AC0A6A58DABE5E02EEAEEA2DDC45AC35F55E069BE01B55B14C7813815DACE7E3A4C03D5916788B4D3BEE75BDB613E243072FD
Malicious:	false
Preview:	2024/08/27-17:35:12.091 21a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/08/27-17:35:12.093 21a0 Recovering log #3.2024/08/27-17:35:12.097 21a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\121bd99c-751e-4a64-8f06-a93d8f4f9934.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\7b6915be-8739-4a93-8c9f-588019f594e2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3886039372934488
Encrypted:	false
SSDEEP:	24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:	DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:	949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:	3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:	7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.225511321202977
Encrypted:	false
SSDEEP:	12:N77pv4YebvqBZFUt887b1/+87Fs05LYebvqBaJ:Nl4Yebvyg88n7hs+LYebvL
MD5:	A5B8A791F8A3B3546FC2AA4040202971
SHA1:	5BEE2407307D7A5FF4AF2E7D70291CC4BE9AC3E6
SHA-256:	30E61917F2A68A0B376D336F5AC40E8A1F61200BA646972E067006956E56BB7F
SHA-512:	21A8FCC758BF1A4E59673DE293DDBD3CF9AB49E2E0C66930DB33237E6407FD1DD62DCC8D92E30B2463195D22C70460D981E165D62354ED1E69C86771A9815578
Malicious:	false
Preview:	2024/08/27-17:35:12.040 21a4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/08/27-17:35:12.043 21a4 Recovering log #3.2024/08/27-17:35:12.050 21a4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.225511321202977
Encrypted:	false
SSDEEP:	12:N77pv4YebvqBZFUt887b1/+87Fs05LYebvqBaJ:Nl4Yebvyg88n7hs+LYebvL
MD5:	A5B8A791F8A3B3546FC2AA4040202971
SHA1:	5BEE2407307D7A5FF4AF2E7D70291CC4BE9AC3E6
SHA-256:	30E61917F2A68A0B376D336F5AC40E8A1F61200BA646972E067006956E56BB7F
SHA-512:	21A8FCC758BF1A4E59673DE293DDBD3CF9AB49E2E0C66930DB33237E6407FD1DD62DCC8D92E30B2463195D22C70460D981E165D62354ED1E69C86771A9815578
Malicious:	false
Preview:	2024/08/27-17:35:12.040 21a4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/08/27-17:35:12.043 21a4 Recovering log #3.2024/08/27-17:35:12.050 21a4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.22869366581118
Encrypted:	false
SSDEEP:	6:N780AM+q2P923oH+TcwtpIFUt8878PUSZZmw+878PUSMMVkwO923oH+Tcwta/WLJ:N7Jp+v4YebmFUt887eZ/+87eNV5LYeb7
MD5:	1E01656E41207DB1D6FA6574792ACB62
SHA1:	9ABE51F49A24012F4B37373C16DD623D94712D79
SHA-256:	BE2749C22C21F13E87FE228C4B955F6A1A5531F200B8626B9F645ADC67673E57
SHA-512:	0828D191DC529EDEEB25661C19D51BC68D9522FAF472A87C4564EE0F0149A7DE11847EA3B2283806B248693E206166F77C95DED8973DB5F9F2770DC1B74A5B01
Malicious:	false
Preview:	2024/08/27-17:35:11.365 201c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/27-17:35:11.366 201c Recovering log #3.2024/08/27-17:35:11.366 201c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.22869366581118
Encrypted:	false
SSDEEP:	6:N780AM+q2P923oH+TcwtpIFUt8878PUSZZmw+878PUSMMVkwO923oH+Tcwta/WLJ:N7Jp+v4YebmFUt887eZ/+87eNV5LYeb7
MD5:	1E01656E41207DB1D6FA6574792ACB62
SHA1:	9ABE51F49A24012F4B37373C16DD623D94712D79
SHA-256:	BE2749C22C21F13E87FE228C4B955F6A1A5531F200B8626B9F645ADC67673E57
SHA-512:	0828D191DC529EDEEB25661C19D51BC68D9522FAF472A87C4564EE0F0149A7DE11847EA3B2283806B248693E206166F77C95DED8973DB5F9F2770DC1B74A5B01
Malicious:	false
Preview:	2024/08/27-17:35:11.365 201c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/27-17:35:11.366 201c Recovering log #3.2024/08/27-17:35:11.366 201c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF37ba9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.22869366581118
Encrypted:	false
SSDEEP:	6:N780AM+q2P923oH+TcwtpIFUt8878PUSZZmw+878PUSMMVkwO923oH+Tcwta/WLJ:N7Jp+v4YebmFUt887eZ/+87eNV5LYeb7
MD5:	1E01656E41207DB1D6FA6574792ACB62
SHA1:	9ABE51F49A24012F4B37373C16DD623D94712D79
SHA-256:	BE2749C22C21F13E87FE228C4B955F6A1A5531F200B8626B9F645ADC67673E57
SHA-512:	0828D191DC529EDEEB25661C19D51BC68D9522FAF472A87C4564EE0F0149A7DE11847EA3B2283806B248693E206166F77C95DED8973DB5F9F2770DC1B74A5B01
Malicious:	false
Preview:	2024/08/27-17:35:11.365 201c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/27-17:35:11.366 201c Recovering log #3.2024/08/27-17:35:11.366 201c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1222131067622534
Encrypted:	false
SSDEEP:	384:b2qOB1nxCkjSAELyKOMq+8yC8F/YfU5m+OlT:Kq+n0o9ELyKOMq+8y9/Ow
MD5:	BACCEC105C35016ADDBA5E204F12CB20
SHA1:	58B342D57F99F7F5020375376045FEDDBAA4595E
SHA-256:	11431BBE6EC4A91678F0745358B70C2016AE54E994BF8E3627C72F0FAB282142
SHA-512:	347032AED7F6480B169D8A2B6658C5FE7C19FC44B51D7A9CE5773F8DD41AA6D8B6D83CE8139241F394AA24A17260DBAEC05170F3E5E09C3083749D56178D4233
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\daf6f1ac-9718-424c-beae-e5b45b55c7ec.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4108834313259155
Encrypted:	false
SSDEEP:	24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8e+ZcI5fc:TnUYVAKAFXX+CcEc
MD5:	8593795778EA3EC8221366AA2FBBA867
SHA1:	2F307D4925183EA13E7BE637CB93ECAF2BA9810A
SHA-256:	F3C17873660988454A5A403D047FCE88379D1FE8917A89C98E6EB940F8929C03
SHA-512:	CC86DD61ACEDA6F2927C4C23CBD6D426F2C8CD1DF65E342C76D07153ACBF801F9B297F8EF182097CBABBDE6A49C90AF0E7A38E49AB53DF3FD2EC2D5BC675099A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049731726990245535
Encrypted:	false
SSDEEP:	6:Gd0JAmu8jH0JAmu8rtCL9XCChslotGLNl0ml/XoQDeX:zJXsJXQpEjVl/XoQ
MD5:	C54B3D1870E84B11D259971CBC7B34F7
SHA1:	5F3D7D108711BA075CC8DFD4A079363B4F36DADB
SHA-256:	AC3A97348BF70C13B6BA0618708EE0F39FCA5644BAC0D2CD12CD9B5647D18F15
SHA-512:	4A0033E46E0309DC121922D795DC011FF830BA85FA02681A80C1FC1F145820526C328980034B21F20DFE4F83FA15F8D9D7FBB6F85024A614021E73AD24CFEFAD
Malicious:	false
Preview:	..-.....................:Db.W.v..4..}..tT...l...-.....................:Db.W.v..4..}..tT...l.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.19938960894767
Encrypted:	false
SSDEEP:	6:N7TAq2P923oH+TcwtfrK+IFUt887oZmw+87wkwO923oH+TcwtfrUeLJ:N7Uv4Yeb23FUt887o/+87w5LYeb3J
MD5:	C64C50AD440ABAAA0246154B6A7C5655
SHA1:	504BAEE9982FDDA659F416EB9C5929347A6CC23F
SHA-256:	78E4AADECFA7294A56FDEF5C6BAB39352C538402E3DA540CE839D60D7B8F3E28
SHA-512:	B9116C0B06B9E2A4EDE8A090F1566B8882B5FC2E808406B1D1942E5D11BFA3FEC03745CB55357FE97298D1ADD65F9EAF55298FECC19F3B75FECD3960EF112825
Malicious:	false
Preview:	2024/08/27-17:35:11.413 2020 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/27-17:35:11.414 2020 Recovering log #3.2024/08/27-17:35:11.414 2020 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.19938960894767
Encrypted:	false
SSDEEP:	6:N7TAq2P923oH+TcwtfrK+IFUt887oZmw+87wkwO923oH+TcwtfrUeLJ:N7Uv4Yeb23FUt887o/+87w5LYeb3J
MD5:	C64C50AD440ABAAA0246154B6A7C5655
SHA1:	504BAEE9982FDDA659F416EB9C5929347A6CC23F
SHA-256:	78E4AADECFA7294A56FDEF5C6BAB39352C538402E3DA540CE839D60D7B8F3E28
SHA-512:	B9116C0B06B9E2A4EDE8A090F1566B8882B5FC2E808406B1D1942E5D11BFA3FEC03745CB55357FE97298D1ADD65F9EAF55298FECC19F3B75FECD3960EF112825
Malicious:	false
Preview:	2024/08/27-17:35:11.413 2020 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/27-17:35:11.414 2020 Recovering log #3.2024/08/27-17:35:11.414 2020 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old~RF37c26.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.19938960894767
Encrypted:	false
SSDEEP:	6:N7TAq2P923oH+TcwtfrK+IFUt887oZmw+87wkwO923oH+TcwtfrUeLJ:N7Uv4Yeb23FUt887o/+87w5LYeb3J
MD5:	C64C50AD440ABAAA0246154B6A7C5655
SHA1:	504BAEE9982FDDA659F416EB9C5929347A6CC23F
SHA-256:	78E4AADECFA7294A56FDEF5C6BAB39352C538402E3DA540CE839D60D7B8F3E28
SHA-512:	B9116C0B06B9E2A4EDE8A090F1566B8882B5FC2E808406B1D1942E5D11BFA3FEC03745CB55357FE97298D1ADD65F9EAF55298FECC19F3B75FECD3960EF112825
Malicious:	false
Preview:	2024/08/27-17:35:11.413 2020 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/27-17:35:11.414 2020 Recovering log #3.2024/08/27-17:35:11.414 2020 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	787
Entropy (8bit):	4.059252238767438
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Uz0RuWlJhC+lvBavRtin01zvZDEtlkyBrgxvB1ys:G0nYUtypD3RUovhC+lvBOL+t3IvB8s
MD5:	D8D8899761F621B63AD5ED6DF46D22FE
SHA1:	23E6A39058AB3C1DEADC0AF2E0FFD0D84BB7F1BE
SHA-256:	A5E0A78EE981FB767509F26021E1FA3C506F4E86860946CAC1DC4107EB3B3813
SHA-512:	4F89F556138C0CF24D3D890717EB82067C5269063C84229E93F203A22028782902FA48FB0154F53E06339F2FDBE35A985CE728235EA429D8D157090D25F15A4E
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J\|.................37_...... .A.................38_..........................39_........].................20_.....Owa..................20_.....`..N.................19_.....D8.X.................18_......`...................37_..........................38_......\e..................39_.....dz.\|.................9_.....'\c..................9_.......f-.................__global... .\|.&R.................__global... ./....................__global... ..T...................__global... ...G..................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.186368544100265
Encrypted:	false
SSDEEP:	6:N7eOq2P923oH+TcwtfrzAdIFUt887SHZmw+87SVkwO923oH+TcwtfrzILJ:N7eOv4Yeb9FUt887SH/+87SV5LYeb2J
MD5:	3FCECDAFCF4BC835543F524F3999786A
SHA1:	3AD692DB64F5D25BA422F6903764CF12EB80613F
SHA-256:	CC242867B1579471B7BD16F0364539504A6A49FA4B4776FA31C6B5CAD8E9BB9D
SHA-512:	D769C1225E448C831A534E347868634411BB569F408627DB72D9024F3DE2FBF2761258227FE49D6836A2A1011298E6CF96734EB734DCF0830F0ECB0160A3C40C
Malicious:	false
Preview:	2024/08/27-17:35:11.409 2020 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/27-17:35:11.410 2020 Recovering log #3.2024/08/27-17:35:11.410 2020 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.186368544100265
Encrypted:	false
SSDEEP:	6:N7eOq2P923oH+TcwtfrzAdIFUt887SHZmw+87SVkwO923oH+TcwtfrzILJ:N7eOv4Yeb9FUt887SH/+87SV5LYeb2J
MD5:	3FCECDAFCF4BC835543F524F3999786A
SHA1:	3AD692DB64F5D25BA422F6903764CF12EB80613F
SHA-256:	CC242867B1579471B7BD16F0364539504A6A49FA4B4776FA31C6B5CAD8E9BB9D
SHA-512:	D769C1225E448C831A534E347868634411BB569F408627DB72D9024F3DE2FBF2761258227FE49D6836A2A1011298E6CF96734EB734DCF0830F0ECB0160A3C40C
Malicious:	false
Preview:	2024/08/27-17:35:11.409 2020 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/27-17:35:11.410 2020 Recovering log #3.2024/08/27-17:35:11.410 2020 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old~RF37c26.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.186368544100265
Encrypted:	false
SSDEEP:	6:N7eOq2P923oH+TcwtfrzAdIFUt887SHZmw+87SVkwO923oH+TcwtfrzILJ:N7eOv4Yeb9FUt887SH/+87SV5LYeb2J
MD5:	3FCECDAFCF4BC835543F524F3999786A
SHA1:	3AD692DB64F5D25BA422F6903764CF12EB80613F
SHA-256:	CC242867B1579471B7BD16F0364539504A6A49FA4B4776FA31C6B5CAD8E9BB9D
SHA-512:	D769C1225E448C831A534E347868634411BB569F408627DB72D9024F3DE2FBF2761258227FE49D6836A2A1011298E6CF96734EB734DCF0830F0ECB0160A3C40C
Malicious:	false
Preview:	2024/08/27-17:35:11.409 2020 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/27-17:35:11.410 2020 Recovering log #3.2024/08/27-17:35:11.410 2020 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090682972702823
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMfwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE76ntbz8hu3VlXr4CRo1
MD5:	30A1BFEDD1DD0BDA778ED4FEDB76B26B
SHA1:	A78245E15100AA1CA7145F773A79221BC540476C
SHA-256:	B444DCBB57895B1340A5B6BC848DD869BA278938E85430F3578527AB2EE7DB89
SHA-512:	FC5FEFFF882DEAA04D9B6B48E4381009661D3AC45128556B0B2A459B3C4DB168587D69F048573B741CC41675A4CF4B29085046C1B43C2F59E1CB5654AAB9CAE4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35cb7.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090682972702823
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMfwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE76ntbz8hu3VlXr4CRo1
MD5:	30A1BFEDD1DD0BDA778ED4FEDB76B26B
SHA1:	A78245E15100AA1CA7145F773A79221BC540476C
SHA-256:	B444DCBB57895B1340A5B6BC848DD869BA278938E85430F3578527AB2EE7DB89
SHA-512:	FC5FEFFF882DEAA04D9B6B48E4381009661D3AC45128556B0B2A459B3C4DB168587D69F048573B741CC41675A4CF4B29085046C1B43C2F59E1CB5654AAB9CAE4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35d82.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090682972702823
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMfwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE76ntbz8hu3VlXr4CRo1
MD5:	30A1BFEDD1DD0BDA778ED4FEDB76B26B
SHA1:	A78245E15100AA1CA7145F773A79221BC540476C
SHA-256:	B444DCBB57895B1340A5B6BC848DD869BA278938E85430F3578527AB2EE7DB89
SHA-512:	FC5FEFFF882DEAA04D9B6B48E4381009661D3AC45128556B0B2A459B3C4DB168587D69F048573B741CC41675A4CF4B29085046C1B43C2F59E1CB5654AAB9CAE4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35e9c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090682972702823
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMfwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE76ntbz8hu3VlXr4CRo1
MD5:	30A1BFEDD1DD0BDA778ED4FEDB76B26B
SHA1:	A78245E15100AA1CA7145F773A79221BC540476C
SHA-256:	B444DCBB57895B1340A5B6BC848DD869BA278938E85430F3578527AB2EE7DB89
SHA-512:	FC5FEFFF882DEAA04D9B6B48E4381009661D3AC45128556B0B2A459B3C4DB168587D69F048573B741CC41675A4CF4B29085046C1B43C2F59E1CB5654AAB9CAE4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37be8.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090682972702823
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMfwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE76ntbz8hu3VlXr4CRo1
MD5:	30A1BFEDD1DD0BDA778ED4FEDB76B26B
SHA1:	A78245E15100AA1CA7145F773A79221BC540476C
SHA-256:	B444DCBB57895B1340A5B6BC848DD869BA278938E85430F3578527AB2EE7DB89
SHA-512:	FC5FEFFF882DEAA04D9B6B48E4381009661D3AC45128556B0B2A459B3C4DB168587D69F048573B741CC41675A4CF4B29085046C1B43C2F59E1CB5654AAB9CAE4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37c45.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090682972702823
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMfwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE76ntbz8hu3VlXr4CRo1
MD5:	30A1BFEDD1DD0BDA778ED4FEDB76B26B
SHA1:	A78245E15100AA1CA7145F773A79221BC540476C
SHA-256:	B444DCBB57895B1340A5B6BC848DD869BA278938E85430F3578527AB2EE7DB89
SHA-512:	FC5FEFFF882DEAA04D9B6B48E4381009661D3AC45128556B0B2A459B3C4DB168587D69F048573B741CC41675A4CF4B29085046C1B43C2F59E1CB5654AAB9CAE4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37c74.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090682972702823
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMfwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE76ntbz8hu3VlXr4CRo1
MD5:	30A1BFEDD1DD0BDA778ED4FEDB76B26B
SHA1:	A78245E15100AA1CA7145F773A79221BC540476C
SHA-256:	B444DCBB57895B1340A5B6BC848DD869BA278938E85430F3578527AB2EE7DB89
SHA-512:	FC5FEFFF882DEAA04D9B6B48E4381009661D3AC45128556B0B2A459B3C4DB168587D69F048573B741CC41675A4CF4B29085046C1B43C2F59E1CB5654AAB9CAE4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zET:/M/xT02z8
MD5:	AC81EF9540AC3DDCC4546B82AC3801BD
SHA1:	1AC27855FABFA8AF62752DA91E2A6EADC815CBBC
SHA-256:	4A2C8BA05BE86A2182B9BCC9AEC916588CC9502F4F505CD79991AF8326EC11E4
SHA-512:	D27635D446F0AEA20E138F96BEDEDF118CCF0BC8560CB2E11AB0AACE9D320E989164E2971DAB20571A9B6D9A1B4A52CAAF78084D2141372D77516F52ABD222AB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
MD5:	265DB1C9337422F9AF69EF2B4E1C7205
SHA1:	3E38976BB5CF035C75C9BC185F72A80E70F41C2E
SHA-256:	7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
SHA-512:	3CC9B76D8D4B6EDB4C41677BE3483AC37785F3BBFEA4489F3855433EBF84EA25FC48EFEE9B74CAB268DC9CB7FB4789A81C94E75C7BF723721DE28AEF53D8B529
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\aec2ae36-a184-44d0-b4f8-754450c3805e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44663
Entropy (8bit):	6.09533036988569
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBswuphDO6vP6O6jTJ/sPBlQuPcGoup1Xl3jVzXr4z:z/Ps+wsI7yOE16aj2chu3VlXr4CRo1
MD5:	5551621AACC527435C68D03C25C40932
SHA1:	BD4ECF77EBA04CDDC4431B2B96E6956D84F9774D
SHA-256:	2D104D9C5063BFF2E7CCD8A218CD5CB970CDED8FF25024BAD9E5F4B0DE4E3430
SHA-512:	D033A7910C38722CE740DE4C93118A8AD001FA7A05643006148921785DC145A711A920AE78A33454A4C16B7BFDAD7ED304B7BD4A024DEB3E3117D5EE089E4FBD
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\d68924b6-dbb1-4e8c-94fc-5ea3c6b757a6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44664
Entropy (8bit):	6.095332661709662
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBsFuphDO6vP6O6jTR/sPBlQuPcGoup1Xl3jVzXr4z:z/Ps+wsI7yOE46aj2chu3VlXr4CRo1
MD5:	89CC5ABD22D7764120319E5046DD43FB
SHA1:	0559CADC218943946D77CD13302C2E93636CE467
SHA-256:	8EB2B4E5B7BD71FDC200BFBB99E7A0737F26E546FCD19AEE9CCDC5A0DC443F99
SHA-512:	646832FEE2C6DF1BD142B4E8C9163ACEA50A8288AFAFD988EAFBB9A4C9C069B208734944794093FBBA0DCE85CCC71A9AB9ACE3ADBB02B0749C37959DF66DD308
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ebacc84e-d7f2-40f1-8575-4b905ef030ca.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44664
Entropy (8bit):	6.095775398320748
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBsFuphDO6vP6O6j3R/pP8UcGoup1Xl3jVzXr4CCAg:z/Ps+wsI7yOE46ajbchu3VlXr4CRo1
MD5:	3D852C5AF1DE094879DA6E77135D0CB2
SHA1:	87B62089D5AD6D3E8C2668C5B79A87EFFEDD6936
SHA-256:	8AA6CBC4C1C50CE0A4D2EEFCE1E1BCC3E601872E4A70DCFA0FE5012F6CFDA631
SHA-512:	4C18F2E6DB6D34F71B772048D3DC6622B9D1496FCFAD07580F7D25B7AFFD2A2CD55C58DCFC75E2898D1B2572F4D6062D99834C264F340B25ADA23E33B2B5230F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\fe969aae-e560-45e9-b7c7-addb77fb6918.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090682972702823
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMfwuF9hDO6vP6O+Otbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE76ntbz8hu3VlXr4CRo1
MD5:	30A1BFEDD1DD0BDA778ED4FEDB76B26B
SHA1:	A78245E15100AA1CA7145F773A79221BC540476C
SHA-256:	B444DCBB57895B1340A5B6BC848DD869BA278938E85430F3578527AB2EE7DB89
SHA-512:	FC5FEFFF882DEAA04D9B6B48E4381009661D3AC45128556B0B2A459B3C4DB168587D69F048573B741CC41675A4CF4B29085046C1B43C2F59E1CB5654AAB9CAE4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.855548380064107
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxyxl9Il8u/0Zt+mvrcrd2jNKrBZRd1rc:mbYEomvrcrRrBZy
MD5:	A43652425E7211C8DE312FB782BF0D52
SHA1:	496AFF14A0931CCE479A535A59E52848C50CB248
SHA-256:	10D3274B8394AA3C39EDD1A44C143ECB86D9FB79CEB62F63729C9CAA4BA0E64E
SHA-512:	A87CA998DB873FD0889483EE83824B31DDAB2F038C6C10593F31D5BEBEAC18ECFF3C297A17C5342BE0CA6CA02B95A483B6AEE39E684107434E1AF535CEF2B58D
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.J.H.c.V.t.H.4.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.u.L.M.j.z.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.000755565733589
Encrypted:	false
SSDEEP:	96:dYsRybBHTqS791Zt3VyIPUV/WpjBDrFufdga:d5gbBHeMB3VVMSVedb
MD5:	9AB207EA7011CC59DBFC8E577B608C93
SHA1:	30535AF30DF16806DEAF1F83FE3DFBDC86996857
SHA-256:	321409ABAD7DF2F1E3E6082206FD8937DDC27C0C639CE8F479A1508C43091DA3
SHA-512:	8C1F052B751C7CB9BE35D7FF3F7450915E8F20C13914FFD0C0EABE4A35E5062831374FF8F3B0CD8574F9485FA20865AD964DF534A58FC725C80F80E3D588B91D
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".7.S.v.z.P.M.n.4.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.B.u.L.M.j.z.

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1880
Entropy (8bit):	5.397068563035204
Encrypted:	false
SSDEEP:	48:Yzj57SnaJ57H57Uv5W1Sj5W175zuR5z+5zn071eDJk5c1903bj5jJp0gcU854RrY:8e2Fa116uCntc5toYH4
MD5:	7AE449482E178154E24715EBF751469F
SHA1:	6D1769FD774B2EF9A9EFA689CF17CAE2F3B5F141
SHA-256:	EA8121C7D8265B226C9364586750C97CE849EA662A7BC1365BEEF69BDFDDC764
SHA-512:	D812D726C95809C2A4F61FA3993D271189D93507EF1BFFA875A8F60330C330A5884925FA49043F4E4DB22181E79948683B72E53E86FCFA98070339FC618C046A
Malicious:	false
Preview:	{"logTime": "1004/133448", "correlationVector":"vYS73lRT+EoO2Owh9jsc+Y","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"n/KhuHPhHmYXokB31+JZz7","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"fclQx26bUZO07waFEDe6Fn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"0757l0tkKt37vNrdCKAm8w","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"uTRRkmbbqkgK/wPBCS4fct","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"2DrXipL1ngF91RN7IemK0e","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"d0GyjEgnW85fvDIojHVIXI","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"PvfzGWRutB/kmuXUK+c8XA","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"29CB75FBC4C942E0817A1F7A0E2CF647

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\875a60a09683c344.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.525194951256619
Encrypted:	false
SSDEEP:	48:l0XEJndOfO+DsJf0rWzBdLXuHJkDpX0X2AN6tdOfsDsJf0rWzngdLXuHJk+21:lND3upkDZlTUnIupkz
MD5:	4873EE7281891421B9CF5F52EFF3E8B0
SHA1:	DCA4FE2EC38E6497FB4ABE4559B285AD2378127A
SHA-256:	141D10E6127181E4BC8D811C04AF9882CF69965129F3FEE7B340121D28EFA423
SHA-512:	8A62D16C4F592D1B05871F2A68540078E6AB69DA8A883B698DC4DD012834F33624AA21B8DB6A9FC25241B82F4C39F252C57CE8D65CF7DF6873FBBB7CD3B6C4AB
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....k.......?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW.r..PROGRA~2.........O.IDW.r....................V......w..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y[........................... u..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..YZ...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..YZ.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j....................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8IQRJB5LH2AX27B262KG.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5257641981779937
Encrypted:	false
SSDEEP:	48:l0XEN6tdOfsDsJf0rWzBdLXuHJkDpX0X2AN6tdOfsDsJf0rWzngdLXuHJk+21:luU3upkDZlTUnIupkz
MD5:	95B28D41B4B8DEFE4D4E1B322204704B
SHA1:	A95DFB3C34CA933AECF48C53B88534A177BEEDF6
SHA-256:	C566A8790DB6A71BC2B075AE5F1F14E3E22534F5227FD797A6DF432D12C4AC22
SHA-512:	E05F312C89D44A260DD6F7E7F6B3E5065A1295C1FA33D055FB79CD35625FB2F8EA5EF0A6CBEE31602EEB7D1A08FAFED4A01E95A219F79E04E8B7C99EF62A8C7F
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....k.......?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......YX...PROGRA~2.........O.I.YX.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y[........................... u..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Y]............................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..YZ...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..YZ.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j....................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8SMIYA51MPB02DPR4DMA.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.525194951256619
Encrypted:	false
SSDEEP:	48:l0XEJndOfO+DsJf0rWzBdLXuHJkDpX0X2AN6tdOfsDsJf0rWzngdLXuHJk+21:lND3upkDZlTUnIupkz
MD5:	4873EE7281891421B9CF5F52EFF3E8B0
SHA1:	DCA4FE2EC38E6497FB4ABE4559B285AD2378127A
SHA-256:	141D10E6127181E4BC8D811C04AF9882CF69965129F3FEE7B340121D28EFA423
SHA-512:	8A62D16C4F592D1B05871F2A68540078E6AB69DA8A883B698DC4DD012834F33624AA21B8DB6A9FC25241B82F4C39F252C57CE8D65CF7DF6873FBBB7CD3B6C4AB
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....k.......?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW.r..PROGRA~2.........O.IDW.r....................V......w..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y[........................... u..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..YZ...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..YZ.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j....................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5257641981779937
Encrypted:	false
SSDEEP:	48:l0XEN6tdOfsDsJf0rWzBdLXuHJkDpX0X2AN6tdOfsDsJf0rWzngdLXuHJk+21:luU3upkDZlTUnIupkz
MD5:	95B28D41B4B8DEFE4D4E1B322204704B
SHA1:	A95DFB3C34CA933AECF48C53B88534A177BEEDF6
SHA-256:	C566A8790DB6A71BC2B075AE5F1F14E3E22534F5227FD797A6DF432D12C4AC22
SHA-512:	E05F312C89D44A260DD6F7E7F6B3E5065A1295C1FA33D055FB79CD35625FB2F8EA5EF0A6CBEE31602EEB7D1A08FAFED4A01E95A219F79E04E8B7C99EF62A8C7F
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....k.......?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......YX...PROGRA~2.........O.I.YX.....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y[........................... u..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Y]............................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..YZ...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..YZ.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j....................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579774375886675
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	0f6e42568e2e9bcb953e5b0c17c5bb11
SHA1:	978cd202710711fb80a6ef59185429a9873ad538
SHA256:	2f75aacea07851e0995882ab103708362678370e688dc20dc25f77af5a5c94d3
SHA512:	1da298c32d42b5d3995f11de3f6bea760b526421d91ec23611c1c15cbc712c071065bfe34a3bd84de251ca460205d88a85b6c9e21ec68a8ed1cf9a5fadba5617
SSDEEP:	12288:4qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacT0:4qDEvCTbMWu7rQYlBQcBiT6rprG8as0
TLSH:	88159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CE3B44 [Tue Aug 27 20:47:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F5894C393B3h
jmp 00007F5894C38CBFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5894C38E9Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F5894C38E6Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F5894C3BA5Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F5894C3BAA8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F5894C3BA91h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95c8	0x9600	c30f9a9d6da25e204ea08a4787f733bb	False	0.286953125	data	5.1659462670210585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x890	data			1.0050182481751824
RT_GROUP_ICON	0xdd048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 23:34:49.439412117 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 27, 2024 23:34:49.439445019 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 27, 2024 23:34:49.548827887 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 27, 2024 23:34:59.044451952 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 27, 2024 23:34:59.128607035 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 27, 2024 23:34:59.340193987 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 27, 2024 23:34:59.988250017 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:34:59.988285065 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:34:59.988411903 CEST	49723	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:34:59.988442898 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:34:59.988442898 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:34:59.988503933 CEST	49723	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:34:59.988748074 CEST	49723	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:34:59.988759041 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:34:59.988928080 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:34:59.988940954 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.238861084 CEST	49724	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.238877058 CEST	443	49724	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.239049911 CEST	49724	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.239398956 CEST	49725	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.239423990 CEST	443	49725	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.239507914 CEST	49725	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.239835024 CEST	49724	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.239846945 CEST	443	49724	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.240158081 CEST	49725	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.240170956 CEST	443	49725	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.240457058 CEST	49726	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.240463018 CEST	443	49726	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.240509033 CEST	49726	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.240981102 CEST	49727	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.240991116 CEST	443	49727	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.241049051 CEST	49727	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.241194963 CEST	49726	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.241206884 CEST	443	49726	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.241441965 CEST	49727	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.241452932 CEST	443	49727	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.301671982 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 27, 2024 23:35:00.301701069 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 27, 2024 23:35:00.301755905 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 27, 2024 23:35:00.303122044 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 27, 2024 23:35:00.303133011 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 27, 2024 23:35:00.641046047 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.641083956 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.641329050 CEST	49723	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.641340017 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.641483068 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.641496897 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.642405033 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.642472982 CEST	49723	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.642534018 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.642591953 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.643650055 CEST	49723	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.643707991 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.643985033 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.644046068 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.644102097 CEST	49723	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.644108057 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.644182920 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.644188881 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.698456049 CEST	443	49726	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.698679924 CEST	49726	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.698689938 CEST	443	49726	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.699282885 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.699718952 CEST	443	49726	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.699774027 CEST	49726	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.700905085 CEST	443	49727	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.701252937 CEST	443	49725	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.702421904 CEST	49726	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.702487946 CEST	443	49726	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.704056025 CEST	49726	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.704062939 CEST	443	49726	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.704603910 CEST	49725	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.704611063 CEST	443	49725	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.704714060 CEST	49727	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.704734087 CEST	443	49727	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.705620050 CEST	443	49725	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.705691099 CEST	49725	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.705919981 CEST	443	49727	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.705967903 CEST	49727	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.707070112 CEST	49725	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.707132101 CEST	443	49725	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.707376003 CEST	49725	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.707382917 CEST	443	49725	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.708837986 CEST	49727	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.708908081 CEST	443	49727	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.709062099 CEST	49727	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.709069014 CEST	443	49727	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.710937023 CEST	443	49724	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.711107016 CEST	49724	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.711112976 CEST	443	49724	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.711956024 CEST	443	49724	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.712030888 CEST	49724	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.712975979 CEST	49724	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.713026047 CEST	443	49724	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.713251114 CEST	49724	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.713254929 CEST	443	49724	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.742662907 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.742705107 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.742727995 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.742727995 CEST	49723	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.742775917 CEST	49723	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.743877888 CEST	49723	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.743892908 CEST	443	49723	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.746113062 CEST	49726	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.748543024 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.748565912 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.748574018 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.748598099 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.748616934 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.748627901 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.748639107 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.748657942 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.748672009 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.748697042 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.761744022 CEST	49724	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.763355017 CEST	49727	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.763355970 CEST	49725	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.764834881 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 27, 2024 23:35:00.765090942 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 27, 2024 23:35:00.765100002 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 27, 2024 23:35:00.766150951 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 27, 2024 23:35:00.766206026 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 27, 2024 23:35:00.767426014 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 27, 2024 23:35:00.767486095 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 27, 2024 23:35:00.767573118 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 27, 2024 23:35:00.811758041 CEST	443	49726	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.811841011 CEST	443	49726	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.811888933 CEST	49726	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.812150955 CEST	49726	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.812161922 CEST	443	49726	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.812501907 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 27, 2024 23:35:00.828253031 CEST	443	49725	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.828315020 CEST	443	49725	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.828449965 CEST	49725	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.828679085 CEST	49725	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.828685999 CEST	443	49725	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.831274986 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.831295967 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.831372976 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.831394911 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.831434965 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.832946062 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.832961082 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.833055019 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.833060980 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.833100080 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.835156918 CEST	443	49727	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.835232019 CEST	443	49727	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.835283041 CEST	49727	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.846168995 CEST	443	49724	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.846215963 CEST	443	49724	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.846296072 CEST	49724	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.849507093 CEST	49727	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.849517107 CEST	443	49727	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.851155043 CEST	49724	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.851160049 CEST	443	49724	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.855460882 CEST	49729	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.855493069 CEST	443	49729	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.855573893 CEST	49729	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.856103897 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.856115103 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.856167078 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.856607914 CEST	49729	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.856620073 CEST	443	49729	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.856781960 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.856791019 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:00.873212099 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 27, 2024 23:35:00.873300076 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 27, 2024 23:35:00.879477978 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 27, 2024 23:35:00.879484892 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 27, 2024 23:35:00.890337944 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 27, 2024 23:35:00.890404940 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 27, 2024 23:35:00.890585899 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 27, 2024 23:35:00.890600920 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 27, 2024 23:35:00.917311907 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.917332888 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.917392969 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.917416096 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.917429924 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.917484045 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.917601109 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.917653084 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.917659044 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.917690039 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:00.917732954 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.918467045 CEST	49722	443	192.168.2.5	13.107.246.67
Aug 27, 2024 23:35:00.918486118 CEST	443	49722	13.107.246.67	192.168.2.5
Aug 27, 2024 23:35:01.143309116 CEST	49731	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.143366098 CEST	443	49731	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.143488884 CEST	49731	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.143623114 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.143666029 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.143731117 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.143873930 CEST	49731	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.143888950 CEST	443	49731	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.144033909 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.144047976 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.157289028 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.157318115 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.157453060 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.157649994 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.157658100 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.157759905 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.158037901 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.158052921 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.158272982 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.158282995 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.209567070 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:01.209583044 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:01.209899902 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:01.212837934 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:01.212847948 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:01.313129902 CEST	443	49729	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.313354015 CEST	49729	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.313366890 CEST	443	49729	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.313648939 CEST	443	49729	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.313977957 CEST	49729	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.314034939 CEST	443	49729	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.344887018 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.345134020 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.345143080 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.345498085 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.345834017 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.345901012 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.357918978 CEST	49729	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.408840895 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:01.408874035 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:01.408935070 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:01.409862041 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:01.409876108 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:01.435293913 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.656814098 CEST	443	49731	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.657228947 CEST	49731	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.657257080 CEST	443	49731	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.657622099 CEST	443	49731	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.658020020 CEST	49731	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.658082962 CEST	443	49731	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.659354925 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.659730911 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.659742117 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.660116911 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.660470963 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.660543919 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.660567045 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.660773039 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.660788059 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.661808968 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.661873102 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.662978888 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.663033962 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.672728062 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.673034906 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.673058987 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.673919916 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.673985958 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.674374104 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.674429893 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.699311018 CEST	49731	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.712620974 CEST	49738	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.712641001 CEST	443	49738	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.712713957 CEST	49738	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.712882996 CEST	49739	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.712903976 CEST	443	49739	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.712990999 CEST	49739	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.713222980 CEST	49740	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.713229895 CEST	443	49740	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.713275909 CEST	49740	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.713602066 CEST	49738	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.713613987 CEST	443	49738	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.713735104 CEST	49739	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.713748932 CEST	443	49739	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.713870049 CEST	49740	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.713881016 CEST	443	49740	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.714889050 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.714899063 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.714900970 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.777693987 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.824578047 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.824604034 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.881423950 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:01.881484985 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:01.885245085 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:01.885250092 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:01.885523081 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:01.933927059 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:01.934150934 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.939948082 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:01.980523109 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:02.017832041 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:02.018138885 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:02.018170118 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:02.019242048 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:02.019298077 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:02.020656109 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:02.020726919 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:02.020951033 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:02.020962954 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:02.075501919 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:02.142173052 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:02.142199993 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:02.142246008 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:02.142256021 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:02.142513990 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:02.142570972 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:02.157759905 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:02.157824039 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:02.157891989 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:02.181246042 CEST	443	49739	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.181654930 CEST	49739	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.181668997 CEST	443	49739	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.181987047 CEST	443	49739	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.182318926 CEST	49739	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.182399035 CEST	443	49739	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.200246096 CEST	443	49738	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.206041098 CEST	49738	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.206054926 CEST	443	49738	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.206459045 CEST	443	49738	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.208894968 CEST	49738	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.209007978 CEST	443	49738	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.220529079 CEST	49737	443	192.168.2.5	20.96.153.111
Aug 27, 2024 23:35:02.220541954 CEST	443	49737	20.96.153.111	192.168.2.5
Aug 27, 2024 23:35:02.234028101 CEST	49739	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.255033970 CEST	49738	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.257519960 CEST	443	49740	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.275106907 CEST	49740	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.275115013 CEST	443	49740	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.276228905 CEST	443	49740	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.276299000 CEST	49740	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.276979923 CEST	49740	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.277048111 CEST	443	49740	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.433598995 CEST	49740	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.433608055 CEST	443	49740	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.460530996 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:02.460539103 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:02.541851997 CEST	49740	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.634291887 CEST	49741	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:02.634309053 CEST	443	49741	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:02.634380102 CEST	49741	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:02.635584116 CEST	49741	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:02.635598898 CEST	443	49741	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:03.087856054 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.087889910 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.087996960 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.088088036 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.088108063 CEST	443	49743	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.088170052 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.088336945 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.088354111 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.088542938 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.088555098 CEST	443	49743	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.295831919 CEST	443	49741	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:03.295919895 CEST	49741	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:03.331401110 CEST	49741	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:03.331410885 CEST	443	49741	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:03.331604004 CEST	443	49741	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:03.332825899 CEST	49741	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:03.380503893 CEST	443	49741	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:03.409718990 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:03.409742117 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:03.409806013 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:03.409993887 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:03.410010099 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:03.562613010 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.566158056 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.566183090 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.566591978 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.566653967 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.567344904 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.567394018 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.575320005 CEST	443	49741	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:03.575376987 CEST	443	49741	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:03.575443983 CEST	49741	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:03.583539009 CEST	443	49743	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.605671883 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.605813026 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.605986118 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.605997086 CEST	443	49743	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.606506109 CEST	443	49743	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.606580973 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.606581926 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.606595993 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.607224941 CEST	443	49743	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.607281923 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.607584953 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.607647896 CEST	443	49743	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.608017921 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.608025074 CEST	443	49743	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.653753042 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.664206982 CEST	49741	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:03.664215088 CEST	443	49741	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:03.664225101 CEST	49741	443	192.168.2.5	184.28.90.27
Aug 27, 2024 23:35:03.664230108 CEST	443	49741	184.28.90.27	192.168.2.5
Aug 27, 2024 23:35:03.730604887 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.780352116 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.780421019 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.780503988 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.781265020 CEST	49742	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.781276941 CEST	443	49742	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.784703970 CEST	443	49743	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.785324097 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.785360098 CEST	443	49743	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:03.785434008 CEST	49743	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.877564907 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:03.878840923 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:03.878850937 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:03.879861116 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:03.879940033 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:03.880917072 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:03.880979061 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:03.881162882 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:03.881170988 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:03.934319973 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:04.022538900 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:04.022600889 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:04.022631884 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:04.022659063 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:04.022669077 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:04.022701025 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:04.022717953 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:04.022726059 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:04.022767067 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:04.022835970 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:04.022885084 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:04.022932053 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:04.024705887 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:04.024713039 CEST	443	49744	142.250.64.68	192.168.2.5
Aug 27, 2024 23:35:04.024734020 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:04.024759054 CEST	49744	443	192.168.2.5	142.250.64.68
Aug 27, 2024 23:35:04.095815897 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.095825911 CEST	443	49745	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.095886946 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.096766949 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.096772909 CEST	443	49746	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.096882105 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.097163916 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.097174883 CEST	443	49745	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.097309113 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.097323895 CEST	443	49746	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.557182074 CEST	443	49745	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.558825970 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.558836937 CEST	443	49745	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.559161901 CEST	443	49745	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.559226990 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.559753895 CEST	443	49745	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.559804916 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.559933901 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.559989929 CEST	443	49745	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.578787088 CEST	443	49746	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.582798958 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.582807064 CEST	443	49746	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.583206892 CEST	443	49746	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.583271027 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.583980083 CEST	443	49746	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.584054947 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.584184885 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.584247112 CEST	443	49746	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.636456013 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.636462927 CEST	443	49746	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.636475086 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.636478901 CEST	443	49745	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.683351994 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.683351994 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:09.616780996 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:09.616817951 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:09.616913080 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:09.617986917 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:09.618005991 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:11.198896885 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:11.199006081 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:11.201313972 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:11.201323986 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:11.201627016 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:11.245860100 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:12.093647957 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:12.140506029 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:12.312704086 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:12.312726021 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:12.312733889 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:12.312752008 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:12.312772036 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:12.312825918 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:12.312844038 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:12.312896967 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:12.312951088 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:12.313014984 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:12.313021898 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:12.313318014 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:12.313467026 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:13.354541063 CEST	49747	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:13.354563951 CEST	443	49747	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:16.224033117 CEST	443	49729	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.224098921 CEST	443	49729	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.224281073 CEST	49729	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:16.250730038 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.250814915 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.250973940 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:16.567255974 CEST	443	49731	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.567331076 CEST	443	49731	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.567390919 CEST	49731	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:16.567847013 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.567919970 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.567956924 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:16.569036007 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.569091082 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.569132090 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:16.579560995 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.579628944 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:16.579916000 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:47.184216976 CEST	49739	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:47.184242010 CEST	443	49739	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:47.215504885 CEST	49738	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:47.215529919 CEST	443	49738	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:47.433506966 CEST	49740	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:47.433537960 CEST	443	49740	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:49.650299072 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:49.650299072 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:49.650321007 CEST	443	49745	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:49.650330067 CEST	443	49746	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:49.985721111 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:49.985755920 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:49.985855103 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:49.986303091 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:49.986316919 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.660159111 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.660260916 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:50.664016962 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:50.664024115 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.664259911 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.672679901 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:50.720493078 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.922344923 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.922368050 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.922385931 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.922465086 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:50.922476053 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.922569036 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:50.923358917 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.923391104 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.923414946 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:50.923419952 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.923443079 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.923460960 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:50.923490047 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:50.927393913 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:50.927412033 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:50.927426100 CEST	49752	443	192.168.2.5	13.85.23.86
Aug 27, 2024 23:35:50.927431107 CEST	443	49752	13.85.23.86	192.168.2.5
Aug 27, 2024 23:35:55.340626001 CEST	49753	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.340662956 CEST	443	49753	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.340733051 CEST	49753	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.340791941 CEST	49754	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.340801001 CEST	443	49754	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.340887070 CEST	49754	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.341187000 CEST	49753	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.341202974 CEST	443	49753	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.342039108 CEST	49754	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.342048883 CEST	443	49754	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.794478893 CEST	443	49754	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.794755936 CEST	49754	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.794780016 CEST	443	49754	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.795121908 CEST	443	49754	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.795403957 CEST	49754	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.795465946 CEST	443	49754	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.804896116 CEST	443	49753	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.805069923 CEST	49753	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.805079937 CEST	443	49753	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.805411100 CEST	443	49753	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.805668116 CEST	49753	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.805732012 CEST	443	49753	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.840265036 CEST	49754	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.855775118 CEST	49753	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.098824024 CEST	49729	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.098853111 CEST	443	49729	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.098885059 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.098890066 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.811963081 CEST	49756	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:35:57.812004089 CEST	443	49756	23.54.161.105	192.168.2.5
Aug 27, 2024 23:35:57.812103987 CEST	49756	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:35:57.812292099 CEST	49756	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:35:57.812308073 CEST	443	49756	23.54.161.105	192.168.2.5
Aug 27, 2024 23:35:58.291395903 CEST	443	49756	23.54.161.105	192.168.2.5
Aug 27, 2024 23:35:58.291749954 CEST	49756	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:35:58.291773081 CEST	443	49756	23.54.161.105	192.168.2.5
Aug 27, 2024 23:35:58.292083979 CEST	443	49756	23.54.161.105	192.168.2.5
Aug 27, 2024 23:35:58.292418003 CEST	49756	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:35:58.292486906 CEST	443	49756	23.54.161.105	192.168.2.5
Aug 27, 2024 23:35:58.292565107 CEST	49756	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:35:58.340507984 CEST	443	49756	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:01.574398994 CEST	49731	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:01.574410915 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:01.574440956 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:01.574441910 CEST	443	49731	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:01.574460030 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:01.574465990 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:01.589971066 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:01.589978933 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:01.744252920 CEST	443	49756	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:01.744625092 CEST	443	49756	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:01.744653940 CEST	49756	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:01.744721889 CEST	443	49756	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:01.744752884 CEST	49756	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:01.744787931 CEST	49756	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:01.745296955 CEST	49757	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:01.745332003 CEST	443	49757	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:01.745393038 CEST	49757	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:01.745652914 CEST	49757	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:01.745667934 CEST	443	49757	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:02.357542038 CEST	443	49757	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:02.402546883 CEST	49757	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:02.431299925 CEST	49757	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:02.431309938 CEST	443	49757	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:02.431894064 CEST	443	49757	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:02.434865952 CEST	49757	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:02.434950113 CEST	443	49757	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:02.438050985 CEST	49757	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:02.480510950 CEST	443	49757	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:03.643985033 CEST	443	49757	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:03.644279003 CEST	49757	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:03.644299984 CEST	443	49757	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:03.644311905 CEST	443	49757	23.54.161.105	192.168.2.5
Aug 27, 2024 23:36:03.644351959 CEST	49757	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:03.644380093 CEST	49757	443	192.168.2.5	23.54.161.105
Aug 27, 2024 23:36:10.704199076 CEST	443	49754	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:10.704271078 CEST	443	49754	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:10.704327106 CEST	49754	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:10.712491989 CEST	443	49753	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:10.712564945 CEST	443	49753	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:10.712625980 CEST	49753	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:32.184108019 CEST	49739	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:36:32.184132099 CEST	443	49739	142.250.80.99	192.168.2.5
Aug 27, 2024 23:36:32.215287924 CEST	49738	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:36:32.215307951 CEST	443	49738	142.250.80.99	192.168.2.5
Aug 27, 2024 23:36:32.434077024 CEST	49740	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:36:32.434096098 CEST	443	49740	142.250.80.99	192.168.2.5
Aug 27, 2024 23:36:34.651861906 CEST	49745	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:36:34.651861906 CEST	49746	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:36:34.651890993 CEST	443	49745	142.251.32.110	192.168.2.5
Aug 27, 2024 23:36:34.651902914 CEST	443	49746	142.251.32.110	192.168.2.5
Aug 27, 2024 23:36:46.574559927 CEST	49731	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:46.574588060 CEST	443	49731	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:46.574594021 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:46.574608088 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:46.574629068 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:46.574635029 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:46.590086937 CEST	49733	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:46.590092897 CEST	443	49733	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:55.714731932 CEST	49753	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:55.714731932 CEST	49754	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:55.714766979 CEST	443	49753	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:55.714778900 CEST	443	49754	172.64.41.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2024 23:34:55.632024050 CEST	53	57095	1.1.1.1	192.168.2.5
Aug 27, 2024 23:34:57.090770960 CEST	53406	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:34:57.091171980 CEST	53554	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:34:59.279099941 CEST	53	58454	1.1.1.1	192.168.2.5
Aug 27, 2024 23:34:59.280921936 CEST	53	65176	1.1.1.1	192.168.2.5
Aug 27, 2024 23:34:59.282751083 CEST	53	56144	1.1.1.1	192.168.2.5
Aug 27, 2024 23:34:59.283098936 CEST	53	53905	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.231100082 CEST	61194	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:35:00.231384993 CEST	60861	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:35:00.231722116 CEST	57772	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:35:00.232089996 CEST	58692	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:35:00.232465029 CEST	57257	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:35:00.232594013 CEST	63311	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:35:00.232884884 CEST	61335	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:35:00.233242989 CEST	65440	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:35:00.237894058 CEST	53	61194	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.237996101 CEST	53	60861	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.238333941 CEST	53	57772	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.238650084 CEST	53	58692	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.239029884 CEST	53	57257	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.239340067 CEST	53	63311	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.239629030 CEST	53	61335	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.239707947 CEST	53	65440	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.293745041 CEST	65499	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:35:00.293988943 CEST	57848	53	192.168.2.5	1.1.1.1
Aug 27, 2024 23:35:00.300643921 CEST	53	65499	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.300652981 CEST	53	57848	1.1.1.1	192.168.2.5
Aug 27, 2024 23:35:00.833899021 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:00.855179071 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.142249107 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.157859087 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.299052954 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.299072981 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.299084902 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.299093962 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.299104929 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.300048113 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.302139044 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.302287102 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.302625895 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.302762032 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.302872896 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.302978039 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.304410934 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.304641962 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.304738998 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.304816961 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.305051088 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.306582928 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.306720972 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.307002068 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.307126999 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.401088953 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.401667118 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.401675940 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.401683092 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.401860952 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.402157068 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.402721882 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.403747082 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.403755903 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.403882980 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.403892040 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.404181004 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.404759884 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.405862093 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.405870914 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.405889988 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.406013012 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.406023026 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.406167984 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.406316996 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.406579971 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.406943083 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.409280062 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.498189926 CEST	443	54141	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.503722906 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:01.524081945 CEST	54141	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.543170929 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:01.712323904 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.870904922 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.871042967 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.872908115 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.877584934 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.877608061 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.877624035 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.877799034 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.877913952 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.879103899 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.879432917 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.879719973 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.879808903 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.879831076 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.887206078 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.887252092 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.975809097 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.975822926 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.976171970 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.976861954 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.977085114 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.980067968 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.980092049 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.980309963 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.980448008 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.980571032 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.982424021 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.986076117 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.986346960 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.988965988 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.991307020 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.991481066 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.993896008 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.996809959 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:01.996963978 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:01.998083115 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.000762939 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.001110077 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.077246904 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.077586889 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.080943108 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.081017017 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.083201885 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.084099054 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.086800098 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.087018967 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.088743925 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.094892025 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.095037937 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.096477032 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.097244978 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.097595930 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.100755930 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.103368044 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.103708029 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.106394053 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.109392881 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.109620094 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.111764908 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.114193916 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.114459038 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.116740942 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.118432999 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.118442059 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.118694067 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.120403051 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.122945070 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.123094082 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.126734018 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.130218983 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.130295992 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.130760908 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.133630037 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.133780956 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.136225939 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.138701916 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.139195919 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.141176939 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.143671989 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.143908024 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.146483898 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.149513006 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.149744034 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.151633024 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.154784918 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.156750917 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.160526037 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.162156105 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.165833950 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.168466091 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.170663118 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.172805071 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.175311089 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.177475929 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.177627087 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.177741051 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.177809000 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.177944899 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.179300070 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.180728912 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.181087971 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.182884932 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.185401917 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.186572075 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.188275099 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.190326929 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.192352057 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.196302891 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.198597908 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.201828003 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.203751087 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.206187010 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.206250906 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.206298113 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.206326962 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.208982944 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.209423065 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.212018013 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.212073088 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.212697983 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.217127085 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.217184067 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.217741013 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.221960068 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.222002029 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.225915909 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.225982904 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.227030039 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.230609894 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.230678082 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.234270096 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.234337091 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.238384962 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.238445997 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.242347002 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.242358923 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.246347904 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.246361017 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.249284029 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.249356985 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.253475904 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.253509045 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.257203102 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.257278919 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.261645079 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.261663914 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.263554096 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.263565063 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.269922972 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.269962072 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.269973040 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.269988060 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.271122932 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.271325111 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.271373987 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.271512032 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.271559954 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.271596909 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.272062063 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.272099018 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.272171021 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.272224903 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.272269011 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.272443056 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.272648096 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.274401903 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.274419069 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.275738955 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.275803089 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.278225899 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.278253078 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.279875040 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.279886007 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.281271935 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.281299114 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.281430006 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.283638000 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.283674002 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.285444975 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.285497904 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.287050962 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.287149906 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.288752079 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.288816929 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.290702105 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.290754080 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.292423010 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.292452097 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.294599056 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.294653893 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.294699907 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.296704054 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.296746969 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.297868013 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.297935009 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.299977064 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.300019979 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.300847054 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.300930977 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.302547932 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.303656101 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.303728104 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.305394888 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.305406094 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.308264971 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.308311939 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.308326006 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.308351994 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.310432911 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.310870886 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.310894966 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.313019991 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.313139915 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.314340115 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.314421892 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.322249889 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.322424889 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.334918022 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.367269039 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.367345095 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.368078947 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.368217945 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.373009920 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.373039007 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.373677969 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.373689890 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.376302004 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.376377106 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.379776955 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.379899025 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.380021095 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.380063057 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.380399942 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.380491018 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.380553961 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.380563974 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.380573988 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.380585909 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.383337975 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.383356094 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.384613037 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.384665966 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.384675980 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.384686947 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.385489941 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.385571957 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.388300896 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.388354063 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.388430119 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.388441086 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.390794039 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.390943050 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.390995979 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.391007900 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.393254995 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.413640022 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.459680080 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.472836018 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.496500015 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.501610041 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.506477118 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.536489010 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.539911985 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.547838926 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.547915936 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.553487062 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.553755045 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.569120884 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.569133997 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.569158077 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.569197893 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.569569111 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.569591045 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.569629908 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.573421001 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.573471069 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.573481083 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.594378948 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.594588995 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.594795942 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.597697973 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.597990990 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.636924028 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.638319016 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.639153957 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.639164925 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.639981031 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.644357920 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.644996881 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.645320892 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:02.681960106 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:02.682898998 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:02.689382076 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.693247080 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.734636068 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.765894890 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:02.781594038 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:02.782960892 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:02.783312082 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:02.785305023 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:02.987054110 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:02.987174034 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:03.061115026 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:03.061163902 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:03.085880041 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:03.086806059 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:03.087002039 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:03.087394953 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:03.157011032 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:03.157452106 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:03.157517910 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:03.173319101 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:03.202116966 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:03.294342041 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:03.305712938 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:03.305843115 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:03.404587030 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:03.405244112 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:03.405452013 CEST	443	50961	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:03.407054901 CEST	50961	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:03.783142090 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:03.783600092 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:03.783740044 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:03.879374027 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:03.882572889 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:03.882623911 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:03.882858992 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:03.919398069 CEST	64898	443	192.168.2.5	142.250.80.99
Aug 27, 2024 23:35:04.004328012 CEST	443	64898	142.250.80.99	192.168.2.5
Aug 27, 2024 23:35:04.095097065 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.227603912 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.227629900 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.234090090 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.234163046 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.234173059 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.234239101 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.236541986 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.236663103 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.238064051 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.239881039 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.240154982 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.240650892 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.240921974 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.241116047 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.335524082 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.335535049 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.335923910 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.336355925 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.336946964 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.337148905 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.420331001 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.420753956 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.422008038 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.422225952 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.423871994 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.424609900 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:04.425342083 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:04.516701937 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:12.580815077 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:12.701838970 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:12.749651909 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:12.784710884 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:12.786662102 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:12.812905073 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:12.872806072 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:12.933285952 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:12.942953110 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:12.952459097 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.077425957 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.077538967 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.173082113 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:33.201884031 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.252953053 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:33.253318071 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.254678011 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:33.294042110 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.373040915 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:33.522902012 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.522958040 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.614940882 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.614979982 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.618134022 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:33.654016018 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.696585894 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:33.696881056 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.698467970 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:33.710464954 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:33.710690022 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.794032097 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:33.794272900 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.795942068 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:33.825136900 CEST	62560	443	192.168.2.5	142.251.32.110
Aug 27, 2024 23:35:33.915343046 CEST	443	62560	142.251.32.110	192.168.2.5
Aug 27, 2024 23:35:55.340398073 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.652865887 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.786962986 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.787106991 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.787118912 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.787132025 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.787153959 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.787566900 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.789417982 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.789546013 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.789771080 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.789905071 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.883838892 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.883882999 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.883893013 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.883902073 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.884191990 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.884274960 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.885481119 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.886188984 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.886240959 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:55.886409998 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:55.977751970 CEST	443	49746	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:56.012155056 CEST	49746	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.100239992 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.100399971 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.100574017 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.100666046 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.505428076 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.579705954 CEST	443	59621	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.580246925 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.605863094 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.611543894 CEST	443	59621	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.611679077 CEST	443	59621	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.611689091 CEST	443	59621	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.611691952 CEST	443	59621	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.611860037 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.611943007 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.677875996 CEST	443	59621	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.709501028 CEST	443	59621	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.709764957 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:35:57.808971882 CEST	443	59621	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.810734034 CEST	443	59621	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.811461926 CEST	443	59621	172.64.41.3	192.168.2.5
Aug 27, 2024 23:35:57.811616898 CEST	59621	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:02.563610077 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:02.563816071 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:02.564021111 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:02.564129114 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:03.010094881 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.010685921 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:03.044830084 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:03.106064081 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.106079102 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.106087923 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.106096983 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.106549025 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:03.106549025 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:03.201850891 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.202117920 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:03.302692890 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.303210974 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.303652048 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.304136038 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:03.304816961 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:03.304956913 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:03.305187941 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:03.686525106 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:03.686624050 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:03.755987883 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.756014109 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.756026030 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.756040096 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.756052017 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.756511927 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:03.757145882 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:03.835704088 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.836749077 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.836761951 CEST	443	56625	172.64.41.3	192.168.2.5
Aug 27, 2024 23:36:03.837001085 CEST	56625	443	192.168.2.5	172.64.41.3
Aug 27, 2024 23:36:03.837825060 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:03.837939024 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:03.917411089 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.918294907 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.918441057 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:03.930800915 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.930865049 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.930876970 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.930886030 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:03.931349993 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:03.931473017 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:03.965399027 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:04.059568882 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:04.169362068 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.513569117 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.513593912 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.513607025 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.513618946 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.514266014 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.514333963 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.514630079 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.514642000 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.514750004 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.514760017 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.730242014 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.730571032 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.820804119 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.820828915 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.821664095 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.821942091 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.825673103 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.899653912 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.903866053 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:04.944571972 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.944679022 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.944901943 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:04.944991112 CEST	57520	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:05.041299105 CEST	443	57520	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:05.576141119 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:05.705132961 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:05.725704908 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:05.725725889 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:05.725739002 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:05.726028919 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:05.726106882 CEST	57862	443	192.168.2.5	172.253.122.84
Aug 27, 2024 23:36:05.855114937 CEST	443	57862	172.253.122.84	192.168.2.5
Aug 27, 2024 23:36:34.317595959 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:34.317739964 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:34.791421890 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:34.791440010 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:34.791966915 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:34.792042971 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:34.792335987 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:34.792354107 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:34.809350967 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:34.843033075 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:34.843060017 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:34.886507988 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:34.887047052 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:34.887056112 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:34.887222052 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:34.938497066 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:34.965357065 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:34.965652943 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:34.967952013 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:34.997709990 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:35.022957087 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:35.023164034 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:35.024684906 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:35.060641050 CEST	63030	443	192.168.2.5	142.251.40.206
Aug 27, 2024 23:36:35.086288929 CEST	443	63030	142.251.40.206	192.168.2.5
Aug 27, 2024 23:36:35.142702103 CEST	443	63030	142.251.40.206	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 27, 2024 23:34:59.282766104 CEST	192.168.2.5	1.1.1.1	c2ec	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 27, 2024 23:34:57.090770960 CEST	192.168.2.5	1.1.1.1	0xe7ba	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:34:57.091171980 CEST	192.168.2.5	1.1.1.1	0x30b3	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Aug 27, 2024 23:35:00.231100082 CEST	192.168.2.5	1.1.1.1	0xd25b	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.231384993 CEST	192.168.2.5	1.1.1.1	0x5aef	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 27, 2024 23:35:00.231722116 CEST	192.168.2.5	1.1.1.1	0x1642	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.232089996 CEST	192.168.2.5	1.1.1.1	0x7506	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 27, 2024 23:35:00.232465029 CEST	192.168.2.5	1.1.1.1	0xd848	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.232594013 CEST	192.168.2.5	1.1.1.1	0x52c7	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 27, 2024 23:35:00.232884884 CEST	192.168.2.5	1.1.1.1	0x4ba0	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.233242989 CEST	192.168.2.5	1.1.1.1	0xb874	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 27, 2024 23:35:00.293745041 CEST	192.168.2.5	1.1.1.1	0x1ac8	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.293988943 CEST	192.168.2.5	1.1.1.1	0x4699	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 27, 2024 23:34:57.099596024 CEST	1.1.1.1	192.168.2.5	0x30b3	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 27, 2024 23:34:57.100181103 CEST	1.1.1.1	192.168.2.5	0xe7ba	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 27, 2024 23:34:59.987826109 CEST	1.1.1.1	192.168.2.5	0xed0a	No error (0)	shed.dual-low.s-part-0039.t-0009.t-msedge.net	s-part-0039.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 27, 2024 23:34:59.987826109 CEST	1.1.1.1	192.168.2.5	0xed0a	No error (0)	s-part-0039.t-0009.t-msedge.net		13.107.246.67	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.237894058 CEST	1.1.1.1	192.168.2.5	0xd25b	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.237894058 CEST	1.1.1.1	192.168.2.5	0xd25b	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.237996101 CEST	1.1.1.1	192.168.2.5	0x5aef	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 27, 2024 23:35:00.238333941 CEST	1.1.1.1	192.168.2.5	0x1642	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.238333941 CEST	1.1.1.1	192.168.2.5	0x1642	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.238650084 CEST	1.1.1.1	192.168.2.5	0x7506	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 27, 2024 23:35:00.239029884 CEST	1.1.1.1	192.168.2.5	0xd848	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.239029884 CEST	1.1.1.1	192.168.2.5	0xd848	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.239340067 CEST	1.1.1.1	192.168.2.5	0x52c7	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 27, 2024 23:35:00.239629030 CEST	1.1.1.1	192.168.2.5	0x4ba0	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.239629030 CEST	1.1.1.1	192.168.2.5	0x4ba0	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.239707947 CEST	1.1.1.1	192.168.2.5	0xb874	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 27, 2024 23:35:00.300643921 CEST	1.1.1.1	192.168.2.5	0x1ac8	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.300643921 CEST	1.1.1.1	192.168.2.5	0x1ac8	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 27, 2024 23:35:00.300652981 CEST	1.1.1.1	192.168.2.5	0x4699	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

edgeassetservice.azureedge.net

chrome.cloudflare-dns.com

arc.msn.com

fs.microsoft.com

https:

www.google.com

slscr.update.microsoft.com

bzib.nelreports.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49723	13.107.246.67	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:00 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-27 21:35:00 UTC	559	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 21:35:00 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Fri, 23 Aug 2024 00:10:35 GMT ETag: 0x8DCC30802EF150E x-ms-request-id: 95d786f7-901e-0026-728f-f8f3b3000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240827T213500Z-15c77d89844fm6cd7bzmz9fe9g0000000k1g00000000p1cb Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-08-27 21:35:00 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49722	13.107.246.67	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:00 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.47 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-27 21:35:00 UTC	583	IN	HTTP/1.1 200 OK Date: Tue, 27 Aug 2024 21:35:00 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Fri, 02 Aug 2024 18:10:35 GMT ETag: 0x8DCB31E67C22927 x-ms-request-id: 14c701d7-e01e-0029-02e8-f61e45000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240827T213500Z-15c77d89844mr5m2v1r4mgrp0n0000000gh0000000009f8n Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-08-27 21:35:00 UTC	15801	IN	Data Raw: 1f 8b 08 08 1a 21 ad 66 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: !fasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-08-27 21:35:00 UTC	16384	IN	Data Raw: 4a b0 09 cb 82 45 ac c5 f3 e8 07 bb 82 71 ba da 2a 0b c7 62 2c 30 96 c2 52 09 74 65 c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 Data Ascii: JEqb,0Rte\|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49*-lx53Bu;hQ-]bU%+/M!eC8Y1
2024-08-27 21:35:00 UTC	16384	IN	Data Raw: 2f 4d 35 19 b9 3f d5 c1 f4 52 a7 67 b3 99 ff bc b7 c2 8e 7c d3 4d 9a a5 bf dc f0 20 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 Data Ascii: /M5?Rg\|M kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|c
2024-08-27 21:35:00 UTC	16384	IN	Data Raw: 99 dc 5a 2e 69 cf 52 41 9e 48 c8 71 d7 39 94 dd f7 b6 3f 2a 48 d1 b5 2e 37 a4 97 5f 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 Data Ascii: Z.iRAHq9?*H.7_CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`
2024-08-27 21:35:00 UTC	5254	IN	Data Raw: 29 50 5f 50 34 9a d3 9a 2a 83 ab 27 93 58 c5 2b d2 9c af 2b 4e 0f 79 ac a9 56 57 20 b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 Data Ascii: )P_P4*'X++NyVW a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49726	172.64.41.3	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-27 21:35:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-27 21:35:00 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 27 Aug 2024 21:35:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8b9f305dcd4d0c80-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 21:35:00 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 23 00 04 8e fa 41 e3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom#A)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49725	172.64.41.3	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-27 21:35:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-27 21:35:00 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 27 Aug 2024 21:35:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8b9f305ded354245-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 21:35:00 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1b 00 04 8e fa 50 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomP)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49727	172.64.41.3	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-27 21:35:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-27 21:35:00 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 27 Aug 2024 21:35:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8b9f305dea318ce8-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 21:35:00 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 94 00 04 8e fb 20 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom c)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49724	172.64.41.3	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-27 21:35:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-27 21:35:00 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 27 Aug 2024 21:35:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8b9f305df9ec41cd-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 21:35:00 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 e7 00 04 8e fa 50 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomP)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49728	162.159.61.3	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-27 21:35:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-27 21:35:00 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 27 Aug 2024 21:35:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8b9f305e480a430e-EWR alt-svc: h3=":443"; ma=86400
2024-08-27 21:35:00 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 11 00 04 8e fa 41 e3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomA)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49735	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:01 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-27 21:35:02 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF17) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=65124 Date: Tue, 27 Aug 2024 21:35:02 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49737	20.96.153.111	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:02 UTC	617	OUT	GET /v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=en-GB&country=CH&edgeid=-3354676388932911196&ACHANNEL=4&ABUILD=117.0.5938.132&poptin=0&devosver=10.0.19045.2006&clr=esdk&UITHEME=light&EPCON=0&AMAJOR=117&AMINOR=0&ABLD=5938&APATCH=132 HTTP/1.1 Host: arc.msn.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-27 21:35:02 UTC	633	IN	HTTP/1.1 200 OK Cache-Control: max-age=86400, private Content-Length: 2064 Content-Type: application/json; charset=utf-8 Expires: Mon, 01 Jan 0001 00:00:00 GMT Server: Microsoft-IIS/10.0 ARC-RSP-DBG: [{"X-RADID":"P425775005-T700421790-C128000000003081809"},{"BATCH_REDIRECT_STORE":"B128000000003081809+P0+S0"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}] Accept-CH: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Strict-Transport-Security: max-age=31536000; includeSubDomains Date: Tue, 27 Aug 2024 21:35:01 GMT Connection: close
2024-08-27 21:35:02 UTC	2064	IN	Data Raw: 7b 22 66 22 3a 22 72 61 66 22 2c 22 76 22 3a 22 31 2e 30 22 2c 22 72 64 72 22 3a 5b 7b 22 63 22 3a 22 41 6e 61 68 65 69 6d 20 50 61 73 73 77 6f 72 64 20 4d 6f 6e 69 74 6f 72 22 2c 22 75 22 3a 22 43 6f 6e 73 65 6e 74 20 53 61 76 65 20 50 61 73 73 77 6f 72 64 22 7d 5d 2c 22 61 64 22 3a 7b 22 54 49 54 4c 45 5f 53 41 56 45 22 3a 22 53 61 76 65 20 79 6f 75 72 20 70 61 73 73 77 6f 72 64 22 2c 22 54 49 54 4c 45 5f 55 50 44 41 54 45 22 3a 22 53 61 76 65 20 79 6f 75 72 20 70 61 73 73 77 6f 72 64 22 2c 22 54 49 54 4c 45 5f 53 41 56 45 44 5f 50 41 53 53 57 4f 52 44 22 3a 22 53 61 76 65 20 79 6f 75 72 20 70 61 73 73 77 6f 72 64 22 2c 22 54 49 54 4c 45 5f 4e 4f 5f 53 41 56 45 44 5f 50 41 53 53 57 4f 52 44 22 3a 22 53 61 76 65 20 79 6f 75 72 20 70 61 73 73 77 6f 72 64 Data Ascii: {"f":"raf","v":"1.0","rdr":[{"c":"Anaheim Password Monitor","u":"Consent Save Password"}],"ad":{"TITLE_SAVE":"Save your password","TITLE_UPDATE":"Save your password","TITLE_SAVED_PASSWORD":"Save your password","TITLE_NO_SAVED_PASSWORD":"Save your password

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49741	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:03 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-27 21:35:03 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=69037 Date: Tue, 27 Aug 2024 21:35:03 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-27 21:35:03 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49742	142.251.32.110	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:03 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-27 21:35:03 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 27 Aug 2024 21:35:03 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49743	142.251.32.110	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:03 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-27 21:35:03 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 27 Aug 2024 21:35:03 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49744	142.250.64.68	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:03 UTC	887	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.2045.47" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-27 21:35:04 UTC	704	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 27 Aug 2024 21:31:57 GMT Expires: Wed, 04 Sep 2024 21:31:57 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 186 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-08-27 21:35:04 UTC	686	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-08-27 21:35:04 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a eb Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-08-27 21:35:04 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff fc Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-08-27 21:35:04 UTC	1390	IN	Data Raw: f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-08-27 21:35:04 UTC	574	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49747	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:12 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=OTnC7wC6xbEs4vV&MD=ayeo8n2E HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-27 21:35:12 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: abfc7c05-9049-46d2-a54d-7021f91cec78 MS-RequestId: f6cba892-0e80-4811-a5c3-3a541aee5771 MS-CV: vpOveEGMeEm7FWNq.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 27 Aug 2024 21:35:12 GMT Connection: close Content-Length: 24490
2024-08-27 21:35:12 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-27 21:35:12 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49752	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:50 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=OTnC7wC6xbEs4vV&MD=ayeo8n2E HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-27 21:35:50 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: c80c90d7-0da8-4d85-893f-13eec5240c7c MS-RequestId: 79db0736-74c8-4342-8fa6-d426f9e2fc2f MS-CV: gpf8cfGW4EuINjWg.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 27 Aug 2024 21:35:50 GMT Connection: close Content-Length: 30005
2024-08-27 21:35:50 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-08-27 21:35:50 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49756	23.54.161.105	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:35:58 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-27 21:36:01 UTC	361	IN	HTTP/1.1 200 OK Content-Length: 0 Access-Control-Allow-Headers: content-type Date: Tue, 27 Aug 2024 21:36:01 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.65a13617.1724794558.21ef5e1d Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49757	23.54.161.105	443	2604	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-27 21:36:02 UTC	382	OUT	POST /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Content-Length: 938 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-27 21:36:02 UTC	938	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 36 30 30 30 34 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 39 38 32 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 33 2e 31 30 37 2e 36 2e 31 35 38 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 31 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 62 69 6e 67 Data Ascii: [{"age":60004,"body":{"elapsed_time":982,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"13.107.6.158","status_code":401,"type":"http.error"},"type":"network-error","url":"https://business.bing
2024-08-27 21:36:03 UTC	359	IN	HTTP/1.1 200 OK Content-Length: 21 Content-Type: text/plain; charset=utf-8 Date: Tue, 27 Aug 2024 21:36:03 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.65a13617.1724794562.21ef72c3 Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *
2024-08-27 21:36:03 UTC	21	IN	Data Raw: 50 72 6f 63 65 73 73 65 64 20 74 68 65 20 72 65 71 75 65 73 74 Data Ascii: Processed the request

Target ID:	0
Start time:	17:34:50
Start date:	27/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x8c0000
File size:	917'504 bytes
MD5 hash:	0F6E42568E2E9BCB953E5B0C17C5BB11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	17:34:51
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:34:51
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2044,i,14278123788458138025,17047087662670107384,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:34:51
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	17:34:52
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	17:34:57
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7176 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:34:57
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=3432 --field-trial-handle=2068,i,16644834508121894920,302066301113180173,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:35:10
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:35:11
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2792 --field-trial-handle=2756,i,5864555387051878363,12206127654319733192,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:35:12
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1832 --field-trial-handle=2756,i,5864555387051878363,12206127654319733192,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	17:35:19
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	17:35:19
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=2244,i,5339968493123961597,1908552746602800898,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	17:35:19
Start date:	27/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2572 --field-trial-handle=2244,i,5339968493123961597,1908552746602800898,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1400
Total number of Limit Nodes:	52

Executed Functions

Function 008C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 008C430D

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

GetCurrentProcess.KERNEL32(?,0095CB64,00000000,?,?), ref: 008C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 008C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 008C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 008C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 008C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008C44A0

Strings

GetNativeSystemInfo, xrefs: 008C4460
kernel32.dll, xrefs: 008C444F
|O, xrefs: 009036F8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: c43442147eb7a3375565fa4d95080c97543bf4e0d640177205fdfd1e939873c6
Instruction ID: 44be1b2ed40a51c9a8aeffce9c1b990057ea18a3b8eb50b57bd375ec8caa1471
Opcode Fuzzy Hash: c43442147eb7a3375565fa4d95080c97543bf4e0d640177205fdfd1e939873c6
Instruction Fuzzy Hash: 40A1F36593E3C2DFC716C77D7C436A53FB8BB26304B18989FE84193A61D2328548EB25

Function 008C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008C50AA,?,?,00000000,00000000), ref: 008C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008C50AA,?,?,00000000,00000000), ref: 008C42C9
LoadResource.KERNEL32(?,00000000,?,?,008C50AA,?,?,00000000,00000000,?,?,?,?,?,?,008C4F20), ref: 009035BE
SizeofResource.KERNEL32(?,00000000,?,?,008C50AA,?,?,00000000,00000000,?,?,?,?,?,?,008C4F20), ref: 009035D3
LockResource.KERNEL32(008C50AA,?,?,008C50AA,?,?,00000000,00000000,?,?,?,?,?,?,008C4F20,?), ref: 009035E6

Strings

SCRIPT, xrefs: 008C42BF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 344753b66e8a87fd3159045d6014d7d61846c03520b9e04515e4b4f12e28cb0a
Instruction ID: ff91b8c600c8d49a231d47cb1b584e3052ff15943ad892eab9485f14571928bc
Opcode Fuzzy Hash: 344753b66e8a87fd3159045d6014d7d61846c03520b9e04515e4b4f12e28cb0a
Instruction Fuzzy Hash: D2115AB0200701AFD7218B66DC49F277BB9EBC5B52F20816DF816D62A0DBB2D840E620

Function 00902BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 008C2B6B

Part of subcall function 008C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00991418,?,008C2E7F,?,?,?,00000000), ref: 008C3A78

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00982224), ref: 00902C10
ShellExecuteW.SHELL32(00000000,?,?,00982224), ref: 00902C17

Strings

runas, xrefs: 00902C0B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ba64ed36339519891391b889404bcab94b4935dfb68731932e3ac9e5c197d15a
Instruction ID: bc9df90b1ec03a40e3370370e2e72495e25400daf69753daf7ebf81e0dd9964c
Opcode Fuzzy Hash: ba64ed36339519891391b889404bcab94b4935dfb68731932e3ac9e5c197d15a
Instruction Fuzzy Hash: 40119D31208345AACB14FF68E855FBEBBB4FB95311F44442DF082921A2CF31CA4A9713

Function 0092DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00905222), ref: 0092DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0092DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0092DBEE
FindClose.KERNEL32(00000000), ref: 0092DBFA

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 2606c498f5ed318b718c4744d9b736e77ef6b57efe57b026e12c1936fad72f0a
Instruction ID: 76e67c4a4a9246a9d7895d76e60be81d4a2fc1a16fa4ab22179893e0c7886333
Opcode Fuzzy Hash: 2606c498f5ed318b718c4744d9b736e77ef6b57efe57b026e12c1936fad72f0a
Instruction Fuzzy Hash: 7EF0A07082AB205B8220AB78AC0D8AA376C9E01336B104702F8B6D20E0EBB09954D6D6

Function 0094AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0094B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0094B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0094B1D4
_wcslen.LIBCMT ref: 0094B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0094B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0094B236
_wcslen.LIBCMT ref: 0094B332

Part of subcall function 009305A7: GetStdHandle.KERNEL32(000000F6), ref: 009305C6

_wcslen.LIBCMT ref: 0094B34B
_wcslen.LIBCMT ref: 0094B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0094B3B6
GetLastError.KERNEL32(00000000), ref: 0094B407
CloseHandle.KERNEL32(?), ref: 0094B439
CloseHandle.KERNEL32(00000000), ref: 0094B44A
CloseHandle.KERNEL32(00000000), ref: 0094B45C
CloseHandle.KERNEL32(00000000), ref: 0094B46E
CloseHandle.KERNEL32(?), ref: 0094B4E3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 99f034157e3faf981b148baaddd998223532bb94ab0543743498e465f3d45391
Instruction ID: 76191b7364104dcc01242a25a9ab0b0d4e40d686f1f7d110fa470658d7e223e3
Opcode Fuzzy Hash: 99f034157e3faf981b148baaddd998223532bb94ab0543743498e465f3d45391
Instruction Fuzzy Hash: E2F156316083409FC724EF29C891F2ABBE5BF85314F14895DF8999B2A2DB31EC44CB52

Function 008CD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008CD807
timeGetTime.WINMM ref: 008CDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008CDB28
TranslateMessage.USER32(?), ref: 008CDB7B
DispatchMessageW.USER32(?), ref: 008CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008CDB9F
Sleep.KERNELBASE(0000000A), ref: 008CDBB1

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: dbbe522345b77f399117f85e26af4f258cd7365a3b5416dd2ebdf36494d3a41f
Instruction ID: 8779887bd5d4f221a5d467981930090a2300420d13734caf77eed34f73604ca2
Opcode Fuzzy Hash: dbbe522345b77f399117f85e26af4f258cd7365a3b5416dd2ebdf36494d3a41f
Instruction Fuzzy Hash: BD42DF70608345AFD728EB28C844FAABBF4FF85314F14856EE596C7291D770E894DB82

Function 008C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008C2D07
RegisterClassExW.USER32(00000030), ref: 008C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C2D42
InitCommonControlsEx.COMCTL32(?), ref: 008C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C2D6F
LoadIconW.USER32(000000A9), ref: 008C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C2D94

Strings

TaskbarCreated, xrefs: 008C2D37
+, xrefs: 008C2CF0
AutoIt v3 GUI, xrefs: 008C2D23
0, xrefs: 008C2CE9

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 30f12468836f505d8d5bbd0be9e9935fde72fc3c120ad51db6cc6a7e0ec00e23
Instruction ID: 966a92927e77a3976a20dc78c46d1c559655640422f9a3c96af660f4ec7a1b14
Opcode Fuzzy Hash: 30f12468836f505d8d5bbd0be9e9935fde72fc3c120ad51db6cc6a7e0ec00e23
Instruction Fuzzy Hash: 7221F4B5925309EFDB00DFA9EC49BDDBBB4FB08702F00411AF911A62A0D7B10544EF90

Function 0090065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0090039A: CreateFileW.KERNELBASE(00000000,00000000,?,00900704,?,?,00000000,?,00900704,00000000,0000000C), ref: 009003B7

GetLastError.KERNEL32 ref: 0090076F
__dosmaperr.LIBCMT ref: 00900776
GetFileType.KERNELBASE(00000000), ref: 00900782
GetLastError.KERNEL32 ref: 0090078C
__dosmaperr.LIBCMT ref: 00900795
CloseHandle.KERNEL32(00000000), ref: 009007B5
CloseHandle.KERNEL32(?), ref: 009008FF
GetLastError.KERNEL32 ref: 00900931
__dosmaperr.LIBCMT ref: 00900938

Strings

H, xrefs: 009008BD

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 9bbe8e3d25584538de6aabc1fef9957335b72840b5267b7dbb815cce1384fc03
Instruction ID: 57c3e821b95a58e69d82a332fff18060ae293987edb35dadfd6f273e526c2b8f
Opcode Fuzzy Hash: 9bbe8e3d25584538de6aabc1fef9957335b72840b5267b7dbb815cce1384fc03
Instruction Fuzzy Hash: 7DA14732A141488FDF19AF68DC51BAE3BA4EB8A320F140159F815DB2D2D7359D12DB92

Function 008C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00991418,?,008C2E7F,?,?,?,00000000), ref: 008C3A78

Part of subcall function 008C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0090318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009031CE
RegCloseKey.ADVAPI32(?), ref: 00903210
_wcslen.LIBCMT ref: 00903277
_wcslen.LIBCMT ref: 00903286

Strings

\, xrefs: 0090328C
\Include\, xrefs: 008C3527
Include, xrefs: 00903184, 009031C5
Software\AutoIt v3\AutoIt, xrefs: 008C3560

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f9297a2913d2198074ec5127e6cc103c7504714fcc737323c590d30aa5884aab
Instruction ID: 735e9d375a14692324fe64e867366818a740d57fd6e876a19b3ec30ac4fc063d
Opcode Fuzzy Hash: f9297a2913d2198074ec5127e6cc103c7504714fcc737323c590d30aa5884aab
Instruction Fuzzy Hash: A5715971419300AEC714EF2DEC829AABBF8FF95B40B40492EF555C71A1EB319A48DB52

Function 008C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 008C2B9D
LoadIconW.USER32(00000063), ref: 008C2BB3
LoadIconW.USER32(000000A4), ref: 008C2BC5
LoadIconW.USER32(000000A2), ref: 008C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008C2BEF
RegisterClassExW.USER32(?), ref: 008C2C40

Part of subcall function 008C2CD4: GetSysColorBrush.USER32(0000000F), ref: 008C2D07
Part of subcall function 008C2CD4: RegisterClassExW.USER32(00000030), ref: 008C2D31
Part of subcall function 008C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C2D42
Part of subcall function 008C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 008C2D5F
Part of subcall function 008C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C2D6F
Part of subcall function 008C2CD4: LoadIconW.USER32(000000A9), ref: 008C2D85
Part of subcall function 008C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C2D94

Strings

#, xrefs: 008C2C16
0, xrefs: 008C2C0F
AutoIt v3, xrefs: 008C2C2F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3f74796f7b82a48db0e374033655a6a114b2a3cd39c8cb1bb4b8a3e330722e25
Instruction ID: cebe01aafda7e4c83512713534204f889f02deca7e5d6928d12bae3a7c4e194c
Opcode Fuzzy Hash: 3f74796f7b82a48db0e374033655a6a114b2a3cd39c8cb1bb4b8a3e330722e25
Instruction Fuzzy Hash: 01213EB0E28315AFDB109FAAEC56B9D7FB4FB48B51F04411BF504A66A0D7B14540EF90

Function 008C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,008C316A,?,?), ref: 008C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,008C316A,?,?), ref: 008C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,008C316A,?,?), ref: 008C3232
CreatePopupMenu.USER32 ref: 008C3246
PostQuitMessage.USER32(00000000), ref: 008C3267

Strings

TaskbarCreated, xrefs: 008C322D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 12231dfb67af57919310ada4871657a9ba95523366cb38a0c5b5ce98d1fc2c52
Instruction ID: 2e9fa97d3a132bf14b72718c4b144c38a6dbd286a95ef8ad6d2ea7257dbced9b
Opcode Fuzzy Hash: 12231dfb67af57919310ada4871657a9ba95523366cb38a0c5b5ce98d1fc2c52
Instruction Fuzzy Hash: C941C431268305AEDF251B6C9D0EFB93A79F749346F08812FF502C56A1C771CE42AB62

Function 008C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,008C1CAD,?), ref: 008C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,008C1CAD,?), ref: 008C2CCF

Strings

edit, xrefs: 008C2CAC
AutoIt v3, xrefs: 008C2C89, 008C2C8E, 008C2C8F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 64d448158bc37bf7103513b4221389232b7b99dd479b132cfc9327f49d29dd44
Instruction ID: d7223db3f433b5076d74c508871f52f2e59043e1e7c41bf3b4c390c24d88406b
Opcode Fuzzy Hash: 64d448158bc37bf7103513b4221389232b7b99dd479b132cfc9327f49d29dd44
Instruction Fuzzy Hash: 26F0DAB55643917EEB31572BAC0AE772EBDE7CAF51B00005BF904A25A0C6711854EAB0

Function 0092E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0092E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0092E9A5
Sleep.KERNEL32(00000000), ref: 0092E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0092E9B7
Sleep.KERNELBASE ref: 0092E9F3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e9ec75d171d65f896c29b309a5ace512f8b9486f1311cfcf6af715e1d75ac588
Instruction ID: ae10a2e10b699840b6526bb6290dd3697863a27aabb70686da3b587057c37646
Opcode Fuzzy Hash: e9ec75d171d65f896c29b309a5ace512f8b9486f1311cfcf6af715e1d75ac588
Instruction Fuzzy Hash: DE015775C09A3DDFCF00ABE5E899AEDBB78BB08701F000546E502B2244CB349594DBA1

Function 008C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008C3B0F,SwapMouseButtons,00000004,?), ref: 008C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008C3B0F,SwapMouseButtons,00000004,?), ref: 008C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,008C3B0F,SwapMouseButtons,00000004,?), ref: 008C3B83

Strings

Control Panel\Mouse, xrefs: 008C3B3E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a1f9e0273b31aac278f1ed47ec774e0e9b5897e563ce8f1622505ca98abaa4f4
Instruction ID: c506cad9562124805ba8501127d074cc52f0d0e38bbb0ceba2e316c0788113bb
Opcode Fuzzy Hash: a1f9e0273b31aac278f1ed47ec774e0e9b5897e563ce8f1622505ca98abaa4f4
Instruction Fuzzy Hash: 6C1118B5520308FEDB208FA5DC44EAEB7B8EF05765B108459A805D7110D231DE41AB60

Function 008C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009033A2

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 008C3A04

Strings

Line: , xrefs: 009033EB

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 255606851249c17489ac1dc3697f2c415244dc0ccf4061364c3271d576d81cf9
Instruction ID: 5743f7ff00d8c0a096fd18621c06942301377623324bf07d5c0d3c72dbb45fe3
Opcode Fuzzy Hash: 255606851249c17489ac1dc3697f2c415244dc0ccf4061364c3271d576d81cf9
Instruction Fuzzy Hash: F9318971418305AAD725EB28D846FEAB7B8FB41714F008A2EF599D2191EB709A49C783

Function 008DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 008E0668

Part of subcall function 008E32A4: RaiseException.KERNEL32(?,?,?,008E068A,?,00991444,?,?,?,?,?,?,008E068A,008C1129,00988738,008C1129), ref: 008E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 008E0685

Strings

Unknown exception, xrefs: 008E0692

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: da352725972f9c0f202ef7c644b72391aba2b71ca90730dab17831bb7079452f
Instruction ID: aec8f94e40d0bedcbc11aa461416c4705955b4f215438dffb85f3f263fe01bab
Opcode Fuzzy Hash: da352725972f9c0f202ef7c644b72391aba2b71ca90730dab17831bb7079452f
Instruction Fuzzy Hash: 22F0283080038D73CB00B6AAD846D5E777DFE42314BA04931B924D66A2EFB0DA55CE82

Function 008C10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008C1BF4
Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 008C1BFC
Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008C1C07
Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008C1C12
Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 008C1C1A
Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 008C1C22

Part of subcall function 008C1B4A: RegisterWindowMessageW.USER32(00000004,?,008C12C4), ref: 008C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008C136A
OleInitialize.OLE32 ref: 008C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 009024AB

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 6bc2f32c255faf8c5b7026a009d827d4e26731e29c5e60f7c3bae11cff41716e
Instruction ID: 494582615b0d83509501c2ce2d31aa65cef5986588561b5e9046df5ccd810b1d
Opcode Fuzzy Hash: 6bc2f32c255faf8c5b7026a009d827d4e26731e29c5e60f7c3bae11cff41716e
Instruction Fuzzy Hash: 7A71DDB49293028FCB84DF7EA945A553BE4FB88344746812FE41AC7371EB308445EF52

Function 0092C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 008C3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0092C259
KillTimer.USER32(?,00000001,?,?), ref: 0092C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0092C270

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 35878fa4b89f6b67fb84a6eee6c9cf96b7962e19d076726cd95df67249904c60
Instruction ID: 6d721a43851bf3ad2d94468bc7cda7157e36b4b438aef6cb2b3104e271241e74
Opcode Fuzzy Hash: 35878fa4b89f6b67fb84a6eee6c9cf96b7962e19d076726cd95df67249904c60
Instruction Fuzzy Hash: F231A7B0904354AFEB32DF649855BEBBBFCAF06344F00049ED5EA97245C774AA84CB51

Function 008F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,008F85CC,?,00988CC8,0000000C), ref: 008F8704
GetLastError.KERNEL32(?,008F85CC,?,00988CC8,0000000C), ref: 008F870E
__dosmaperr.LIBCMT ref: 008F8739

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 2514e18b3f33a9f79e9697b190404e2adc2ec252025757c42dc4439a320a303d
Instruction ID: f408c5e3bd8e140a63ddb791415f1d4d1b4f29a7c6c7c4245c2e9f212ae1b6fc
Opcode Fuzzy Hash: 2514e18b3f33a9f79e9697b190404e2adc2ec252025757c42dc4439a320a303d
Instruction Fuzzy Hash: 67014833608A2C9AC724623C684D77F2B89EBA3779F290119FB14CB1D2DEB48C818251

Function 008CDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 008CDB7B
DispatchMessageW.USER32(?), ref: 008CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008CDB9F
Sleep.KERNELBASE(0000000A), ref: 008CDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00911CC9

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 592eda1bf52e41110db475c1fcd9c8efedd4b8f951e881731459bff73638f192
Instruction ID: 53e0f4a8c88d72eaabdfab399a920d157f3c80a3491bfb6988cc794b89fc3b67
Opcode Fuzzy Hash: 592eda1bf52e41110db475c1fcd9c8efedd4b8f951e881731459bff73638f192
Instruction Fuzzy Hash: ECF054706583459BE730D765CC45FDA73BCFB44311F104529E649C30C0DB3094849B15

Function 008D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008D17F6

Strings

CALL, xrefs: 008D17C6

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: dfdd0cdfe8dfae8d4377f0c707365c78f9180653dda14f1d62c859a1c9cfc156
Instruction ID: 9b0e83a757e5dc53f23ba0513323ccaf9fe92945e0fb2b6ebee7511c7be94d2b
Opcode Fuzzy Hash: dfdd0cdfe8dfae8d4377f0c707365c78f9180653dda14f1d62c859a1c9cfc156
Instruction Fuzzy Hash: 30228B70608205AFCB14DF18D484A6ABBF2FF85314F148A6EF496CB362D735E885CB52

Function 008C2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00902C8C

Part of subcall function 008C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C3A97,?,?,008C2E7F,?,?,?,00000000), ref: 008C3AC2

Part of subcall function 008C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008C2DC4

Strings

X, xrefs: 00902C5A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: ffae8e0264e37477b4583daf5eb8816cd9b8fdf1613683fba311a6aff5beb10e
Instruction ID: 377f713ded7cbcc61fc4d4517bf14a1151c922e601e5db26d59ab71b1094f872
Opcode Fuzzy Hash: ffae8e0264e37477b4583daf5eb8816cd9b8fdf1613683fba311a6aff5beb10e
Instruction Fuzzy Hash: DA219371A102589FDB01EF98C849BEE7BFCEF49314F008059E505FB281DBB49A898F61

Function 008C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 008C3908

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8e3eee33569282d2a715ce2ce35ebc32794335bd36996db1d53892b1cafeb7e3
Instruction ID: 6a72e6512a9222ac7540950bd5a404d378d6594645718f7cd416e072cc334c00
Opcode Fuzzy Hash: 8e3eee33569282d2a715ce2ce35ebc32794335bd36996db1d53892b1cafeb7e3
Instruction Fuzzy Hash: 253171B05087019FD721DF28D885B97BBF8FB49708F00492EF59AD7250E771AA44DB52

Function 008DF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008DF661

Part of subcall function 008CD730: GetInputState.USER32 ref: 008CD807

Sleep.KERNEL32(00000000), ref: 0091F2DE

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 5a797b51d7b94d06ea9f444a868816317fa961fb28b5b4e0414888948033a9f5
Instruction ID: 11a8ce6feec2ad8dee4679cb06875c8a39f60a2ba5d84eefcb5281f49a0ef410
Opcode Fuzzy Hash: 5a797b51d7b94d06ea9f444a868816317fa961fb28b5b4e0414888948033a9f5
Instruction Fuzzy Hash: D0F08C71244B099FD310EF69D44AF6AB7F8FF59761F00002AE85AC7761DB70A800CB91

Function 008CB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008CBB4E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 92ae717af9209f5e03f1aac5a5ae51fe0ff2aead2d5c81277d50b4f8a3e5c00e
Instruction ID: 5f8d17a95ec19f2dd247e7a9a5268f54a724352ec6bd2eae120670b2f4bdaa8c
Opcode Fuzzy Hash: 92ae717af9209f5e03f1aac5a5ae51fe0ff2aead2d5c81277d50b4f8a3e5c00e
Instruction Fuzzy Hash: 7E32CD30A04609AFDB24CF58C886FBEB7B9FF84314F14805AE915AB251D7B5ED81CB51

Function 00952598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 00952649

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: b8fae2ee07d7897eef9f50d751f11d7c42745c0a0c05a87613a683ebe8806e04
Instruction ID: 66dbe1a390587b9cdc7f24fb0759d3b285ac7c98b454241e1ca2fa846bc83a7c
Opcode Fuzzy Hash: b8fae2ee07d7897eef9f50d751f11d7c42745c0a0c05a87613a683ebe8806e04
Instruction Fuzzy Hash: 1421D074200716AFD710DF1AC8D0E36B7A9EB46369B20806DEC568B392CB71ED45CB90

Function 009513B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 00951420

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 638ffa64bafc81ad4ec6cc55b435b1fc13c2784bd3f1296faf4a3fd28bb3d24c
Instruction ID: bf34413b8aaa9270797ce67d5a808395bd49d136120e5e9b6b67211de9dc998b
Opcode Fuzzy Hash: 638ffa64bafc81ad4ec6cc55b435b1fc13c2784bd3f1296faf4a3fd28bb3d24c
Instruction Fuzzy Hash: 1031A270604202AFD714DF2AC491B69B7A5FF85325F04816DE8198F392DB75EC45CBD1

Function 008C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008C4EDD,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E9C
Part of subcall function 008C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008C4EAE
Part of subcall function 008C4E90: FreeLibrary.KERNEL32(00000000,?,?,008C4EDD,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4EFD

Part of subcall function 008C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00903CDE,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E62
Part of subcall function 008C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008C4E74
Part of subcall function 008C4E59: FreeLibrary.KERNEL32(00000000,?,?,00903CDE,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E87

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 16fe729fa6fe09b57540994340a2fc3b787ae805f08b1073c7151302bc7421ec
Instruction ID: e0c77af545a85718038eec9ffdbf69ff27f848d62c89c8fae284844a936f742c
Opcode Fuzzy Hash: 16fe729fa6fe09b57540994340a2fc3b787ae805f08b1073c7151302bc7421ec
Instruction Fuzzy Hash: 0911E332620305AADF14EB68DC22FAD77B5FF50711F10842EF542E61D1EEB0EA859B51

Function 008F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 008F8440

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 1d7175d2c67098a351773a407542a853776f592a906d57365fa421dd86e3c5b2
Instruction ID: fc170a0ff85fffb2d4adda5f1981d2ba52903eb875f94eb90b36473c985d3609
Opcode Fuzzy Hash: 1d7175d2c67098a351773a407542a853776f592a906d57365fa421dd86e3c5b2
Instruction Fuzzy Hash: 4111067590410AEFCB05DF68E941AAA7BF9FF48314F144059F918EB312DA31DA118BA5

Function 008F5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008F4C7D: RtlAllocateHeap.NTDLL(00000008,008C1129,00000000,?,008F2E29,00000001,00000364,?,?,?,008EF2DE,008F3863,00991444,?,008DFDF5,?), ref: 008F4CBE

_free.LIBCMT ref: 008F506C

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: eca208b32579ea4d61f006d67cfb439e18a94d1d0d900285b10e87089f3ad02f
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 9D012B72204B095BE321CE799841A6AFBE8FBC5370F25051DE394C3280EA706805C674

Function 009529BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,009514B5,?), ref: 00952A01

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: fd7a06e3783d9840ef96644b69b65029b0781ce06aba0dfb45d01b4bdbe2eb5e
Instruction ID: 33e7204fee900bd098a70e64c74a880d001bde8c750fe82f0a159625e970c99f
Opcode Fuzzy Hash: fd7a06e3783d9840ef96644b69b65029b0781ce06aba0dfb45d01b4bdbe2eb5e
Instruction Fuzzy Hash: 6401D836300A419FE325CB2EC554B263796EBC6316F398468C4478B391D732FC46C790

Function 008EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 257aa9977881583c17a59f65857ea8df2f7c6939e3707767981bd09338e8560b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: A8F0D132511A5896CB313A7F9C05B6A3798FF63334F100715FA21D22E2DB74D805C6A6

Function 0095149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 009514EB

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: aed1833aa7195ead205e9530f1df0bbbf12e06fd9d48b3388ebeca1d327bd9d5
Instruction ID: 5deab2625130f490ec7941bac890a78c2908394e5c8e480200f82c1debaf7eda
Opcode Fuzzy Hash: aed1833aa7195ead205e9530f1df0bbbf12e06fd9d48b3388ebeca1d327bd9d5
Instruction Fuzzy Hash: AA01D4353087419F9320CF6BC440A26BB95FF85325754805DEC4A8B752D672DD86C780

Function 008F4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,008C1129,00000000,?,008F2E29,00000001,00000364,?,?,?,008EF2DE,008F3863,00991444,?,008DFDF5,?), ref: 008F4CBE

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1400dfa1560b9658165765fc821ce6532ae7dbe5f2d4b3cea5cf4e67eac99ce6
Instruction ID: 93191a1ab75d067ceeedb54b16701fd97758c11e6d1ddacb9cbfd56c1d67c03a
Opcode Fuzzy Hash: 1400dfa1560b9658165765fc821ce6532ae7dbe5f2d4b3cea5cf4e67eac99ce6
Instruction Fuzzy Hash: DCF0B43160626C67DB215F77AC05B7B3798FF417A1B147113BB19E7291CA71D80096A1

Function 008F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6,?,008C1129), ref: 008F3852

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a71a3b872dfe4d851e92d44c0e637c48b461356513b55d2c6494f77c1b52095
Instruction ID: d7cd719fd29ddafbf4a3b53cf923ddc11b6ea0d256ace99e5fed591acc92b84c
Opcode Fuzzy Hash: 8a71a3b872dfe4d851e92d44c0e637c48b461356513b55d2c6494f77c1b52095
Instruction Fuzzy Hash: 32E0E53112426DA7D621267B9D01BBA3648FB427F0F050031BF14D2691DB59DE0192E1

Function 008C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4F6D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a53868d9af9e821d6702a1a8c3a54a62f3bd11379b76eb7903f7b0088cfd08b6
Instruction ID: 9b2c7cc1ce9af83c3c22f63b3215b42449ad56f6632838ead69ad7272501029c
Opcode Fuzzy Hash: a53868d9af9e821d6702a1a8c3a54a62f3bd11379b76eb7903f7b0088cfd08b6
Instruction Fuzzy Hash: B8F01C71115751CFDB349F65D4A0E12B7F4FF14319310996EE5DAC2521CB31D884DB10

Function 00952A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00952A66

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e414d9bb9c1f420b4d307bebbfea09e81a7e9d66f1f3cc7668ed90f067e52eef
Instruction ID: f56dfdf3289aac15802a8563da9b2795bb4e2e11a02d41b1c79b7b0b655c0635
Opcode Fuzzy Hash: e414d9bb9c1f420b4d307bebbfea09e81a7e9d66f1f3cc7668ed90f067e52eef
Instruction Fuzzy Hash: A4E08676358226AEC714EB31EC809FE735CEF95396B104936FC16C2190DB349A9997E0

Function 008C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008C2DC4

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e08b024e278acca6eedb5135db0960de9d74955c0d24d0c19ad1bf915533db6e
Instruction ID: 7fa612740477a94ce1646795652767f83bdbfc81e02488d11085232c355b5637
Opcode Fuzzy Hash: e08b024e278acca6eedb5135db0960de9d74955c0d24d0c19ad1bf915533db6e
Instruction Fuzzy Hash: 7FE0CD726042245FC710D2589C05FDA77EDEFC8790F040075FD09E7248DA70ED808651

Function 008C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008C3908

Part of subcall function 008CD730: GetInputState.USER32 ref: 008CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 008C2B6B

Part of subcall function 008C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 008C314E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2a5fa645c40cde676e744696aec0c28dc87645dce62b64cb309527fb02e8fc23
Instruction ID: e87a435fc897a7dc8e6d99dace682dc663e453a72465678f09732196468d0286
Opcode Fuzzy Hash: 2a5fa645c40cde676e744696aec0c28dc87645dce62b64cb309527fb02e8fc23
Instruction Fuzzy Hash: 1EE04F6220434506CA04BB6D9856E7DA769FB99361F40553EF142C31B2CE34C9474253

Function 00923D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00923D18

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 9a53e75b2e99cac2982e0dd8f3b432feedefb96b1cbd4f8161f28900e1e3758d
Instruction ID: 8c1388847351e5a89a7ae3b5d4b69af2c98463608c39356b92012d95083fc32e
Opcode Fuzzy Hash: 9a53e75b2e99cac2982e0dd8f3b432feedefb96b1cbd4f8161f28900e1e3758d
Instruction Fuzzy Hash: A5D08CF06A43087EFB0083728C0BEBB339CC316E82F004BA47E02D64C1D9A0DE080230

Function 0090039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00900704,?,?,00000000,?,00900704,00000000,0000000C), ref: 009003B7

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2714cb868735e91860e1bf55b93d705b2d593b54203aa1ed3f904e16298969db
Instruction ID: 0ff641eed02c3376be0087b49533aa8e140d777356417037510ce035d3a4e101
Opcode Fuzzy Hash: 2714cb868735e91860e1bf55b93d705b2d593b54203aa1ed3f904e16298969db
Instruction Fuzzy Hash: C1D06C3205420DBFDF028F85DD06EDA3BAAFB48714F014000BE1856020C732E821AB90

Function 008C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 008C1CBC

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 64667698221ccc2bc27db72884dd5c8f65f7464698fade540cf5740b893b618b
Instruction ID: d3aabbadba43e373b1fd8f3deb8c8658a21886808d557deae852a35c4546fc33
Opcode Fuzzy Hash: 64667698221ccc2bc27db72884dd5c8f65f7464698fade540cf5740b893b618b
Instruction Fuzzy Hash: 8AC0487A2A8305AEE2148B98AC4AF107764A348B02F448002F609A96E393A22820FA51

Non-executed Functions

Function 00959576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0095961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0095965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0095969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009596C9
SendMessageW.USER32 ref: 009596F2
GetKeyState.USER32(00000011), ref: 0095978B
GetKeyState.USER32(00000009), ref: 00959798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009597AE
GetKeyState.USER32(00000010), ref: 009597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009597E9
SendMessageW.USER32 ref: 00959810
SendMessageW.USER32(?,00001030,?,00957E95), ref: 00959918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0095992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00959941
SetCapture.USER32(?), ref: 0095994A
ClientToScreen.USER32(?,?), ref: 009599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009599D6
ReleaseCapture.USER32 ref: 009599E1
GetCursorPos.USER32(?), ref: 00959A19
ScreenToClient.USER32(?,?), ref: 00959A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00959A80
SendMessageW.USER32 ref: 00959AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00959AEB
SendMessageW.USER32 ref: 00959B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00959B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00959B4A
GetCursorPos.USER32(?), ref: 00959B68
ScreenToClient.USER32(?,?), ref: 00959B75
GetParent.USER32(?), ref: 00959B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00959BFA
SendMessageW.USER32 ref: 00959C2B
ClientToScreen.USER32(?,?), ref: 00959C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00959CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00959CDE
SendMessageW.USER32 ref: 00959D01
ClientToScreen.USER32(?,?), ref: 00959D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00959D82

Part of subcall function 008D9944: GetWindowLongW.USER32(?,000000EB), ref: 008D9952

GetWindowLongW.USER32(?,000000F0), ref: 00959E05

Strings

@GUI_DRAGID, xrefs: 0095997D
F, xrefs: 00959D07

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 2ad0f7ff872bf42e54bb693f9c684b403d2b8772f7333c922f4f3e4910c18b82
Instruction ID: fdd7d3872a95c87d6e702f6b142f47e93e327a34d0c485579cddb1b5d8772880
Opcode Fuzzy Hash: 2ad0f7ff872bf42e54bb693f9c684b403d2b8772f7333c922f4f3e4910c18b82
Instruction Fuzzy Hash: 83429F70109301EFEB25CF2ACD44BAABBE9FF48315F140A19F999872A1D731D958EB41

Function 00954873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00954908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00954927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0095494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0095495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0095497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00954A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00954A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00954A7E
IsMenu.USER32(?), ref: 00954A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00954AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00954B20
GetWindowLongW.USER32(?,000000F0), ref: 00954B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00954BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00954C82
wsprintfW.USER32 ref: 00954CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00954CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00954CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00954D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00954D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00954D5A

Strings

%d/%02d/%02d, xrefs: 00954CA8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b462367bd7ff279ac7bf2199df18ba57cb0a94aa42c9e79a6c8df571ec98e8a3
Instruction ID: 18ab678443d5c5f6b96edbce5106833e7f51f1caf12f7fe8728ceb02f1bb0ccb
Opcode Fuzzy Hash: b462367bd7ff279ac7bf2199df18ba57cb0a94aa42c9e79a6c8df571ec98e8a3
Instruction Fuzzy Hash: 4812FF71600304AFEB648F2ACC49FAE7BF8EF4571AF104119F916DA2E1D7749A84DB50

Function 008DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 008DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0091F474
IsIconic.USER32(00000000), ref: 0091F47D
ShowWindow.USER32(00000000,00000009), ref: 0091F48A
SetForegroundWindow.USER32(00000000), ref: 0091F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0091F4AA
GetCurrentThreadId.KERNEL32 ref: 0091F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0091F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0091F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0091F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0091F4DE
SetForegroundWindow.USER32(00000000), ref: 0091F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0091F4F6
keybd_event.USER32(00000012,00000000), ref: 0091F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0091F50B
keybd_event.USER32(00000012,00000000), ref: 0091F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0091F519
keybd_event.USER32(00000012,00000000), ref: 0091F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0091F528
keybd_event.USER32(00000012,00000000), ref: 0091F52D
SetForegroundWindow.USER32(00000000), ref: 0091F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0091F557

Strings

Shell_TrayWnd, xrefs: 0091F46F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 47839b2dc1492f1e3fc196132dd4bfa73f514edc9844049ff4ca30a065bfdd31
Instruction ID: 43baedba909e7b9279e59767c9b9fe4b7712515f341ff2c8749d57adf345afb2
Opcode Fuzzy Hash: 47839b2dc1492f1e3fc196132dd4bfa73f514edc9844049ff4ca30a065bfdd31
Instruction Fuzzy Hash: B8318CB1B5431CBEEB216BB64C4AFBF7E6DEB44B51F100066FA00E61D1D6B05940BBA0

Function 00921201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0092170D
Part of subcall function 009216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0092173A
Part of subcall function 009216C3: GetLastError.KERNEL32 ref: 0092174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00921286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009212A8
CloseHandle.KERNEL32(?), ref: 009212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009212D1
GetProcessWindowStation.USER32 ref: 009212EA
SetProcessWindowStation.USER32(00000000), ref: 009212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00921310

Part of subcall function 009210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009211FC), ref: 009210D4
Part of subcall function 009210BF: CloseHandle.KERNEL32(?,?,009211FC), ref: 009210E9

Strings

winsta0, xrefs: 009212CC
, xrefs: 0092125A
default, xrefs: 0092130B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: d2acd27a4d22d9435a74abb92447646671276579d2bc164ca35492b33b1f8783
Instruction ID: 920b66e37d31bb05c671e02013ee422a03e8be0b40493fe77363cfdfc6bb1c36
Opcode Fuzzy Hash: d2acd27a4d22d9435a74abb92447646671276579d2bc164ca35492b33b1f8783
Instruction Fuzzy Hash: CC81ACB1900319AFDF20AFA5EC49BEE7BBDEF04704F044129F915E62A4C7318A64DB60

Function 00920B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00921114
Part of subcall function 009210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921120
Part of subcall function 009210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 0092112F
Part of subcall function 009210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921136
Part of subcall function 009210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00920BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00920C00
GetLengthSid.ADVAPI32(?), ref: 00920C17
GetAce.ADVAPI32(?,00000000,?), ref: 00920C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00920C6D
GetLengthSid.ADVAPI32(?), ref: 00920C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00920C8C
HeapAlloc.KERNEL32(00000000), ref: 00920C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00920CB4
CopySid.ADVAPI32(00000000), ref: 00920CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00920CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00920D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00920D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920D45
HeapFree.KERNEL32(00000000), ref: 00920D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920D55
HeapFree.KERNEL32(00000000), ref: 00920D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920D65
HeapFree.KERNEL32(00000000), ref: 00920D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00920D78
HeapFree.KERNEL32(00000000), ref: 00920D7F

Part of subcall function 00921193: GetProcessHeap.KERNEL32(00000008,00920BB1,?,00000000,?,00920BB1,?), ref: 009211A1
Part of subcall function 00921193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00920BB1,?), ref: 009211A8
Part of subcall function 00921193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00920BB1,?), ref: 009211B7

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: cb58745306221ca40d32b31e07f9ce3c122b2307e6e28a3328077dbb2524139b
Instruction ID: 943fe2b4c539cf38a13e1c575729bfe5e3287d0af7bd10550605835a6f4a9ce8
Opcode Fuzzy Hash: cb58745306221ca40d32b31e07f9ce3c122b2307e6e28a3328077dbb2524139b
Instruction Fuzzy Hash: 237176B290532AAFDF10DFA5EC44BAEBBBCAF44301F044115E914A7296D770AA05CFA0

Function 0093EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0095CC08), ref: 0093EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0093EB37
GetClipboardData.USER32(0000000D), ref: 0093EB43
CloseClipboard.USER32 ref: 0093EB4F
GlobalLock.KERNEL32(00000000), ref: 0093EB87
CloseClipboard.USER32 ref: 0093EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0093EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0093EBC9
GetClipboardData.USER32(00000001), ref: 0093EBD1
GlobalLock.KERNEL32(00000000), ref: 0093EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0093EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0093EC38
GetClipboardData.USER32(0000000F), ref: 0093EC44
GlobalLock.KERNEL32(00000000), ref: 0093EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0093EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0093EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0093ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0093ECF3
CountClipboardFormats.USER32 ref: 0093ED14
CloseClipboard.USER32 ref: 0093ED59

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f55573cd1dd42f949f5cb82fc2dfc6619cf27da78a5d34b60a4f8ad0e1c29583
Instruction ID: 3ccaf47f1b611cf3e662b096460cffbc7d84b69fc1e9e58ee52766979db1c1f6
Opcode Fuzzy Hash: f55573cd1dd42f949f5cb82fc2dfc6619cf27da78a5d34b60a4f8ad0e1c29583
Instruction Fuzzy Hash: C3618874208302AFD301EF25D899F6AB7B8FB84704F14455DF4A6972E2DB31D905DB62

Function 0093698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009369BE
FindClose.KERNEL32(00000000), ref: 00936A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00936A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00936A75

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00936AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00936ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00936B6A
%4d, xrefs: 00936BB1
%02d, xrefs: 00936C00, 00936C0A, 00936C5A, 00936CAA, 00936CFA, 00936D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00936B32
%03d, xrefs: 00936DA2

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 16139f8e8fc18ca0dfc386bcb15fdc89958fa576d33920a31d69a5dd00e5fe13
Instruction ID: 0c90a5fe91b40e995e14ff8fa4df7b60b7a0971726b17dc98c56a4076e7f7fc5
Opcode Fuzzy Hash: 16139f8e8fc18ca0dfc386bcb15fdc89958fa576d33920a31d69a5dd00e5fe13
Instruction Fuzzy Hash: 14D12C72508340AEC714EBA4C885EABB7FCFB88704F44491DF595D6291EB74DA48CB63

Function 00939642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00939663
GetFileAttributesW.KERNEL32(?), ref: 009396A1
SetFileAttributesW.KERNEL32(?,?), ref: 009396BB
FindNextFileW.KERNEL32(00000000,?), ref: 009396D3
FindClose.KERNEL32(00000000), ref: 009396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0093974A
SetCurrentDirectoryW.KERNEL32(00986B7C), ref: 00939768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00939772
FindClose.KERNEL32(00000000), ref: 0093977F
FindClose.KERNEL32(00000000), ref: 0093978F

Strings

*.*, xrefs: 009396F5

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: dd781648ae6f21d6c151d78a5fc8fc0d9aa702c554f11972ce2d4ffb4c214872
Instruction ID: 08e1b4755326176c8e2214c3a6a35879b07582b8525035ee92ba2c92295370c1
Opcode Fuzzy Hash: dd781648ae6f21d6c151d78a5fc8fc0d9aa702c554f11972ce2d4ffb4c214872
Instruction Fuzzy Hash: 8431FF7260530A6EDB10AFB5DC09BDE33ACAF49325F004055E816E21A0EBB4DE408F10

Function 0093979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00939819
FindClose.KERNEL32(00000000), ref: 00939824
FindFirstFileW.KERNEL32(*.*,?), ref: 00939840
SetCurrentDirectoryW.KERNEL32(?), ref: 00939890
SetCurrentDirectoryW.KERNEL32(00986B7C), ref: 009398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009398B8
FindClose.KERNEL32(00000000), ref: 009398C5
FindClose.KERNEL32(00000000), ref: 009398D5

Part of subcall function 0092DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0092DB00

Strings

*.*, xrefs: 0093983B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ce62733668964396549f43a81e24f02e08c7dfbbf9816c2aebd63d502dfb9313
Instruction ID: f096d882ae01d5f6f80c405dc90e828f7d233a3325cc191be9808c4675b5b4c1
Opcode Fuzzy Hash: ce62733668964396549f43a81e24f02e08c7dfbbf9816c2aebd63d502dfb9313
Instruction Fuzzy Hash: 4F31B27250431A6EDB10EFA9EC48BDE77ACAF86329F104155E955E21A0DBB0DD44CF20

Function 0094BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0094C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0094B6AE,?,?), ref: 0094C9B5
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094C9F1
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA68
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0094BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0094BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0094C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0094C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0094C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0094C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0094C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0094C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0094C382
RegCloseKey.ADVAPI32(00000000), ref: 0094C38F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 79416c5f7aa6f6d6cf6289eb151455d923a7b527fa6c46b9d188f048f6c2fa2f
Instruction ID: a1b3336a2efe896ce222f82dbfa57055a40d1f17f83b7075ddfa7c943c561e2a
Opcode Fuzzy Hash: 79416c5f7aa6f6d6cf6289eb151455d923a7b527fa6c46b9d188f048f6c2fa2f
Instruction Fuzzy Hash: D7022CB16042009FD754DF28C895E2ABBE5FF89318F18849DF84ADB2A2D731ED45CB52

Function 00938195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00938257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00938267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00938273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00938310
SetCurrentDirectoryW.KERNEL32(?), ref: 00938324
SetCurrentDirectoryW.KERNEL32(?), ref: 00938356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0093838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00938395

Strings

*.*, xrefs: 0093839B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5b4c6c472fe3b5af24d1e4666e8d69f57fbf40b3a685531a281f7e010281de06
Instruction ID: a9776b530599763fa91344ad12f183f2c6996ed984ae47886bb49dea214ba0d4
Opcode Fuzzy Hash: 5b4c6c472fe3b5af24d1e4666e8d69f57fbf40b3a685531a281f7e010281de06
Instruction Fuzzy Hash: 5A6124B25083459FCB10EB64C841AAFB3E8FF89314F04892EF999C7251DB35E9458F92

Function 0092D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C3A97,?,?,008C2E7F,?,?,?,00000000), ref: 008C3AC2

Part of subcall function 0092E199: GetFileAttributesW.KERNEL32(?,0092CF95), ref: 0092E19A

FindFirstFileW.KERNEL32(?,?), ref: 0092D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0092D1DD
MoveFileW.KERNEL32(?,?), ref: 0092D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0092D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0092D237

Part of subcall function 0092D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0092D21C,?,?), ref: 0092D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0092D253
FindClose.KERNEL32(00000000), ref: 0092D264

Strings

\*.*, xrefs: 0092D0CD, 0092D0D6, 0092D0EB

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: edae3eb67799849dea91c5a4f9759ea8fae1527d5800979d77993a4b737dc30e
Instruction ID: 186e59e8bea5b1055f1e17b8e324a6dd28de593740b4be5f36e78e32a0f57151
Opcode Fuzzy Hash: edae3eb67799849dea91c5a4f9759ea8fae1527d5800979d77993a4b737dc30e
Instruction Fuzzy Hash: BA618E3180621D9ECF05EBA4E992EEDB779FF55300F208169E411B7196EB30AF09CB61

Function 0093ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0093ED91
EmptyClipboard.USER32 ref: 0093ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0093EDAC
CloseClipboard.USER32 ref: 0093EEA3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9ed112d727c8701c49ff016535305951d8007453b53a86036389f954f3d7040f
Instruction ID: c6150bada89eff9ce338f503997735c91f471e45ff29717738ba3318c99291d9
Opcode Fuzzy Hash: 9ed112d727c8701c49ff016535305951d8007453b53a86036389f954f3d7040f
Instruction Fuzzy Hash: DE418E752186119FE320DF19D848F19BBA5FF44319F14C099E4298B6A2C775ED42CF91

Function 0092E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0092170D
Part of subcall function 009216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0092173A
Part of subcall function 009216C3: GetLastError.KERNEL32 ref: 0092174A

ExitWindowsEx.USER32(?,00000000), ref: 0092E932

Strings

, xrefs: 0092E95C
SeShutdownPrivilege, xrefs: 0092E902
@, xrefs: 0092E925
, xrefs: 0092E920

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ebb13d50e757395f681b9d6282040ab3f0fa7a017b04ee53e63a4c117483f5f0
Instruction ID: bce0f8149ddf7fc1ba43259cc2b5245b535f230f58f5a85d4696c2cce8cba1b3
Opcode Fuzzy Hash: ebb13d50e757395f681b9d6282040ab3f0fa7a017b04ee53e63a4c117483f5f0
Instruction Fuzzy Hash: D0012676620330AFEB1422B5BCCABBF725C9714781F150823F802E21D5D5A55CC08290

Function 00941204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00941276
WSAGetLastError.WSOCK32 ref: 00941283
bind.WSOCK32(00000000,?,00000010), ref: 009412BA
WSAGetLastError.WSOCK32 ref: 009412C5
closesocket.WSOCK32(00000000), ref: 009412F4
listen.WSOCK32(00000000,00000005), ref: 00941303
WSAGetLastError.WSOCK32 ref: 0094130D
closesocket.WSOCK32(00000000), ref: 0094133C

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 5520b86b212cef1ccf1b2503ac02e71e3f9f13d187b1dd91aeb56f8972d3ea6f
Instruction ID: 31ec29d9131decf26f375d5b73aa59ebb38ba14824d229f3bced164304888550
Opcode Fuzzy Hash: 5520b86b212cef1ccf1b2503ac02e71e3f9f13d187b1dd91aeb56f8972d3ea6f
Instruction Fuzzy Hash: 9B415E716002009FD714DF68C489F2ABBE5FF46318F188198E9669F396C771ED81CBA1

Function 008FB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008FB9D4
_free.LIBCMT ref: 008FB9F8
_free.LIBCMT ref: 008FBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00963700), ref: 008FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0099121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00991270,000000FF,?,0000003F,00000000,?), ref: 008FBC36
_free.LIBCMT ref: 008FBD4B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: add1a02076a37b0e9393c9e68508ef2bcf5a440e4a0be2fc39650e1fe2e6f1d4
Instruction ID: d5d06da2d52d5cc7ba6f0fe7bf35987b1676639d88092691326978134d23cec3
Opcode Fuzzy Hash: add1a02076a37b0e9393c9e68508ef2bcf5a440e4a0be2fc39650e1fe2e6f1d4
Instruction Fuzzy Hash: 53C11571A0420DAFCB20AF7DDC41BBEBBA8FF41360F1441AAE694D7251EB308E418751

Function 0092D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C3A97,?,?,008C2E7F,?,?,?,00000000), ref: 008C3AC2

Part of subcall function 0092E199: GetFileAttributesW.KERNEL32(?,0092CF95), ref: 0092E19A

FindFirstFileW.KERNEL32(?,?), ref: 0092D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0092D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0092D481
FindClose.KERNEL32(00000000), ref: 0092D498
FindClose.KERNEL32(00000000), ref: 0092D4A1

Strings

\*.*, xrefs: 0092D3F2

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 84a0de36964c1d0120d1f13825ad80bbdd9bc7aa57da3ea4267ba2b975b18a48
Instruction ID: 2866a914494d1fd5d5bbc49008159db06662a86298dc536389699531bfca0860
Opcode Fuzzy Hash: 84a0de36964c1d0120d1f13825ad80bbdd9bc7aa57da3ea4267ba2b975b18a48
Instruction Fuzzy Hash: D2315E710193559FC204EF64D895DAF77B8FE95304F444A2DF4E1931A1EB30EA099763

Function 008FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008FE645

Strings

1#SNAN, xrefs: 008FF844
1#QNAN, xrefs: 008FF84B
1#IND, xrefs: 008FF83D
1#INF, xrefs: 008FF852

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 9db7f4f0a9522e3a88c9e55e075c458a299b987651a64947714600f38d80a897
Instruction ID: 5d8b7cde0da87041a1da65fbd91a2ffd9ca364167e83526d57bca12e919eb8df
Opcode Fuzzy Hash: 9db7f4f0a9522e3a88c9e55e075c458a299b987651a64947714600f38d80a897
Instruction Fuzzy Hash: F3C21771E0862C8FDB25CE289D407EAB7B5FB89305F1441EADA4DE7251E774AE818F40

Function 0093648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009364DC
CoInitialize.OLE32(00000000), ref: 00936639
CoCreateInstance.OLE32(0095FCF8,00000000,00000001,0095FB68,?), ref: 00936650
CoUninitialize.OLE32 ref: 009368D4

Strings

.lnk, xrefs: 009364BA, 00936524, 009365E0

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: fceca9eca0d709d27be0ab364e8f26595b9d8e87294105d52c64370efeae7d77
Instruction ID: 1d1bf18472e8c94bd80baa8de0e8a22a150f32802d76005171410b3ae2fa08e1
Opcode Fuzzy Hash: fceca9eca0d709d27be0ab364e8f26595b9d8e87294105d52c64370efeae7d77
Instruction Fuzzy Hash: 46D11871518201AFC314EF28C881E6BB7E9FF99704F10896DF595CB291EB71E905CB92

Function 009422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009422E8

Part of subcall function 0093E4EC: GetWindowRect.USER32(?,?), ref: 0093E504

GetDesktopWindow.USER32 ref: 00942312
GetWindowRect.USER32(00000000), ref: 00942319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00942355
GetCursorPos.USER32(?), ref: 00942381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009423DF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9d4c493e8ae9520e4c776278af9c2aa43bc299efc05f86283b0f279a042c5db7
Instruction ID: 70684e018696039c1c8ef2d7f896cd4dfd6d15b939ca19c546636b7b010bd544
Opcode Fuzzy Hash: 9d4c493e8ae9520e4c776278af9c2aa43bc299efc05f86283b0f279a042c5db7
Instruction Fuzzy Hash: 8B31FCB2108315AFC720DF55D848F9BBBA9FFC8714F400A1AF88497181DB34EA08CB92

Function 00939B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00939B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00939C8B

Part of subcall function 00933874: GetInputState.USER32 ref: 009338CB
Part of subcall function 00933874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00933966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00939BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00939C75

Strings

*.*, xrefs: 00939B5D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: ab9b120fd6bfb952b1baa1f1b4fccb1485cf140012e6d89e89d5fa9d4567fb4f
Instruction ID: c2a483b34a29ecb15b56357e0d77733aa813fd499eef0ba46cb9b30270440aae
Opcode Fuzzy Hash: ab9b120fd6bfb952b1baa1f1b4fccb1485cf140012e6d89e89d5fa9d4567fb4f
Instruction Fuzzy Hash: F041717190420A9FCF14DF68D889BEEBBB8FF05315F144159E849A2291EB70DE84CF61

Function 008D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 008D9A4E
GetSysColor.USER32(0000000F), ref: 008D9B23
SetBkColor.GDI32(?,00000000), ref: 008D9B36

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 8b6430db5b364ca36d18a6432c9816dc4a7f5d0456ffacd1df135eae459f2f4c
Instruction ID: 2c3b42d9ad1056c7057d07b35bc533d1d3e47d7387c1dc13d110262630fa3bc3
Opcode Fuzzy Hash: 8b6430db5b364ca36d18a6432c9816dc4a7f5d0456ffacd1df135eae459f2f4c
Instruction Fuzzy Hash: 41A13871208529BEE724EA7D8C48EBB6BADFB82354F15030BF482C67D1DA259D41D372

Function 00941806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0094304E: inet_addr.WSOCK32(?), ref: 0094307A
Part of subcall function 0094304E: _wcslen.LIBCMT ref: 0094309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0094185D
WSAGetLastError.WSOCK32 ref: 00941884
bind.WSOCK32(00000000,?,00000010), ref: 009418DB
WSAGetLastError.WSOCK32 ref: 009418E6
closesocket.WSOCK32(00000000), ref: 00941915

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0ddbb89c0e4f3036d16deffab3a0dc86c16ebe34079790f11712e09843ea8509
Instruction ID: 1889cd790595141365d356174016e8c490b3a623778a92bd1ca69e9a5b4f6c4f
Opcode Fuzzy Hash: 0ddbb89c0e4f3036d16deffab3a0dc86c16ebe34079790f11712e09843ea8509
Instruction Fuzzy Hash: 21519375A00210AFDB10AF28C886F6A77E5EB44718F18855CF9069F3D3DB71ED418BA2

Function 00951C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00951CC0
IsWindowEnabled.USER32 ref: 00951CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00951CDB
IsIconic.USER32 ref: 00951CE9
IsZoomed.USER32 ref: 00951CF7

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: df911069932dcd464ecd430da6643a3888bb9fa5317010e9b3fab9f2848387cc
Instruction ID: f4b6b95d06005f15acfe465b7dcc1a03220379cf809476004f7534025bc3e9ab
Opcode Fuzzy Hash: df911069932dcd464ecd430da6643a3888bb9fa5317010e9b3fab9f2848387cc
Instruction Fuzzy Hash: 2B2180717452115FD720CF1BC884F6A7BA9EF95316B19805CEC8A8B351DB72EC46CB90

Function 008C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 008C83E8
VUUU, xrefs: 008C843C
VUUU, xrefs: 008C83FA
ERCP, xrefs: 008C813C
VUUU, xrefs: 00905DF0

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: e520c8244956950ee8e4d9b9eb24e534708677d1c2db68611e732990f18cb912
Instruction ID: 1d237b7ffac18373ad07d6deda0f46f0f5f1c5d93e99a5758367037e39c536cf
Opcode Fuzzy Hash: e520c8244956950ee8e4d9b9eb24e534708677d1c2db68611e732990f18cb912
Instruction Fuzzy Hash: 72A25770A4021ACFDF248F58C844BAEB7B5FB54314F2581AAE815EB285EB74DD91CF90

Function 0094A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0094A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0094A6BA

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0094A79C
CloseHandle.KERNEL32(00000000), ref: 0094A7AB

Part of subcall function 008DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00903303,?), ref: 008DCE8A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: ed582e3b115b20ef7d94907523ea7100f0c6e7ed5412513449fe9f332363d6e2
Instruction ID: 5b247a80e7546fda5052a9d2924ed9b6082b0d0b23afa3606c385038df4c3bb5
Opcode Fuzzy Hash: ed582e3b115b20ef7d94907523ea7100f0c6e7ed5412513449fe9f332363d6e2
Instruction Fuzzy Hash: 1D51E5B1508300AFD710EF29D886E6ABBE8FF89754F40492DF595D7251EB70E904CB92

Function 0092AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0092AAAC
SetKeyboardState.USER32(00000080), ref: 0092AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0092AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0092AB88

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1b9c21ffff2193d3f22726dff89a514e806c496807ed1ee4e4478a10a3622230
Instruction ID: d70fb455212cbf760e59433eb144d6c2a128836ceebbec3cdd8cbf2a783c15ff
Opcode Fuzzy Hash: 1b9c21ffff2193d3f22726dff89a514e806c496807ed1ee4e4478a10a3622230
Instruction Fuzzy Hash: 5E312C72A40328AFFF35CB65EC05BFA77AAAF94310F04421BF181561D8D3758985D792

Function 0093CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0093CE89
GetLastError.KERNEL32(?,00000000), ref: 0093CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0093CEFE

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: f95c28cc4b9c09f47d90cd8f42ddea78a60c580ad63a37876ae279d7a2fef4ab
Instruction ID: 2d4b59190781ba644155169fbb31406fec2d001f792a70fc7b98b440ddc1dabf
Opcode Fuzzy Hash: f95c28cc4b9c09f47d90cd8f42ddea78a60c580ad63a37876ae279d7a2fef4ab
Instruction Fuzzy Hash: 2721A9B1504B05AFEB309FA6C988BAAB7FCEB40319F10481AE546E2151E774EE049F60

Function 00928298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009282AA

Strings

|, xrefs: 009282DA
(, xrefs: 009282F0

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 6a3dcbd268360495585da464deb3ed7dd24f4d6cf9cd6b5c27433ca7293fa66c
Instruction ID: c06c7bc932f8cfcb163588a36212a3fa483dea6de997a34d51557f5f120285ff
Opcode Fuzzy Hash: 6a3dcbd268360495585da464deb3ed7dd24f4d6cf9cd6b5c27433ca7293fa66c
Instruction Fuzzy Hash: 67323474A017159FCB28CF19D480AAAB7F0FF48710B15C56EE49ADB7A5EB70E981CB40

Function 00935C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00935CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00935D17
FindClose.KERNEL32(?), ref: 00935D5F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 113afdccbade8ec2b59ebbfe3dbb8ffe0c78d51fdedf9d92957d830ef9fc8364
Instruction ID: 99f8b63cdf0259fe2e28f1c2ff3d0c82a8813933f0de3c400dbaf927bb557492
Opcode Fuzzy Hash: 113afdccbade8ec2b59ebbfe3dbb8ffe0c78d51fdedf9d92957d830ef9fc8364
Instruction Fuzzy Hash: 0D516674604A019FC714DF28C494E9AB7E8FF49324F15855EE9AA8B3A2DB30ED05CF91

Function 008F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 008F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 008F2731

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3cfd43dbd29396196b39350565ce189a189c4f4009f749bca3d8629c3420f0ee
Instruction ID: ed25d5bbbc4a0d9426ff828867adffc5a159c6fee481d87dd0ec8ff3d290dbfd
Opcode Fuzzy Hash: 3cfd43dbd29396196b39350565ce189a189c4f4009f749bca3d8629c3420f0ee
Instruction Fuzzy Hash: 9C31B47491132C9BCB21DF69DC89799B7B8FF18310F5041EAE41CA6261E7749F818F45

Function 009351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00935238
SetErrorMode.KERNEL32(00000000), ref: 009352A1

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f82d3f065bdb145016ace08fd53bd416e41a8236f9075ed561c3956f288b1390
Instruction ID: 522bcc274ddda30271172f5a06c1693bcfea089c30150aa56f3cb36ec6168848
Opcode Fuzzy Hash: f82d3f065bdb145016ace08fd53bd416e41a8236f9075ed561c3956f288b1390
Instruction Fuzzy Hash: 71318E75A10618DFDB00DF54D884FAEBBB4FF48314F058099E809AB362CB31E856CB91

Function 009216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008E0668
Part of subcall function 008DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0092170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0092173A
GetLastError.KERNEL32 ref: 0092174A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e10f11055abd73dfa9ccc9fd4dc66e76399ea268ab6f75228ceaf5de4981412e
Instruction ID: 9f345569a23f8805d3e82d76b8e8254454f061cc8abd1446519e78162e6e119d
Opcode Fuzzy Hash: e10f11055abd73dfa9ccc9fd4dc66e76399ea268ab6f75228ceaf5de4981412e
Instruction Fuzzy Hash: 971191B2414305AFD718AF64EC86D6BB7BDFB44765B20852EE05697241EB70BC518B20

Function 0092D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0092D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0092D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0092D650

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: d0b0122daf2165e97ff56845b2028274ecbd7f8f8878ef8445fd392def45c91a
Instruction ID: 06eb61fc64e5fcf51417de007e3341d2e8e6dfd335d316c4e5d887bd6a357284
Opcode Fuzzy Hash: d0b0122daf2165e97ff56845b2028274ecbd7f8f8878ef8445fd392def45c91a
Instruction Fuzzy Hash: 6D117CB1E05328BFDB108F95AC44FAFBBBCEB45B50F108111F914E7294C2704A018BA1

Function 00921663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0092168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009216A1
FreeSid.ADVAPI32(?), ref: 009216B1

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9919ba94cb0faa945aca1d06144295e8b532bc1c882b4df6ada14a3cb0de9ab6
Instruction ID: 6a6a9ea9c3112c56409d25e96551af9b578ab63959958f913ffc9aa6ee960378
Opcode Fuzzy Hash: 9919ba94cb0faa945aca1d06144295e8b532bc1c882b4df6ada14a3cb0de9ab6
Instruction Fuzzy Hash: A3F0F4B1950309FFDF00DFF59C89AAEBBBCEB08605F504565E501E2181E774AA449B50

Function 008E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008F28E9,?,008E4CBE,008F28E9,009888B8,0000000C,008E4E15,008F28E9,00000002,00000000,?,008F28E9), ref: 008E4D09
TerminateProcess.KERNEL32(00000000,?,008E4CBE,008F28E9,009888B8,0000000C,008E4E15,008F28E9,00000002,00000000,?,008F28E9), ref: 008E4D10
ExitProcess.KERNEL32 ref: 008E4D22

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0690cf98a212d6980a6366be09afde649bd4d97b64e7975a7b4e7b860dbe0c59
Instruction ID: 642ab2cad73e9743ea45a87f22898a979688858eadf3089a46870ec02beee5d6
Opcode Fuzzy Hash: 0690cf98a212d6980a6366be09afde649bd4d97b64e7975a7b4e7b860dbe0c59
Instruction Fuzzy Hash: 6DE0B671114788AFCF11AF66DD09A583F69FF82782B104054FD19CA223CB35DD42EB80

Function 008FC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 008FC36C

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 3f38f43ec9565ca4bcdae5e7bcea030a0b5d72c0ed49af6adf350b7e15360d38
Instruction ID: d0a4a1f998553c3088d25abdc87383f60bddc0c1590d671f126f8e17303552c1
Opcode Fuzzy Hash: 3f38f43ec9565ca4bcdae5e7bcea030a0b5d72c0ed49af6adf350b7e15360d38
Instruction Fuzzy Hash: D841397290021DAFCB209FB9DD49EBB77B8FB84354F104269FA05D7280E6719E81CB50

Function 0091D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0091D28C

Strings

X64, xrefs: 0091D2A8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 173b75f651e22bd87e3ccec5928c300dda5a49ebb49637d1a7682de451de8019
Instruction ID: 487582a74ddd33bdf074242b5763b7bb83852ab82163f1415688b0f0aea650ef
Opcode Fuzzy Hash: 173b75f651e22bd87e3ccec5928c300dda5a49ebb49637d1a7682de451de8019
Instruction Fuzzy Hash: 23D0C9B581521DEECF90CBA0DC88DDDB3BCFB04305F100652F106E2140D77495489F10

Function 008ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a3f5fef9f97d259f2b6e99acf7b7dc0df58f6bf6ec66c16d26b6bcb02d6dfec0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A7021D71E002599FDF14CFA9C8806ADFBF1FF89314F254169E919E7384D731A9428B94

Function 009368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00936918
FindClose.KERNEL32(00000000), ref: 00936961

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d891290c4fe8516d6dc3f7f8f9200a6fdf370f1c3a78f1ec9050cdb1e4ee0936
Instruction ID: bbd2b47e133a7723fa73a7df37609f0bdd5740c30ca7f1a7d460e2b9b203d81e
Opcode Fuzzy Hash: d891290c4fe8516d6dc3f7f8f9200a6fdf370f1c3a78f1ec9050cdb1e4ee0936
Instruction Fuzzy Hash: 38118E71614200AFC710DF29D484B16BBE5FF85329F14C69DE4698F6A2CB70EC05CB91

Function 009337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00944891,?,?,00000035,?), ref: 009337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00944891,?,?,00000035,?), ref: 009337F4

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 56919c7a5ff76b8556948c4fa04b687eebc842fe62e3a5310f42bbf15956fe48
Instruction ID: a1308c8eb6e30c1be4af5fe4f0b6a537f95ffdab93c77b8c6bcaf257ee89c6b6
Opcode Fuzzy Hash: 56919c7a5ff76b8556948c4fa04b687eebc842fe62e3a5310f42bbf15956fe48
Instruction Fuzzy Hash: 64F0E5B06043292EE72017668C4DFEB3AAEEFC4761F000165F609E2291DA709904CBB0

Function 0092B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0092B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0092B270

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: be1d3c3f4b62f35d1d322ad5b3d3ce2f8af89f87ddf35178c3a3834047609daf
Instruction ID: 439912f53c70fba444e684c123846846dbf27ab877fc58ea66dcc802e8d964c8
Opcode Fuzzy Hash: be1d3c3f4b62f35d1d322ad5b3d3ce2f8af89f87ddf35178c3a3834047609daf
Instruction Fuzzy Hash: 13F01D7181434DAFDB059FA1D805BAE7FB4FF08305F008409F965A5192D3799611DF94

Function 009210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009211FC), ref: 009210D4
CloseHandle.KERNEL32(?,?,009211FC), ref: 009210E9

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7c618a7a36b866d36fe6905dba0de8ac2d512c7c707f7f3314bd2de7e9785e5c
Instruction ID: cddd41b09a608d3ae15241b05a67a24b345ad5294235b206958d6e9f867f8501
Opcode Fuzzy Hash: 7c618a7a36b866d36fe6905dba0de8ac2d512c7c707f7f3314bd2de7e9785e5c
Instruction Fuzzy Hash: 63E04F72018710AEEB252B66FC05E7377A9FB04311B10892EF5A6C04B6DB626CA0EB50

Function 008CCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00910C40

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 464c76a184c72cabcdd1f02d9ddb04119c2278fd672c782db7ae101a49a170ac
Instruction ID: ad7326b6c54c8a80b7d328ce446388a440a93828bc876da1908a153226d4df3f
Opcode Fuzzy Hash: 464c76a184c72cabcdd1f02d9ddb04119c2278fd672c782db7ae101a49a170ac
Instruction Fuzzy Hash: 88324A74A102189BCF14DF94C885FEDB7B9FF45308F14805DE80AAB291DB76E985CB61

Function 008F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008F6766,?,?,00000008,?,?,008FFEFE,00000000), ref: 008F6998

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e4071199228cac84a975130289e6eec445086366511928debc1c7ce9143cd9be
Instruction ID: 8ebc42c11428d0245a46cb49ad87dc0ce9398de949a2b8ce7b39af5638c33b40
Opcode Fuzzy Hash: e4071199228cac84a975130289e6eec445086366511928debc1c7ce9143cd9be
Instruction Fuzzy Hash: 15B13B3162060D9FD715CF28C48AB657BE0FF45368F29865CE999CF2A2D335E9A1CB40

Function 008DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0091851F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: be97429e0bbf3eb7c53cfbe73fad639f2ec16ae21df8f8881a7f4c2ef449dc43
Instruction ID: 8da139ef818a58830702112e1dcc60e5e97aecb1a105c6d392a995132e07e337
Opcode Fuzzy Hash: be97429e0bbf3eb7c53cfbe73fad639f2ec16ae21df8f8881a7f4c2ef449dc43
Instruction Fuzzy Hash: 69124E71A00229DBDB14CF58C881AEEB7F5FF48710F15819AE849EB351DB349E81DB94

Function 0093EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0093EABD

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5a80a708bb0f71d2976b0b7b806ccdb3307387bc4c296ecb0d85f1152a5df841
Instruction ID: 4fda209c7437bf00d7e2a36ab575ab6a151e4ca019d3e96cd7d4c03c66ae7505
Opcode Fuzzy Hash: 5a80a708bb0f71d2976b0b7b806ccdb3307387bc4c296ecb0d85f1152a5df841
Instruction Fuzzy Hash: 87E01A352102059FC710EF5AD805E9AB7E9FF98760F00841AFC49C7391DAB0E8418B91

Function 008E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008E03EE), ref: 008E09DA

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 52099cbfbccac420de9f48da21492a1f3dc29afe17f595568f2b229a110a077c
Instruction ID: d1c38aad85b2267fd18903fb73766ad429990a4c970a4b8a7847d52ffba30c43
Opcode Fuzzy Hash: 52099cbfbccac420de9f48da21492a1f3dc29afe17f595568f2b229a110a077c
Instruction Fuzzy Hash:

Function 008E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 008E798B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d929befcdc24a59ec1f515b77b54b419b8251ccb2a358f0b1c6ca6a4d97c08d3
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: BA51997160C6E99BEB38956F885D7BE2B89FF23344F180539D886C7283C619DE01D35A

Function 008F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5741fceb46e0880b6c3db57033be5b89cef858169a9f501f0aeccba777e164c3
Instruction ID: 7a9cd412f8f7158a266559aa272b6039f40b9f845c0b5520f5dd0d90acd25680
Opcode Fuzzy Hash: 5741fceb46e0880b6c3db57033be5b89cef858169a9f501f0aeccba777e164c3
Instruction Fuzzy Hash: A0321122D3DF054DE7239634C822336A649EFB73C5F15D73BE81AB5AA9EB69C4835100

Function 008DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276df7f81b559aea1c38cfbd2d92a3eb84b0f462ae15e1e246f3d852c09210ae
Instruction ID: f8cc1c156ef7add008ab375b7db22326f22febd3cf9b6368ca3148f68f109843
Opcode Fuzzy Hash: 276df7f81b559aea1c38cfbd2d92a3eb84b0f462ae15e1e246f3d852c09210ae
Instruction Fuzzy Hash: B532F1B1B8411E8ADF28CA28C5906FD77A5EF45310F288A6BD98ADB391D234DDC1DB41

Function 008C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df1fe032e57df240d8272d9e8a25b586cdbab0732a3ced1a04175d50ee5bfc4
Instruction ID: ba29ccc2eb4c92c4381f717cad74446145f4ed3582f63c35d2c85487785f907f
Opcode Fuzzy Hash: 6df1fe032e57df240d8272d9e8a25b586cdbab0732a3ced1a04175d50ee5bfc4
Instruction Fuzzy Hash: AF228C70A0460A9FDF14CFA8C881AAEB7B6FF44314F104629E816E7291EB36ED54CF51

Function 008C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b62ba9b348084647ce123e9a4b3bb516474f1c57ce8f3e4ae9e4d629a6c8707
Instruction ID: e282e14ee2cc5e7911aed84dbd504e93e236e8a98ba6dde4c7c3a2d64dbab45c
Opcode Fuzzy Hash: 9b62ba9b348084647ce123e9a4b3bb516474f1c57ce8f3e4ae9e4d629a6c8707
Instruction Fuzzy Hash: 3702B5B1A00219EFDB04DF64D881BADB7B5FF44300F508569E856DB391EB31DA11DB91

Function 008F9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be371611d16305e6dbd5e05efc9fcc8563b92e4017ca0d3eea4218eabd2a2dd0
Instruction ID: 8eac0354b7d4a609ba9796522d4cbec96a055f3c24ff967fc2cd8e26fd251217
Opcode Fuzzy Hash: be371611d16305e6dbd5e05efc9fcc8563b92e4017ca0d3eea4218eabd2a2dd0
Instruction Fuzzy Hash: 38B1F220E3AF454DD32396398831336B65CAFBB6D5F91D71BFC1A74E62EB2286835140

Function 008E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 22a7ba97194ebae161c12d69f13093fc061fc33bb59516deb0f224f59f2cb589
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 7E9144726080E34ADF69463B857847EFFE1EA933A131A079DE4F2CA1C5EE34D954D620

Function 008E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5f3a3cb842d09a6cb7a0109b193e9f4a4a2903388f07dd3a24f3890a419ea87d
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2A9110722090E24ADF69467B857803DFEE1AA933B531A07AED4F2CA1C1FE34C5549620

Function 008E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465fd4c140b3416427cb79661e153554aae1c5499aec5b0b76e28a8f25c524e7
Instruction ID: 5faf4d98019b064a986fc1fb1921368d7c567cccaae0a0e52f9d9e14211acd74
Opcode Fuzzy Hash: 465fd4c140b3416427cb79661e153554aae1c5499aec5b0b76e28a8f25c524e7
Instruction Fuzzy Hash: E06169716087D9A6DA349A2F8C95BBE3398FF83764F20092DE942DB2C1D611DE428316

Function 008E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bd55f929e253bb11a15a06233f2e7bec10cfe5ac504357180b4f48a9c2bc0c
Instruction ID: 18e9090e5f086cab8f561d2e08cfa524a1edd5c8e7f689a6b6d3936af63977ab
Opcode Fuzzy Hash: c5bd55f929e253bb11a15a06233f2e7bec10cfe5ac504357180b4f48a9c2bc0c
Instruction Fuzzy Hash: C7617B7170C7CEA6DE385A2F4C95BBF2389FF43B44F100959E942DB289EA12DD428356

Function 008E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 22f8e94de3d83992e1b5afd85c6116c0d404e2546a65b542eb2af6a55a40149d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 778141726090E34ADF69423B857847EFFE1BA933A131A07ADD4F2CA1C6EE34C554D620

Function 00932046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089b6c5d2680233ae3c5087fe8e3a2da34d685c1a58550f745731fd76acf23fb
Instruction ID: 33902571911a4c518801488556ca91c79002ef8ce5ac862eb3b6ded0530758a1
Opcode Fuzzy Hash: 089b6c5d2680233ae3c5087fe8e3a2da34d685c1a58550f745731fd76acf23fb
Instruction Fuzzy Hash: A621A5326216158BDB2CCF7DC82267E73E9A754310F25862EE4A7C77D0DE35A904DB90

Function 00942ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00942B30
DeleteObject.GDI32(00000000), ref: 00942B43
DestroyWindow.USER32 ref: 00942B52
GetDesktopWindow.USER32 ref: 00942B6D
GetWindowRect.USER32(00000000), ref: 00942B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00942CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00942CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942CF8
GetClientRect.USER32(00000000,?), ref: 00942D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00942D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942DA8
GlobalFree.KERNEL32(00000000), ref: 00942DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0095FC38,00000000), ref: 00942DDB
GlobalFree.KERNEL32(00000000), ref: 00942DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00942E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00942E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0094303F

Strings

DISPLAY, xrefs: 00942EA2
static, xrefs: 00942D3A, 00942E91
, xrefs: 00942FC5
AutoIt v3, xrefs: 00942CF2

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 17a111c43b18180e10ad3fa02946f3f17199b8c85e53f00a7bf4fe81fb763049
Instruction ID: 64ca3c2960316664ba41392079e08ab9f0ff8d88628d8467b6e17e63db92dd34
Opcode Fuzzy Hash: 17a111c43b18180e10ad3fa02946f3f17199b8c85e53f00a7bf4fe81fb763049
Instruction Fuzzy Hash: 4F027AB1910209AFDB14DF69CC89EAE7BB9FB49711F008159F915AB2A1CB70ED01DF60

Function 009570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0095712F
GetSysColorBrush.USER32(0000000F), ref: 00957160
GetSysColor.USER32(0000000F), ref: 0095716C
SetBkColor.GDI32(?,000000FF), ref: 00957186
SelectObject.GDI32(?,?), ref: 00957195
InflateRect.USER32(?,000000FF,000000FF), ref: 009571C0
GetSysColor.USER32(00000010), ref: 009571C8
CreateSolidBrush.GDI32(00000000), ref: 009571CF
FrameRect.USER32(?,?,00000000), ref: 009571DE
DeleteObject.GDI32(00000000), ref: 009571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00957230
FillRect.USER32(?,?,?), ref: 00957262
GetWindowLongW.USER32(?,000000F0), ref: 00957284

Part of subcall function 009573E8: GetSysColor.USER32(00000012), ref: 00957421
Part of subcall function 009573E8: SetTextColor.GDI32(?,?), ref: 00957425
Part of subcall function 009573E8: GetSysColorBrush.USER32(0000000F), ref: 0095743B
Part of subcall function 009573E8: GetSysColor.USER32(0000000F), ref: 00957446
Part of subcall function 009573E8: GetSysColor.USER32(00000011), ref: 00957463
Part of subcall function 009573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00957471
Part of subcall function 009573E8: SelectObject.GDI32(?,00000000), ref: 00957482
Part of subcall function 009573E8: SetBkColor.GDI32(?,00000000), ref: 0095748B
Part of subcall function 009573E8: SelectObject.GDI32(?,?), ref: 00957498
Part of subcall function 009573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009574B7
Part of subcall function 009573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009574CE
Part of subcall function 009573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009574DB

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 46d44a7c28c3f8756082e747e1784dfbd47e77230f08d22c675c6b05ed5b2585
Instruction ID: 43eeb9a8c78c626b9e4e610f1471fc98dc87f96ad93b8b9fd1f7824b3b1f98e8
Opcode Fuzzy Hash: 46d44a7c28c3f8756082e747e1784dfbd47e77230f08d22c675c6b05ed5b2585
Instruction Fuzzy Hash: B9A1A1B201C301BFDB00DFA2EC48A5BBBA9FB49322F100A19F962961E1D774E945DB51

Function 008D8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00916AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00916AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00916F43

Part of subcall function 008D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008D8BE8,?,00000000,?,?,?,?,008D8BBA,00000000,?), ref: 008D8FC5

SendMessageW.USER32(?,00001053), ref: 00916F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00916F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00916FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00916FB7

Strings

0, xrefs: 00916DCF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ffb1a5a2333ea777ff84d72b8c4c788f297016dcb63b993f04fef92d651c7d8d
Instruction ID: 9613b8b9b612ed68c4ec3cc7a6431a715f0553b538d90424ff964af1df3f8215
Opcode Fuzzy Hash: ffb1a5a2333ea777ff84d72b8c4c788f297016dcb63b993f04fef92d651c7d8d
Instruction Fuzzy Hash: 4A129D34A09206DFDB25CF28D884BAAB7E9FB44301F14456AF585CB261CB31EC92DF91

Function 00942711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0094273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0094286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00942900
GetClientRect.USER32(00000000,?), ref: 0094290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00942955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00942964
GetStockObject.GDI32(00000011), ref: 00942974
SelectObject.GDI32(00000000,00000000), ref: 00942978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00942988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00942991
DeleteDC.GDI32(00000000), ref: 0094299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00942A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00942A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00942A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00942A77
GetStockObject.GDI32(00000011), ref: 00942A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00942A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00942A97

Strings

DISPLAY, xrefs: 0094295A
static, xrefs: 0094294F, 00942A71
msctls_progress32, xrefs: 00942A13
AutoIt v3, xrefs: 009428F8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1bda36910a934c523a92933d227c33ca40a2bf2bb3a2982de3d2176f0d329022
Instruction ID: dc5f74b2bb8af6bc2abc4d5ceb55693dc310571228aa968aa2a7321ea8defb00
Opcode Fuzzy Hash: 1bda36910a934c523a92933d227c33ca40a2bf2bb3a2982de3d2176f0d329022
Instruction Fuzzy Hash: 7CB139B1A10215AFEB14DF69CC8AFAE7BB9FB48711F008119F915E7290D770E940DBA0

Function 00934ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00934AED
GetDriveTypeW.KERNEL32(?,0095CB68,?,\\.\,0095CC08), ref: 00934BCA
SetErrorMode.KERNEL32(00000000,0095CB68,?,\\.\,0095CC08), ref: 00934D36

Strings

Removable, xrefs: 00934C10, 00934C15
CDROM, xrefs: 00934BFB
ATA, xrefs: 00934C98
Fibre, xrefs: 00934CAD
MMC, xrefs: 00934CDE
SAS, xrefs: 00934CC9
SSA, xrefs: 00934CA6
iSCSI, xrefs: 00934CC2
Unknown, xrefs: 00934BED, 00934C83
SSD, xrefs: 00934C4A
SCSI, xrefs: 00934C8A
Virtual, xrefs: 00934CE5
\\.\, xrefs: 00934B3F
FileBackedVirtual, xrefs: 00934CEC
USB, xrefs: 00934CB4
RAID, xrefs: 00934CBB
Fixed, xrefs: 00934C09
ATAPI, xrefs: 00934C91
Network, xrefs: 00934C02
RAMDisk, xrefs: 00934BF4
1394, xrefs: 00934C9F
PhysicalDrive, xrefs: 00934B76
SATA, xrefs: 00934CD0

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2addf9a7d273b0ebf0d039c4603481e4ab9c0aedd0c7c26308306e4369a14095
Instruction ID: b7bb29928bc6d352bf5609f2bd98ae7817a72a4d88f02ef7aa8796b6bba78c06
Opcode Fuzzy Hash: 2addf9a7d273b0ebf0d039c4603481e4ab9c0aedd0c7c26308306e4369a14095
Instruction Fuzzy Hash: AE6194306052059BCB14EF28C981EADB7B4EB44304F259459F886AF792DB39FD41DF41

Function 009573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00957421
SetTextColor.GDI32(?,?), ref: 00957425
GetSysColorBrush.USER32(0000000F), ref: 0095743B
GetSysColor.USER32(0000000F), ref: 00957446
CreateSolidBrush.GDI32(?), ref: 0095744B
GetSysColor.USER32(00000011), ref: 00957463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00957471
SelectObject.GDI32(?,00000000), ref: 00957482
SetBkColor.GDI32(?,00000000), ref: 0095748B
SelectObject.GDI32(?,?), ref: 00957498
InflateRect.USER32(?,000000FF,000000FF), ref: 009574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0095752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00957554
InflateRect.USER32(?,000000FD,000000FD), ref: 00957572
DrawFocusRect.USER32(?,?), ref: 0095757D
GetSysColor.USER32(00000011), ref: 0095758E
SetTextColor.GDI32(?,00000000), ref: 00957596
DrawTextW.USER32(?,009570F5,000000FF,?,00000000), ref: 009575A8
SelectObject.GDI32(?,?), ref: 009575BF
DeleteObject.GDI32(?), ref: 009575CA
SelectObject.GDI32(?,?), ref: 009575D0
DeleteObject.GDI32(?), ref: 009575D5
SetTextColor.GDI32(?,?), ref: 009575DB
SetBkColor.GDI32(?,?), ref: 009575E5

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8b7fdcd350155ee3f85f38dbabcf0844fdae2ba06aba19fd18b0e0b5352b67b0
Instruction ID: ac501979faa22a9c64d2dcf30f36393d38614ec56b5f752ba19ff44354158940
Opcode Fuzzy Hash: 8b7fdcd350155ee3f85f38dbabcf0844fdae2ba06aba19fd18b0e0b5352b67b0
Instruction Fuzzy Hash: C76170B2908318AFDF01DFA5DC49EAEBFB9EB08321F104115F915AB2A1D7749A40DB90

Function 00950FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00951128
GetDesktopWindow.USER32 ref: 0095113D
GetWindowRect.USER32(00000000), ref: 00951144
GetWindowLongW.USER32(?,000000F0), ref: 00951199
DestroyWindow.USER32(?), ref: 009511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0095120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0095121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00951232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00951245
IsWindowVisible.USER32(00000000), ref: 009512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009512D0
GetWindowRect.USER32(00000000,?), ref: 009512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0095130E
GetMonitorInfoW.USER32(00000000,?), ref: 00951328
CopyRect.USER32(?,?), ref: 0095133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009513AA

Strings

tooltips_class32, xrefs: 009511E6
0, xrefs: 009510D3
(, xrefs: 0095131B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 1e08f663b08a1e5b4b0d6c027eed55bd8a334b72a653bfd8710244c508dc59e8
Instruction ID: dc4aa590221fb7427138ea91e63aa7ce43e9a9f931c1e3bdfd7ddd35ac8f6b6a
Opcode Fuzzy Hash: 1e08f663b08a1e5b4b0d6c027eed55bd8a334b72a653bfd8710244c508dc59e8
Instruction Fuzzy Hash: 9CB17B71608341AFD704DF6AC885F6ABBE4FF84351F00891CF9999B2A1D771E849CB92

Function 00950241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009502E5
_wcslen.LIBCMT ref: 0095031F
_wcslen.LIBCMT ref: 00950389
_wcslen.LIBCMT ref: 009503F1
_wcslen.LIBCMT ref: 00950475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009504C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00950504

Part of subcall function 008DF9F2: _wcslen.LIBCMT ref: 008DF9FD

Part of subcall function 0092223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00922258
Part of subcall function 0092223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0092228A

Strings

SELECT, xrefs: 00950548
GETITEMCOUNT, xrefs: 00950316, 00950337
GETSELECTEDCOUNT, xrefs: 00950470, 0095048B
GETSUBITEMCOUNT, xrefs: 00950384, 0095039F
VIEWCHANGE, xrefs: 00950675
SELECTINVERT, xrefs: 0095057E
ISSELECTED, xrefs: 009504DD
SELECTCLEAR, xrefs: 0095052D
SELECTALL, xrefs: 00950515
GETTEXT, xrefs: 009503EC, 00950407
FINDITEM, xrefs: 00950627
DESELECT, xrefs: 0095059C
GETSELECTED, xrefs: 009505E1

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: cafaf6dda015a002f9900a5ae7df8f336b01f8a646ea2ddb9094e0e0ef4ee1b9
Instruction ID: e1c6c3a0bc1cb7ed6a9da09ded9bef17147e244e9334d2658cdb78d3c0c754a3
Opcode Fuzzy Hash: cafaf6dda015a002f9900a5ae7df8f336b01f8a646ea2ddb9094e0e0ef4ee1b9
Instruction Fuzzy Hash: 39E17C312082019FC724EF2AC55192AB7E6FFD8715F144A6DF8969B3A1DB30ED49CB42

Function 008D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008D8968
GetSystemMetrics.USER32(00000007), ref: 008D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008D899B
GetSystemMetrics.USER32(00000008), ref: 008D89A3
GetSystemMetrics.USER32(00000004), ref: 008D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 008D8A5A
GetStockObject.GDI32(00000011), ref: 008D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 008D8A81

Part of subcall function 008D912D: GetCursorPos.USER32(?), ref: 008D9141
Part of subcall function 008D912D: ScreenToClient.USER32(00000000,?), ref: 008D915E
Part of subcall function 008D912D: GetAsyncKeyState.USER32(00000001), ref: 008D9183
Part of subcall function 008D912D: GetAsyncKeyState.USER32(00000002), ref: 008D919D

SetTimer.USER32(00000000,00000000,00000028,008D90FC), ref: 008D8AA8

Strings

AutoIt v3 GUI, xrefs: 008D8A20

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ec7d0b822c4bdc03d7754c2c7cc0b40ad72002d01ee26dd8f65b85b2c0bb5177
Instruction ID: ac3205c184e28c76e811f558a52fc77c146d46236ce428016c8a3a39b8332248
Opcode Fuzzy Hash: ec7d0b822c4bdc03d7754c2c7cc0b40ad72002d01ee26dd8f65b85b2c0bb5177
Instruction Fuzzy Hash: 6DB18971A0430AEFDB14DFA9DC85BAE3BB5FB48315F10422AFA15E7290DB30A941DB51

Function 00920D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00921114
Part of subcall function 009210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921120
Part of subcall function 009210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 0092112F
Part of subcall function 009210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921136
Part of subcall function 009210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00920DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00920E29
GetLengthSid.ADVAPI32(?), ref: 00920E40
GetAce.ADVAPI32(?,00000000,?), ref: 00920E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00920E96
GetLengthSid.ADVAPI32(?), ref: 00920EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00920EB5
HeapAlloc.KERNEL32(00000000), ref: 00920EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00920EDD
CopySid.ADVAPI32(00000000), ref: 00920EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00920F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00920F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00920F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920F6E
HeapFree.KERNEL32(00000000), ref: 00920F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920F7E
HeapFree.KERNEL32(00000000), ref: 00920F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920F8E
HeapFree.KERNEL32(00000000), ref: 00920F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00920FA1
HeapFree.KERNEL32(00000000), ref: 00920FA8

Part of subcall function 00921193: GetProcessHeap.KERNEL32(00000008,00920BB1,?,00000000,?,00920BB1,?), ref: 009211A1
Part of subcall function 00921193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00920BB1,?), ref: 009211A8
Part of subcall function 00921193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00920BB1,?), ref: 009211B7

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: efde4cf056a4c05af1c2a435e5b26a708bc96e034047d295e385f7c971df1afb
Instruction ID: aa8ff6fbf6a904af850fd0b3dcabb6b8e1b1dddbcebbd6a620c93544d8f13073
Opcode Fuzzy Hash: efde4cf056a4c05af1c2a435e5b26a708bc96e034047d295e385f7c971df1afb
Instruction Fuzzy Hash: 3F7168B290431AAFDF209FA5ED48BEEBBBCFF44311F048115F919A6196D7319A05CB60

Function 0094C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0095CC08,00000000,?,00000000,?,?), ref: 0094C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0094C5A4
_wcslen.LIBCMT ref: 0094C5F4
_wcslen.LIBCMT ref: 0094C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0094C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0094C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0094C84D
RegCloseKey.ADVAPI32(?), ref: 0094C881
RegCloseKey.ADVAPI32(00000000), ref: 0094C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0094C960

Strings

REG_EXPAND_SZ, xrefs: 0094C5CD
REG_QWORD, xrefs: 0094C8C3
REG_DWORD, xrefs: 0094C804
REG_BINARY, xrefs: 0094C913
REG_MULTI_SZ, xrefs: 0094C6F5
REG_SZ, xrefs: 0094C644

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: d983ac68cdb56b8539951088b897667d4b8a142ab412c684e3c624f52cda782b
Instruction ID: 81d051c31421e2800a6ae5610629b48becce3db68677e8c34be56ddf44ea04c2
Opcode Fuzzy Hash: d983ac68cdb56b8539951088b897667d4b8a142ab412c684e3c624f52cda782b
Instruction Fuzzy Hash: 5B1215756042019FDB54DF28C881E2AB7E5FF89714F14885CF89A9B3A2DB31ED41CB82

Function 0095091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009509C6
_wcslen.LIBCMT ref: 00950A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00950A54
_wcslen.LIBCMT ref: 00950A8A
_wcslen.LIBCMT ref: 00950B06
_wcslen.LIBCMT ref: 00950B81

Part of subcall function 008DF9F2: _wcslen.LIBCMT ref: 008DF9FD

Part of subcall function 00922BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00922BFA

Strings

SELECT, xrefs: 00950D11
GETITEMCOUNT, xrefs: 00950C1E
GETTOTALCOUNT, xrefs: 009509F2, 00950A17
UNCHECK, xrefs: 00950D3E
EXPAND, xrefs: 00950BF8
GETTEXT, xrefs: 00950C97
EXISTS, xrefs: 00950B7C, 00950B97
CHECK, xrefs: 00950A85, 00950AA0
COLLAPSE, xrefs: 00950B01, 00950B1C
ISCHECKED, xrefs: 00950CE1
GETSELECTED, xrefs: 00950C4E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 059ffd121e490cac0dab2f3f2fc13383b68068b5cafe6f508f7efa087e0c436d
Instruction ID: 8e3a25b768398e3c6e3e8fdfb7ac2a8bcf8116e61e83e696cc3542bb40cad083
Opcode Fuzzy Hash: 059ffd121e490cac0dab2f3f2fc13383b68068b5cafe6f508f7efa087e0c436d
Instruction Fuzzy Hash: EFE16D356083019FCB14EF2AC45092AB7E5FFD8315B14895DF8969B3A2DB31ED49CB82

Function 0094C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0094B6AE,?,?), ref: 0094C9B5
_wcslen.LIBCMT ref: 0094C9F1
_wcslen.LIBCMT ref: 0094CA68
_wcslen.LIBCMT ref: 0094CA9E
_wcslen.LIBCMT ref: 0094CAF9
_wcslen.LIBCMT ref: 0094CB2F
_wcslen.LIBCMT ref: 0094CB7F

Strings

HKU, xrefs: 0094CBF0
HKCC, xrefs: 0094CBAC
HKCR, xrefs: 0094CB29, 0094CB2E
HKCU, xrefs: 0094CBCE
HKEY_CLASSES_ROOT, xrefs: 0094CAF3, 0094CAF8
HKEY_CURRENT_CONFIG, xrefs: 0094CB79, 0094CB7E
HKEY_LOCAL_MACHINE, xrefs: 0094CA62, 0094CA67
HKEY_CURRENT_USER, xrefs: 0094CBBD
HKEY_USERS, xrefs: 0094CBDF
HKLM, xrefs: 0094CA98, 0094CA9D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f44a582bfde7f7835b05b52a43a83280e4d7c551662bf567c7c4c4c8c9fde209
Instruction ID: 05c74c7f992f28e1a80380f719916e16d5e51ccfd88b1c0bcbd9ae75af18e701
Opcode Fuzzy Hash: f44a582bfde7f7835b05b52a43a83280e4d7c551662bf567c7c4c4c8c9fde209
Instruction Fuzzy Hash: 377118B260112A8FCB60EE7CC951DBE3399EF61754F250928FC66E7285EA35CD44C3A1

Function 0095833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0095835A
_wcslen.LIBCMT ref: 0095836E
_wcslen.LIBCMT ref: 00958391
_wcslen.LIBCMT ref: 009583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00955BF2), ref: 0095844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00958487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00958501
FreeLibrary.KERNEL32(?), ref: 0095850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0095851D
DestroyIcon.USER32(?,?,?,?,?,00955BF2), ref: 0095852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00958549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00958555

Strings

.icl, xrefs: 00958368
.dll, xrefs: 009583AB
.exe, xrefs: 00958388

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: fd47a319a96d1c4c7425b1199630eb2ca14b230fbcdca69602ffc4b842c3094d
Instruction ID: f646cfdab922e4dc4a855028f5a743d3d4dc05f40b72053ec34b656420f4f725
Opcode Fuzzy Hash: fd47a319a96d1c4c7425b1199630eb2ca14b230fbcdca69602ffc4b842c3094d
Instruction Fuzzy Hash: F261CB71504205BAEB14DF66CC81BBF77A8FB04722F104549FC15E61E1EB74A984DBA0

Function 008C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 008C77D3
#notrayicon, xrefs: 008C77E7
#comments-end, xrefs: 008C78D9
", xrefs: 00905153
#include-once, xrefs: 008C782F
#include, xrefs: 008C7847
#ce, xrefs: 008C78ED
#OnAutoItStartRegister, xrefs: 008C7817
', xrefs: 00905169
Bad directive syntax error, xrefs: 0090519A
#comments-start, xrefs: 008C785F, 008C78B1
Cannot parse #include, xrefs: 00905279
#requireadmin, xrefs: 008C77FF
#cs, xrefs: 008C7873, 008C78C5
Unterminated group of comments, xrefs: 0090528C

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 83b94cd5a29bc808c86fd20c975626016cc32b1fe4c9d94ab6145858f31c8a35
Instruction ID: f69c43deb084055d71a5a168c6b632f6b5bc00d2de6609b2db6d0777df350fb6
Opcode Fuzzy Hash: 83b94cd5a29bc808c86fd20c975626016cc32b1fe4c9d94ab6145858f31c8a35
Instruction Fuzzy Hash: 5581C371604209AFDB20AF69DD52FAF37B8FF55304F044029F909EA196EB70DA15CB92

Function 00933E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00933EF8
_wcslen.LIBCMT ref: 00933F03
_wcslen.LIBCMT ref: 00933F5A
_wcslen.LIBCMT ref: 00933F98
GetDriveTypeW.KERNEL32(?), ref: 00933FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0093401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00934059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00934087

Strings

close, xrefs: 00933EFE, 00933F18
type cdaudio alias cd wait, xrefs: 00934001
close cd wait, xrefs: 00934072
set cd door , xrefs: 00934028
wait, xrefs: 00934044
open , xrefs: 00933FE5
open, xrefs: 00933F54, 00933F59
closed, xrefs: 00933F08, 00933F2D, 00933F46, 00933F7E, 00933F97

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 7af5d59c7e99418c6d9f6d8e0fd1a0e7e50c803ad53e899595ee11f45f18591c
Instruction ID: c025c769880c583578d6a44f4630e45ac8b4a09e38e4b7ac307b7f0bb7e9fe90
Opcode Fuzzy Hash: 7af5d59c7e99418c6d9f6d8e0fd1a0e7e50c803ad53e899595ee11f45f18591c
Instruction Fuzzy Hash: CF718C726042019FC710EF28C88196AB7F8FF94758F50892DF996D7261EB31EE45CB92

Function 00925A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00925A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00925A40
SetWindowTextW.USER32(?,?), ref: 00925A57
GetDlgItem.USER32(?,000003EA), ref: 00925A6C
SetWindowTextW.USER32(00000000,?), ref: 00925A72
GetDlgItem.USER32(?,000003E9), ref: 00925A82
SetWindowTextW.USER32(00000000,?), ref: 00925A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00925AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00925AC3
GetWindowRect.USER32(?,?), ref: 00925ACC
_wcslen.LIBCMT ref: 00925B33
SetWindowTextW.USER32(?,?), ref: 00925B6F
GetDesktopWindow.USER32 ref: 00925B75
GetWindowRect.USER32(00000000), ref: 00925B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00925BD3
GetClientRect.USER32(?,?), ref: 00925BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00925C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00925C2F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 881693205515058db52b9042bc2114e5b2ef1f67d79f678e37e206e2485c4e1a
Instruction ID: 6f1832751e71e3df3fc93e42bf62fb3cd4c55759db15e2aa90aed0fe2a62c011
Opcode Fuzzy Hash: 881693205515058db52b9042bc2114e5b2ef1f67d79f678e37e206e2485c4e1a
Instruction Fuzzy Hash: 1B71AE71900B19EFCB20DFA9DE85BAEBBF9FF48705F114918E182A25A4D774E940CB10

Function 0093FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0093FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0093FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0093FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0093FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0093FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0093FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0093FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0093FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0093FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0093FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0093FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0093FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0093FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0093FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0093FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0093FECC
GetCursorInfo.USER32(?), ref: 0093FEDC
GetLastError.KERNEL32 ref: 0093FF1E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: b3ca9eea0d9977ac0cb0b74d68e7969fef38c569871260e08bf44278137cce54
Instruction ID: 39f793d2d69fe34c1f395c597320f8d793b04be6069ebcb55761e0dfca2bb298
Opcode Fuzzy Hash: b3ca9eea0d9977ac0cb0b74d68e7969fef38c569871260e08bf44278137cce54
Instruction Fuzzy Hash: 654122B0D093196ADB109FBA8C89C5EBFE8FF04754B50452AE51DE7281DB78E901CF91

Function 008E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008E00C6

Part of subcall function 008E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0099070C,00000FA0,772E072D,?,?,?,?,009023B3,000000FF), ref: 008E011C
Part of subcall function 008E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009023B3,000000FF), ref: 008E0127
Part of subcall function 008E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009023B3,000000FF), ref: 008E0138
Part of subcall function 008E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008E014E
Part of subcall function 008E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008E015C
Part of subcall function 008E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008E016A
Part of subcall function 008E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008E0195
Part of subcall function 008E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008E01A0

___scrt_fastfail.LIBCMT ref: 008E00E7

Part of subcall function 008E00A3: __onexit.LIBCMT ref: 008E00A9

Strings

InitializeConditionVariable, xrefs: 008E0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 008E0122
kernel32.dll, xrefs: 008E0133
SleepConditionVariableCS, xrefs: 008E0154
WakeAllConditionVariable, xrefs: 008E0162

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 146c1856de84fca78c461dc4b5c2b30e0425d918f400583e5d1a4ea251bdbb2a
Instruction ID: a05cd869ac86ed76c71ebf3017c7d7bbe9d0457225605a0ff7966b7c2e2ca2b5
Opcode Fuzzy Hash: 146c1856de84fca78c461dc4b5c2b30e0425d918f400583e5d1a4ea251bdbb2a
Instruction Fuzzy Hash: 9821F97265D7506FDB105BBAAC05B2A33A4FB86B66F000536F901EB2D1DBB49C409F91

Function 009230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092318D
_wcslen.LIBCMT ref: 009231F8

Strings

INSTANCE, xrefs: 00923453
CLASSNN, xrefs: 009231F3, 00923204
REGEXPCLASS, xrefs: 00923255, 00923266
NAME, xrefs: 00923335, 00923346
TEXT, xrefs: 0092347C
CLASS, xrefs: 00923188, 009231A5

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 22d4c62067032ae4f4124ce240a7cb87e531f311d0c91f34d4059284c11241d1
Instruction ID: e6681fdd8c68f5631c4c7d68649f33324ab7223a7f88beff60a5e8df090dce05
Opcode Fuzzy Hash: 22d4c62067032ae4f4124ce240a7cb87e531f311d0c91f34d4059284c11241d1
Instruction Fuzzy Hash: D5E10632A00626ABCB14EF68D441BEDBBB4FF54710F54C119E45AF3254DB38AF898790

Function 009344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0095CC08), ref: 00934527
_wcslen.LIBCMT ref: 0093453B
_wcslen.LIBCMT ref: 00934599
_wcslen.LIBCMT ref: 009345F4
_wcslen.LIBCMT ref: 0093463F
_wcslen.LIBCMT ref: 009346A7

Part of subcall function 008DF9F2: _wcslen.LIBCMT ref: 008DF9FD

GetDriveTypeW.KERNEL32(?,00986BF0,00000061), ref: 00934743

Strings

fixed, xrefs: 00934635, 0093463A
ramdisk, xrefs: 009346F1
cdrom, xrefs: 0093458F, 00934594
network, xrefs: 0093469D, 009346A2
removable, xrefs: 009345EA, 009345EF
all, xrefs: 00934531, 00934536
unknown, xrefs: 00934708

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 9c55e8c98a245af5f574735f6fb0a1ab7ef6235ec5df6ef69abf3ad21c6e80c0
Instruction ID: 4d2238328896b6ba6b0b94cea5ec7f12b5b0c9b168888974e905bb4736abea6c
Opcode Fuzzy Hash: 9c55e8c98a245af5f574735f6fb0a1ab7ef6235ec5df6ef69abf3ad21c6e80c0
Instruction Fuzzy Hash: 98B1D1716083029FC710EF28C891A6AB7E9FFA6764F51492DF496C7291E730E845CF92

Function 00943FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0095CC08), ref: 009440BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009440CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0095CC08), ref: 009440F2
FreeLibrary.KERNEL32(00000000,?,0095CC08), ref: 0094413E
StringFromGUID2.OLE32(?,?,00000028,?,0095CC08), ref: 009441A8
SysFreeString.OLEAUT32(00000009), ref: 00944262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009442C8
SysFreeString.OLEAUT32(?), ref: 009442F2

Strings

GetModuleHandleExW, xrefs: 009440C7
kernel32.dll, xrefs: 009440B6

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: daf4ac04bd053f0fd53e7e93014e5b555caaa3bc72d1379625f9eec4f05f85c4
Instruction ID: 7e4f63527fa516efdeaee2a1772316b9790ff323b17d185e4ef324db056b1bd0
Opcode Fuzzy Hash: daf4ac04bd053f0fd53e7e93014e5b555caaa3bc72d1379625f9eec4f05f85c4
Instruction Fuzzy Hash: 1E122975A00215AFDB14CF94C884FAEB7B9FF49319F248498F905AB261D731ED46CBA0

Function 008C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00991990), ref: 00902F8D
GetMenuItemCount.USER32(00991990), ref: 0090303D
GetCursorPos.USER32(?), ref: 00903081
SetForegroundWindow.USER32(00000000), ref: 0090308A
TrackPopupMenuEx.USER32(00991990,00000000,?,00000000,00000000,00000000), ref: 0090309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009030A9

Strings

0, xrefs: 008C327D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 6be117af9648d81bfc2826ddb3601b57bf81f6f27b549cd2992a9d5c6ea08e4d
Instruction ID: 3f4aa33f233ca7cd97feafd47234b7be20759100a2ce6c9c9f50a4d31bdc3ece
Opcode Fuzzy Hash: 6be117af9648d81bfc2826ddb3601b57bf81f6f27b549cd2992a9d5c6ea08e4d
Instruction Fuzzy Hash: 83710970644316BEEB258F69DC49FAABF78FF05368F204216F615AA1E0C7B1AD10DB50

Function 00956CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00956DEB

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00956E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00956E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00956E94
DestroyWindow.USER32(?), ref: 00956EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008C0000,00000000), ref: 00956EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00956EFD
GetDesktopWindow.USER32 ref: 00956F16
GetWindowRect.USER32(00000000), ref: 00956F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00956F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00956F4D

Part of subcall function 008D9944: GetWindowLongW.USER32(?,000000EB), ref: 008D9952

Strings

0, xrefs: 00956D98
tooltips_class32, xrefs: 00956E58, 00956EDD

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 66585d68d033479d1b4b4da6eca27ea47c0e08fb32ccd47ba6294fa21ae42b98
Instruction ID: 4277e71ba8653ccf5d106647fe9ae4b46149da624598adc58d2215404bd0dd03
Opcode Fuzzy Hash: 66585d68d033479d1b4b4da6eca27ea47c0e08fb32ccd47ba6294fa21ae42b98
Instruction Fuzzy Hash: 6D715674508345AFDB21CF19D848FAABBE9FB99305F44091EF98987261C770E90ADB12

Function 0095911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00959147

Part of subcall function 00957674: ClientToScreen.USER32(?,?), ref: 0095769A
Part of subcall function 00957674: GetWindowRect.USER32(?,?), ref: 00957710
Part of subcall function 00957674: PtInRect.USER32(?,?,00958B89), ref: 00957720

SendMessageW.USER32(?,000000B0,?,?), ref: 009591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00959225
SendMessageW.USER32(?,000000B0,?,?), ref: 0095923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00959255
SendMessageW.USER32(?,000000B1,?,?), ref: 00959277
DragFinish.SHELL32(?), ref: 0095927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00959371

Strings

@GUI_DRAGID, xrefs: 009592E9
@GUI_DRAGFILE, xrefs: 00959320
@GUI_DROPID, xrefs: 0095929E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 7d8d1dde6f5fd78c0d157f61309cf1e6bb7e493efac09c90ba36e8401998f3cf
Instruction ID: 566eb4bc4eb1096cd41fed81c175e190ccc8c97542c9cb1e26a8217b9beb3b45
Opcode Fuzzy Hash: 7d8d1dde6f5fd78c0d157f61309cf1e6bb7e493efac09c90ba36e8401998f3cf
Instruction Fuzzy Hash: D9614771108301AFD705EF65DC85EABBBF8FB89750F00092EF595921A1DB709A49CB52

Function 0093C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0093C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0093C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0093C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0093C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0093C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0093C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0093C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0093C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0093C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0093C5F0
InternetCloseHandle.WININET(00000000), ref: 0093C5FB

Strings

, xrefs: 0093C575

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 415b7ac4f6d07952cf1773df93436b06d887b51f849868311705395cc45f8427
Instruction ID: e2fab4ec5273790418d15b1d413f7ef7129074b398bf6f99981d3c34c88587ec
Opcode Fuzzy Hash: 415b7ac4f6d07952cf1773df93436b06d887b51f849868311705395cc45f8427
Instruction Fuzzy Hash: 965139F1504B09BFDB219F65C988AAB7BFCFB08755F004419F945A6610DB34E944EF60

Function 0095856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00958592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0095FC38,?), ref: 00958611
GlobalFree.KERNEL32(00000000), ref: 00958621
GetObjectW.GDI32(?,00000018,?), ref: 00958641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00958671
DeleteObject.GDI32(?), ref: 00958699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009586AF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e924748ce5d6ce637b6e8f610cf06d9139f03d9dfca07406b4f99e9252b2f3e7
Instruction ID: c3ff5c2094867651ab4cf3e91be978409fa1df094a3acd082a14d8967cec2bd7
Opcode Fuzzy Hash: e924748ce5d6ce637b6e8f610cf06d9139f03d9dfca07406b4f99e9252b2f3e7
Instruction Fuzzy Hash: 344129B5605308AFDB11DFA6DC48EAB7BBCEF89716F104058F916E7260DB309945DB20

Function 009314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00931502
VariantCopy.OLEAUT32(?,?), ref: 0093150B
VariantClear.OLEAUT32(?), ref: 00931517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00931657
VariantInit.OLEAUT32(?), ref: 00931708
SysFreeString.OLEAUT32(?), ref: 0093178C
VariantClear.OLEAUT32(?), ref: 009317D8
VariantClear.OLEAUT32(?), ref: 009317E7
VariantInit.OLEAUT32(00000000), ref: 00931823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00931625
Default, xrefs: 009316AF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: cb8ce0ef2e5a8c35e01671b9f688b75f0d8a0ddd2e9e521d52670ea74070caa9
Instruction ID: d55a7cf5e78493791994bffa9438aedf4cecd49f28cdb577f1c985abe654d215
Opcode Fuzzy Hash: cb8ce0ef2e5a8c35e01671b9f688b75f0d8a0ddd2e9e521d52670ea74070caa9
Instruction Fuzzy Hash: B1D1FE71A00205EBDB009F69E885B79B7B9FF44700F14895AF446EB2A1DB34EC45DF62

Function 0094B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 0094C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0094B6AE,?,?), ref: 0094C9B5
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094C9F1
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA68
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0094B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0094B80A
RegCloseKey.ADVAPI32(?), ref: 0094B87E
RegCloseKey.ADVAPI32(?), ref: 0094B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0094B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0094B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0094B922
FreeLibrary.KERNEL32(00000000), ref: 0094B983
RegCloseKey.ADVAPI32(00000000), ref: 0094B994

Strings

RegDeleteKeyExW, xrefs: 0094B8FE
advapi32.dll, xrefs: 0094B8ED

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 499c18d41cab68aee7e1d9c819d9aebbe95fc4479327d82b9357d51db2a3895a
Instruction ID: 90378346c9d78fa33a4dff082a3e731d3fc7ac904974904238a6e5baf3086ca3
Opcode Fuzzy Hash: 499c18d41cab68aee7e1d9c819d9aebbe95fc4479327d82b9357d51db2a3895a
Instruction Fuzzy Hash: 02C16D70218201AFD714DF28C495F2ABBF5FF84318F14855CE49A8B7A2CB75E945CB92

Function 0094255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009425E8
CreateCompatibleDC.GDI32(?), ref: 009425F4
SelectObject.GDI32(00000000,?), ref: 00942601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0094266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009426D0
SelectObject.GDI32(?,?), ref: 009426D8
DeleteObject.GDI32(?), ref: 009426E1
DeleteDC.GDI32(?), ref: 009426E8
ReleaseDC.USER32(00000000,?), ref: 009426F3

Strings

(, xrefs: 0094268D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: d34cad7d1f59c7674825e50fd1cd83d27406970e8c772825ed61895bfff10abd
Instruction ID: 064b31e3cf39398f689445fb5c6c4d646cd4e9700826bc8c215992e4c43df299
Opcode Fuzzy Hash: d34cad7d1f59c7674825e50fd1cd83d27406970e8c772825ed61895bfff10abd
Instruction Fuzzy Hash: 9D61E1B5D04219EFCF14CFA8D884EAEBBB5FF48310F20852AE956A7250D770A941DF50

Function 008FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008FDAA1

Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD659
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD66B
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD67D
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD68F
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6A1
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6B3
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6C5
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6D7
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6E9
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6FB
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD70D
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD71F
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD731

_free.LIBCMT ref: 008FDA96

Part of subcall function 008F29C8: HeapFree.KERNEL32(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008FDAB8
_free.LIBCMT ref: 008FDACD
_free.LIBCMT ref: 008FDAD8
_free.LIBCMT ref: 008FDAFA
_free.LIBCMT ref: 008FDB0D
_free.LIBCMT ref: 008FDB1B
_free.LIBCMT ref: 008FDB26
_free.LIBCMT ref: 008FDB5E
_free.LIBCMT ref: 008FDB65
_free.LIBCMT ref: 008FDB82
_free.LIBCMT ref: 008FDB9A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b4323f411a0dfe001135902eb13ad428897174727a9411ce91406d8afe61fa3c
Instruction ID: 9a98fbc5011b227001c01eedcb533e63aa82462f7d66b6574515eed6200a09e1
Opcode Fuzzy Hash: b4323f411a0dfe001135902eb13ad428897174727a9411ce91406d8afe61fa3c
Instruction Fuzzy Hash: 48314A3264430E9FEB22AE39E845F7A7BEAFF00321F154519E749D7291DA71EC408725

Function 0092365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0092369C
_wcslen.LIBCMT ref: 009236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00923797
GetClassNameW.USER32(?,?,00000400), ref: 0092380C
GetDlgCtrlID.USER32(?), ref: 0092385D
GetWindowRect.USER32(?,?), ref: 00923882
GetParent.USER32(?), ref: 009238A0
ScreenToClient.USER32(00000000), ref: 009238A7
GetClassNameW.USER32(?,?,00000100), ref: 00923921
GetWindowTextW.USER32(?,?,00000400), ref: 0092395D

Strings

%s%u, xrefs: 00923734

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b83e6cb775e8af7fa8b1a0dde7abf610bc83ffd97a77abaa47c52cb35025935c
Instruction ID: e774e0585320b606c6b1548c6826e9ea7b68caf358f68b1916b33848acb4e4b3
Opcode Fuzzy Hash: b83e6cb775e8af7fa8b1a0dde7abf610bc83ffd97a77abaa47c52cb35025935c
Instruction Fuzzy Hash: E391D071204726EFD718DF24E885BAAB7ECFF45340F008629F999D2194DB34EA45CB91

Function 00924954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00924994
GetWindowTextW.USER32(?,?,00000400), ref: 009249DA
_wcslen.LIBCMT ref: 009249EB
CharUpperBuffW.USER32(?,00000000), ref: 009249F7
_wcsstr.LIBVCRUNTIME ref: 00924A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00924A64
GetWindowTextW.USER32(?,?,00000400), ref: 00924A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00924AE6
GetClassNameW.USER32(?,?,00000400), ref: 00924B20
GetWindowRect.USER32(?,?), ref: 00924B8B

Strings

ThumbnailClass, xrefs: 00924A6F, 00924AF1

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b84358aee19c256699f9d6f275748d36fd4b963c3f1d3590f7dc05044cf349e8
Instruction ID: ace2d7ff18df857b799dd324be3d89ce4f858c2862e220326069e4a076ec22f0
Opcode Fuzzy Hash: b84358aee19c256699f9d6f275748d36fd4b963c3f1d3590f7dc05044cf349e8
Instruction Fuzzy Hash: 1C91CE710083269FDB04DF15E985BAA77ECFF84314F048469FD859A09ADB30ED45CBA2

Function 00958D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00958D5A
GetFocus.USER32 ref: 00958D6A
GetDlgCtrlID.USER32(00000000), ref: 00958D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00958E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00958ECF
GetMenuItemCount.USER32(?), ref: 00958EEC
GetMenuItemID.USER32(?,00000000), ref: 00958EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00958F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00958F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00958FA1

Strings

0, xrefs: 00958E9F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: adfa7ae679fe27137125102d4aba4d05954cf15afa95856acbdf5c44247c59f0
Instruction ID: d3ac195c46d6c876a4f664d9152fa8ca717bfc4f36234758b41ddb162880fdd2
Opcode Fuzzy Hash: adfa7ae679fe27137125102d4aba4d05954cf15afa95856acbdf5c44247c59f0
Instruction Fuzzy Hash: 4381AF71508301AFDB10DF16D885A6B7BF9FB88355F040919FD85A7291DB30D909DBA2

Function 0092BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00991990,000000FF,00000000,00000030), ref: 0092BFAC
SetMenuItemInfoW.USER32(00991990,00000004,00000000,00000030), ref: 0092BFE1
Sleep.KERNEL32(000001F4), ref: 0092BFF3
GetMenuItemCount.USER32(?), ref: 0092C039
GetMenuItemID.USER32(?,00000000), ref: 0092C056
GetMenuItemID.USER32(?,-00000001), ref: 0092C082
GetMenuItemID.USER32(?,?), ref: 0092C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0092C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0092C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0092C145

Strings

0, xrefs: 0092BF3D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 2c5682eb688425794cc27c4e2fe2b1851ab0a7c8107cdbf5edb4afe7a818f4dc
Instruction ID: 34bb4862baff4ea83177b209c315444ee3565fc36c8b16f27b90752fee48b5de
Opcode Fuzzy Hash: 2c5682eb688425794cc27c4e2fe2b1851ab0a7c8107cdbf5edb4afe7a818f4dc
Instruction Fuzzy Hash: 82618CB091836AAFDF11CF68ED89AEE7BB8EF05344F100055F801A3296D735AD15DBA0

Function 0092DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0092DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0092DC46
_wcslen.LIBCMT ref: 0092DC50
_wcsstr.LIBVCRUNTIME ref: 0092DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0092DCBC

Strings

04090000, xrefs: 0092DCF2
StringFileInfo\, xrefs: 0092DC8F
%u.%u.%u.%u, xrefs: 0092DD9A
DefaultLangCodepage, xrefs: 0092DD1F
\VarFileInfo\Translation, xrefs: 0092DCB4

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: f83730ff8f63932dbf3086875760efc08b515e51bd23fdb6cf0c5f72d80697f6
Instruction ID: 81f461746847d33d9dc2f213b1215b1abf95b07490289ba72792bdef6413a176
Opcode Fuzzy Hash: f83730ff8f63932dbf3086875760efc08b515e51bd23fdb6cf0c5f72d80697f6
Instruction Fuzzy Hash: AA4105729407107ADB00E76AAC07EBF37ACEF46710F10016AFA05E61C2EB75D90097A6

Function 0094CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0094CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0094CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0094CD48

Part of subcall function 0094CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0094CCAA
Part of subcall function 0094CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0094CCBD
Part of subcall function 0094CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0094CCCF
Part of subcall function 0094CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0094CD05
Part of subcall function 0094CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0094CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0094CCF3

Strings

RegDeleteKeyExW, xrefs: 0094CCC9
advapi32.dll, xrefs: 0094CCB8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 998fecc8a1935117aedcb33613ae79ac4b61e0757e25fea2365de17f86314006
Instruction ID: 54d9f8aebb8371302fe1d2ebeeeb877f10ddbdd00283f5820ed6d5929057e19a
Opcode Fuzzy Hash: 998fecc8a1935117aedcb33613ae79ac4b61e0757e25fea2365de17f86314006
Instruction Fuzzy Hash: 693183B1D02219BFDB209B61DC88EFFBB7CEF45751F000565B905E2290DB349A45EBA0

Function 00933D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00933D40
_wcslen.LIBCMT ref: 00933D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00933D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00933DBE
RemoveDirectoryW.KERNEL32(?), ref: 00933DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00933E55
CloseHandle.KERNEL32(00000000), ref: 00933E60
CloseHandle.KERNEL32(00000000), ref: 00933E6B

Strings

\, xrefs: 00933D77
:, xrefs: 00933D82
\??\%s, xrefs: 00933D5B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: fa846b6c2ac006716a82966e2476062578fd6f2897ada6e9a88b9d07843c498f
Instruction ID: 5d92b90063417479d9229f1a1c8a0b07c6fe6b7ca2dd533e03a510b4c455761a
Opcode Fuzzy Hash: fa846b6c2ac006716a82966e2476062578fd6f2897ada6e9a88b9d07843c498f
Instruction Fuzzy Hash: 4731D4B1954209ABDB209BA5DC48FEF37BCEF89701F1080B5F619D61A0E77497848F24

Function 0092E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0092E6B4

Part of subcall function 008DE551: timeGetTime.WINMM(?,?,0092E6D4), ref: 008DE555

Sleep.KERNEL32(0000000A), ref: 0092E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0092E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0092E727
SetActiveWindow.USER32 ref: 0092E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0092E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0092E773
Sleep.KERNEL32(000000FA), ref: 0092E77E
IsWindow.USER32 ref: 0092E78A
EndDialog.USER32(00000000), ref: 0092E79B

Strings

BUTTON, xrefs: 0092E719

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 052205ed805a3c7f57785818473d49148363543733e9e264df877aa9f67aa8c5
Instruction ID: ab8dc4924574ed8859cc93a5de4087096389a0e3eec30a3511f25b89fa27324e
Opcode Fuzzy Hash: 052205ed805a3c7f57785818473d49148363543733e9e264df877aa9f67aa8c5
Instruction Fuzzy Hash: 372190B022D315BFEB105F69FCC9B2A3B6DF75474AF100427F506826A6DB71AC40AB24

Function 0092E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0092EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0092EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0092EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0092EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0092EAA7

Strings

status PlayMe mode, xrefs: 0092EA58
play PlayMe wait, xrefs: 0092EA91
play PlayMe, xrefs: 0092EAA2
alias PlayMe, xrefs: 0092EA36
open , xrefs: 0092EA0C
close PlayMe, xrefs: 0092EA6E, 0092EA9B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: df5ea2c2495e954087c7db5ff4189fea78c485e6a6ddadf1f755b171f0e1b955
Instruction ID: 6919f1d63f77e24b456a289e489aa75b01cc27ce522a2d436ea023401c0e40a4
Opcode Fuzzy Hash: df5ea2c2495e954087c7db5ff4189fea78c485e6a6ddadf1f755b171f0e1b955
Instruction Fuzzy Hash: 4611C631A5026979D720B7A5EC4AEFF6A7CFBD1B04F000429B401E61D0EE704D45C6B1

Function 00929F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0092A012
SetKeyboardState.USER32(?), ref: 0092A07D
GetAsyncKeyState.USER32(000000A0), ref: 0092A09D
GetKeyState.USER32(000000A0), ref: 0092A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0092A0E3
GetKeyState.USER32(000000A1), ref: 0092A0F4
GetAsyncKeyState.USER32(00000011), ref: 0092A120
GetKeyState.USER32(00000011), ref: 0092A12E
GetAsyncKeyState.USER32(00000012), ref: 0092A157
GetKeyState.USER32(00000012), ref: 0092A165
GetAsyncKeyState.USER32(0000005B), ref: 0092A18E
GetKeyState.USER32(0000005B), ref: 0092A19C

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5b4ae514db47b4eb1779893b3f9468d1f3d9091d69eaba8af8238142d6a63a26
Instruction ID: 4efed85064c2643ba5bab7958d184c9ab6f078d45f4625a9b2b74cff48c881b6
Opcode Fuzzy Hash: 5b4ae514db47b4eb1779893b3f9468d1f3d9091d69eaba8af8238142d6a63a26
Instruction Fuzzy Hash: 03510B215087A42AFB35EBA0A9107EABFF89F12350F084599D5C2571C7DA549E4CCB62

Function 00925CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00925CE2
GetWindowRect.USER32(00000000,?), ref: 00925CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00925D59
GetDlgItem.USER32(?,00000002), ref: 00925D69
GetWindowRect.USER32(00000000,?), ref: 00925D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00925DCF
GetDlgItem.USER32(?,000003E9), ref: 00925DDD
GetWindowRect.USER32(00000000,?), ref: 00925DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00925E31
GetDlgItem.USER32(?,000003EA), ref: 00925E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00925E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00925E67

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3cb2c093f7a1106b2206fd7195c93a552c7ae6a233c0c254da30bf6e405625d0
Instruction ID: 2398b197893ae6891493a4b81c83a8f2f5388db538c018c9e8dd55f23a4592b6
Opcode Fuzzy Hash: 3cb2c093f7a1106b2206fd7195c93a552c7ae6a233c0c254da30bf6e405625d0
Instruction Fuzzy Hash: 72512DB1A10715AFDF18CF69DD89AAEBBB9FB48301F118129F915E6294D7709E00CB50

Function 008D8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008D8BE8,?,00000000,?,?,?,?,008D8BBA,00000000,?), ref: 008D8FC5

DestroyWindow.USER32(?), ref: 008D8C81
KillTimer.USER32(00000000,?,?,?,?,008D8BBA,00000000,?), ref: 008D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00916973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008D8BBA,00000000,?), ref: 009169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008D8BBA,00000000,?), ref: 009169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008D8BBA,00000000), ref: 009169D4
DeleteObject.GDI32(00000000), ref: 009169E6

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e6ab34c11621d399b8a28d1856379210caf9268eef7e5b02348609ee931ce2b2
Instruction ID: d849478f5b407f54757bcc772a76fed4fb42bda94297414f3807f45a515c31fd
Opcode Fuzzy Hash: e6ab34c11621d399b8a28d1856379210caf9268eef7e5b02348609ee931ce2b2
Instruction Fuzzy Hash: 50618C31626709DFCB269F29D948B6977F5FB50316F14461AE042DBAA0CB31ADC0EF90

Function 008D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 008D9944: GetWindowLongW.USER32(?,000000EB), ref: 008D9952

GetSysColor.USER32(0000000F), ref: 008D9862

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 71937e9c30a3e754b953c022769084e61a430167dcbde217ff033f0ffd95e503
Instruction ID: 31bf2b6f974f690bbe3935bc4a00559907e448a44596271fb69cc0decc3101f8
Opcode Fuzzy Hash: 71937e9c30a3e754b953c022769084e61a430167dcbde217ff033f0ffd95e503
Instruction Fuzzy Hash: 87419071108744AFDB205F799C84BB93B6AFB06722F144756F9E2872E1D7319942EB10

Function 009296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0090F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00929717
LoadStringW.USER32(00000000,?,0090F7F8,00000001), ref: 00929720

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0090F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00929742
LoadStringW.USER32(00000000,?,0090F7F8,00000001), ref: 00929745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00929866

Strings

Line %d:, xrefs: 009297A0
Line %d (File "%s"):, xrefs: 0092978F
^ ERROR, xrefs: 009297FB
Error: , xrefs: 0092981D
%s (%d) : ==> %s: %s %s, xrefs: 0092984A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3518e4c1505d8ee14350df6345a5153c24913208bf044059b32128f24116ba5b
Instruction ID: 7f43ffb67b0ec3a90b410bcd041212d1ead8e36d2421e589d3ca044028893044
Opcode Fuzzy Hash: 3518e4c1505d8ee14350df6345a5153c24913208bf044059b32128f24116ba5b
Instruction Fuzzy Hash: BB415E72904219AADB04FBE4ED46EEE7778FF54340F100169F605B2192EB35AF49CB62

Function 009206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00920804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0092082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00920837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0092083C

Strings

\CLSID, xrefs: 00920724
SOFTWARE\Classes\, xrefs: 0092070E
\IPC$, xrefs: 00920784

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ee1fa3ce57223c128adbfa499e62390cff441988b9a1591bf15850057d8800c5
Instruction ID: 01d8a4fb8baeea87a809b2fa1e47f97720d43d0c58e6ef66cafb63be85b66bd5
Opcode Fuzzy Hash: ee1fa3ce57223c128adbfa499e62390cff441988b9a1591bf15850057d8800c5
Instruction Fuzzy Hash: 9D410872C10229ABDF15EBA4EC85DEEB778FF44354F454169E901A32A1EB309E04CB91

Function 00953F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0095403B
CreateCompatibleDC.GDI32(00000000), ref: 00954042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00954055
SelectObject.GDI32(00000000,00000000), ref: 0095405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00954068
DeleteDC.GDI32(00000000), ref: 00954072
GetWindowLongW.USER32(?,000000EC), ref: 0095407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00954092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0095409E

Strings

static, xrefs: 00953FD3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c0b49963760fbfb2fdf5400e8acc2c4c32826a76de0f7881d134820ff521ceab
Instruction ID: 5eedb7dbd3c63676ad00802335e76d895681738b2e248959645c5d8401223003
Opcode Fuzzy Hash: c0b49963760fbfb2fdf5400e8acc2c4c32826a76de0f7881d134820ff521ceab
Instruction Fuzzy Hash: 00318B72515315AFDF219FB6DC48FDA3B68EF0D326F100210FA14A21A0C735D855EB50

Function 00943C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00943C5C
CoInitialize.OLE32(00000000), ref: 00943C8A
CoUninitialize.OLE32 ref: 00943C94
_wcslen.LIBCMT ref: 00943D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00943DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00943ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00943F0E
CoGetObject.OLE32(?,00000000,0095FB98,?), ref: 00943F2D
SetErrorMode.KERNEL32(00000000), ref: 00943F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00943FC4
VariantClear.OLEAUT32(?), ref: 00943FD8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 11f1a0f0f3d7da9615a03fb3abd9b2ab49b0842be85801d9bde6aecc26a144be
Instruction ID: 30c88117dfadb9bd974c50a295be729a72334629f117f77209e25ad2aeff64b3
Opcode Fuzzy Hash: 11f1a0f0f3d7da9615a03fb3abd9b2ab49b0842be85801d9bde6aecc26a144be
Instruction Fuzzy Hash: 31C101B1608305AF9700DF69C884D2BBBE9FF89748F10895DF98A9B251D731EE05CB52

Function 00937A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00937AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00937B8F
SHGetDesktopFolder.SHELL32(?), ref: 00937BA3
CoCreateInstance.OLE32(0095FD08,00000000,00000001,00986E6C,?), ref: 00937BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00937C74
CoTaskMemFree.OLE32(?,?), ref: 00937CCC
SHBrowseForFolderW.SHELL32(?), ref: 00937D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00937D7A
CoTaskMemFree.OLE32(00000000), ref: 00937D81
CoTaskMemFree.OLE32(00000000), ref: 00937DD6
CoUninitialize.OLE32 ref: 00937DDC

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 7cbe25d3cbe29f955d711b51fd5b5b24b08125a1454e737b7d0e622194849787
Instruction ID: 77ca9a90a4b9cd9eb38c5a8f8a29c6fd1338e9318bcfcc6c976bb0aedc064f18
Opcode Fuzzy Hash: 7cbe25d3cbe29f955d711b51fd5b5b24b08125a1454e737b7d0e622194849787
Instruction Fuzzy Hash: 08C1E7B5A04209AFCB14DFA4C884DAEBBB9FF48304F148499E919DB261D730EE45CF90

Function 0095541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00955504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00955515
CharNextW.USER32(00000158), ref: 00955544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00955585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0095559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009555AC

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: c32d602375e252517675e9ba926d68ce9ec1f230d36f22b21124e20918752491
Instruction ID: 4bc7c150870ae7f4a7de99ec1f834dfe0b0c2d75b3a4b963111aef1750a340cd
Opcode Fuzzy Hash: c32d602375e252517675e9ba926d68ce9ec1f230d36f22b21124e20918752491
Instruction Fuzzy Hash: DB61B070904609EFDF10CF96CCA4AFE7BB9FB05322F114445F925A72A2D7348A89DB60

Function 0091FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0091FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0091FB08
VariantInit.OLEAUT32(?), ref: 0091FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0091FB3A
VariantCopy.OLEAUT32(?,?), ref: 0091FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0091FBA1
VariantClear.OLEAUT32(?), ref: 0091FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0091FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0091FBCC
VariantClear.OLEAUT32(?), ref: 0091FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0091FBE9

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d000ea5671e42d5a906d9a2d3e3407ede17bc6eb46fd8a99b2ce53c4ab3b5dd8
Instruction ID: 5e6b0180a3ecb3fd2db8e3d77c0516a50039f3eeb9d82b4835970f89c4281ebb
Opcode Fuzzy Hash: d000ea5671e42d5a906d9a2d3e3407ede17bc6eb46fd8a99b2ce53c4ab3b5dd8
Instruction Fuzzy Hash: C3416075A0421D9FCB00DF68C864DEDBBB9FF48345F008069E819A7261DB34A946CB90

Function 00929C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00929CA1
GetAsyncKeyState.USER32(000000A0), ref: 00929D22
GetKeyState.USER32(000000A0), ref: 00929D3D
GetAsyncKeyState.USER32(000000A1), ref: 00929D57
GetKeyState.USER32(000000A1), ref: 00929D6C
GetAsyncKeyState.USER32(00000011), ref: 00929D84
GetKeyState.USER32(00000011), ref: 00929D96
GetAsyncKeyState.USER32(00000012), ref: 00929DAE
GetKeyState.USER32(00000012), ref: 00929DC0
GetAsyncKeyState.USER32(0000005B), ref: 00929DD8
GetKeyState.USER32(0000005B), ref: 00929DEA

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 500973e95160e13be8f2556ba2be9cf0eef6135f2b47c3cec4867d1b88a3bef0
Instruction ID: d85cd371bab0e2fdc9ef79e8a0a3c26d3ec6eb140c904754cba523a867d16dd2
Opcode Fuzzy Hash: 500973e95160e13be8f2556ba2be9cf0eef6135f2b47c3cec4867d1b88a3bef0
Instruction Fuzzy Hash: 31410B745087DA6DFF30D760E8043B5BEE86F11344F04805EEAC6566C6EBA49DC8D7A2

Function 0094055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009405BC
inet_addr.WSOCK32(?), ref: 0094061C
gethostbyname.WSOCK32(?), ref: 00940628
IcmpCreateFile.IPHLPAPI ref: 00940636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009407B9
WSACleanup.WSOCK32 ref: 009407BF

Strings

Ping, xrefs: 00940676

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fe9c94e8065e5fb56e222a9c60c7ee749738947fc4b3b4c273f1e92612a8df4c
Instruction ID: e17431bfd9ea17bb4ad8449b1764fffff87fa828049325add18d0c198f817ed5
Opcode Fuzzy Hash: fe9c94e8065e5fb56e222a9c60c7ee749738947fc4b3b4c273f1e92612a8df4c
Instruction Fuzzy Hash: 10916C755083019FD320DF19C889F1ABBE4EF84318F1589A9E56A8B6A2C730ED41CF92

Function 00948CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00948CF3

Part of subcall function 00928E54: _wcslen.LIBCMT ref: 00928E77

_wcslen.LIBCMT ref: 00948D4E
_wcslen.LIBCMT ref: 00948D9C
_wcslen.LIBCMT ref: 00948DDC
_wcslen.LIBCMT ref: 00948E6E

Strings

none, xrefs: 00948E65, 00948E6A
stdcall, xrefs: 00948DD6, 00948DDB
winapi, xrefs: 00948D96, 00948D9B
cdecl, xrefs: 00948D48, 00948D4D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d1a61011af12b11698ea0d1abaea7b5efc4fa0f58ee5285b7b9c278428569e74
Instruction ID: b21f34651c430546a3adce1f9231d55434d74a71bf36eb510267f872b5697b99
Opcode Fuzzy Hash: d1a61011af12b11698ea0d1abaea7b5efc4fa0f58ee5285b7b9c278428569e74
Instruction Fuzzy Hash: 7951AF31A001169BCB24EFACC940DBFB7A9FF64324B214629E826E72C4EB35DD40C791

Function 0094372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00943774
CoUninitialize.OLE32 ref: 0094377F
CoCreateInstance.OLE32(?,00000000,00000017,0095FB78,?), ref: 009437D9
IIDFromString.OLE32(?,?), ref: 0094384C
VariantInit.OLEAUT32(?), ref: 009438E4
VariantClear.OLEAUT32(?), ref: 00943936

Strings

NULL Pointer assignment, xrefs: 0094381E
Invalid parameter, xrefs: 00943865
Failed to create object, xrefs: 009437E4, 0094389A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 5d580c955283425fc0de946c3039b5c924f9a11b23bc5f493eedb2ac0b950712
Instruction ID: a2c5d753f58a8d32c8c9249613430e858fe5413eadfb70ee1680471356b75ac8
Opcode Fuzzy Hash: 5d580c955283425fc0de946c3039b5c924f9a11b23bc5f493eedb2ac0b950712
Instruction Fuzzy Hash: 28618EB0608311AFD310DF64C849F5ABBE8EF88715F108919F9959B391D770EE48CB92

Function 00933388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009333CF

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009333F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00933522
Incorrect parameters to object property !, xrefs: 009334AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00933504
Line %d (File "%s"):, xrefs: 00933443, 0093345C
Error: , xrefs: 009334D1
^ ERROR , xrefs: 0093349E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1625595c0adac11006562a051e8813931f9778b30b32c34eea6c5659f54634a1
Instruction ID: f9bbebd6a4ffab0a5bd648948b75a5210337fefedf2a5e129d9c891432ca3415
Opcode Fuzzy Hash: 1625595c0adac11006562a051e8813931f9778b30b32c34eea6c5659f54634a1
Instruction Fuzzy Hash: F2519F7190020AAADF14EBA4DD46EEEB778FF04344F108169F505B2162EB31AF58DF62

Function 0092B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0092B5FC
_wcslen.LIBCMT ref: 0092B608
_wcslen.LIBCMT ref: 0092B64D
_wcslen.LIBCMT ref: 0092B68C
_wcslen.LIBCMT ref: 0092B6C7

Strings

REMOVE, xrefs: 0092B602, 0092B607
KEYS, xrefs: 0092B647, 0092B64C
APPEND, xrefs: 0092B6C1, 0092B6C6
EXISTS, xrefs: 0092B686, 0092B68B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 423d0812853a81c4510554628a76e01fcea77e82e96e77e431afa2da27c7f220
Instruction ID: 7c78da5c0097d338fe8b7d44b91fc245fcf54fb3abd4f73c3d0f616034c734ec
Opcode Fuzzy Hash: 423d0812853a81c4510554628a76e01fcea77e82e96e77e431afa2da27c7f220
Instruction Fuzzy Hash: 1441E632A001379ACB206F7DD8905BE7BF9FF61768B244129E566DB288E735CD81C790

Function 00935393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00935416
GetLastError.KERNEL32 ref: 00935420
SetErrorMode.KERNEL32(00000000,READY), ref: 009354A7

Strings

UNKNOWN, xrefs: 00935444
READY, xrefs: 00935460, 00935468
INVALID, xrefs: 00935459
NOTREADY, xrefs: 0093544B
READONLY, xrefs: 00935452

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5f87e62e31321d9abb46839fc40fb2b31001ed56c34917f4ab3e46804a4b7f50
Instruction ID: 2069b2760ee822b73c57995605ae902fb4699d75b4c2149fc7318be3c37f4591
Opcode Fuzzy Hash: 5f87e62e31321d9abb46839fc40fb2b31001ed56c34917f4ab3e46804a4b7f50
Instruction Fuzzy Hash: 80318D75A006049FC714DF68C888FAABBB8FB49305F158069E805CF2A2D775DD86CF91

Function 00953C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00953C79
SetMenu.USER32(?,00000000), ref: 00953C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00953D10
IsMenu.USER32(?), ref: 00953D24
CreatePopupMenu.USER32 ref: 00953D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00953D5B
DrawMenuBar.USER32 ref: 00953D63

Strings

0, xrefs: 00953C54
F, xrefs: 00953D4E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ce0a83a5aa717f1892a82f7d4bf92e3f6c809bda6116b3d7803b09b9513984d4
Instruction ID: 7e60af8e49ae714715036e6fdc11d1f32b407774e8101387907a878ac8ff68f5
Opcode Fuzzy Hash: ce0a83a5aa717f1892a82f7d4bf92e3f6c809bda6116b3d7803b09b9513984d4
Instruction Fuzzy Hash: E541AD74A05309AFDB14CFA6D844B9A77B9FF49381F044029FD46973A0D730AA04DF90

Function 00921EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00921F64
GetDlgCtrlID.USER32 ref: 00921F6F
GetParent.USER32 ref: 00921F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00921F8E
GetDlgCtrlID.USER32(?), ref: 00921F97
GetParent.USER32(?), ref: 00921FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00921FAE

Strings

ComboBox, xrefs: 00921EEC
ListBox, xrefs: 00921F21

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 6ba57a96ab359281b214ce9f2b50dfdc1fa2eb7dd0d16ad139ba6ddbb409339a
Instruction ID: 8763800e4dad8615cefc34f2b556bcfa204da7770615223f2d52c05bf9894cc2
Opcode Fuzzy Hash: 6ba57a96ab359281b214ce9f2b50dfdc1fa2eb7dd0d16ad139ba6ddbb409339a
Instruction Fuzzy Hash: 1421D770900314BFCF04AFA4DC45EEEBBB8EF15310F004155F961A7295CB389A18DB60

Function 00921FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00922043
GetDlgCtrlID.USER32 ref: 0092204E
GetParent.USER32 ref: 0092206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0092206D
GetDlgCtrlID.USER32(?), ref: 00922076
GetParent.USER32(?), ref: 0092208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0092208D

Strings

ComboBox, xrefs: 00921FCD
ListBox, xrefs: 00922002

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 2b143e1bb6ed04854db7ef9162ff1fa5964ae40b29b9b58a42d5d2fd5906b6bc
Instruction ID: 79aef3a8d180345f361121895b72fd83b47f89215a4d7da1d5032e5e7144976c
Opcode Fuzzy Hash: 2b143e1bb6ed04854db7ef9162ff1fa5964ae40b29b9b58a42d5d2fd5906b6bc
Instruction Fuzzy Hash: 6021C2B1940214BFCF10AFA4DC45EEEBBB8EF15300F004455F991A72A5CA799A14DB60

Function 00953A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00953A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00953AA0
GetWindowLongW.USER32(?,000000F0), ref: 00953AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00953AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00953B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00953BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00953BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00953BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00953BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00953C13

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: dd3a35d965593a9c40031ec6806c9b7b42af84bad73bcc6af6366fc7561f6d48
Instruction ID: 66343550d2bbadf90d3ec1fa0c3e695de6482341aa26697407c6683efdb82e73
Opcode Fuzzy Hash: dd3a35d965593a9c40031ec6806c9b7b42af84bad73bcc6af6366fc7561f6d48
Instruction Fuzzy Hash: 96617975A00248AFDB11DFA9CC81FEE77B8EB49700F10419AFA15E72A1C774AE45DB50

Function 0092B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0092B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B165
GetWindowThreadProcessId.USER32(00000000), ref: 0092B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0092B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B21D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2a18a00500fab548827cc58b7bef703795e3ee4668892427e4d74798f478894c
Instruction ID: 28f7ee1573f4e74a5652975192ed9ac842c0b1a98747dfd09689bb7c2e9ae9c9
Opcode Fuzzy Hash: 2a18a00500fab548827cc58b7bef703795e3ee4668892427e4d74798f478894c
Instruction Fuzzy Hash: 683187B1528314FFDB109F29EC88BAE7BEDAB61312F10800AFA11D6191D7B49A40DF60

Function 008F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008F2C94

Part of subcall function 008F29C8: HeapFree.KERNEL32(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008F2CA0
_free.LIBCMT ref: 008F2CAB
_free.LIBCMT ref: 008F2CB6
_free.LIBCMT ref: 008F2CC1
_free.LIBCMT ref: 008F2CCC
_free.LIBCMT ref: 008F2CD7
_free.LIBCMT ref: 008F2CE2
_free.LIBCMT ref: 008F2CED
_free.LIBCMT ref: 008F2CFB

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9442ccd14ce70474ca56af9ca60478eb8a8dc83a1f8da7e74c627fb6f7f6fc96
Instruction ID: 3a3e44f414935ef1b9895ed34ae362305283183513d73614a6b7fdcc906ba943
Opcode Fuzzy Hash: 9442ccd14ce70474ca56af9ca60478eb8a8dc83a1f8da7e74c627fb6f7f6fc96
Instruction Fuzzy Hash: F311937624010DAFCB02EFA8D882DED3FA5FF05350F4144A5FA48DB222DA71EA509B91

Function 008C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008C1459
OleUninitialize.OLE32(?,00000000), ref: 008C14F8
UnregisterHotKey.USER32(?), ref: 008C16DD
DestroyWindow.USER32(?), ref: 009024B9
FreeLibrary.KERNEL32(?), ref: 0090251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0090254B

Strings

close all, xrefs: 008C1454

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 43a9bdaab206c9b8b2488ff83d3f1d6e0b6e6a810e067783a0f7a1e913dc6d8c
Instruction ID: 894c87463cc6fe2d0d0bd7dbaf9bd1c1f8676d142848ef6e3894fdcb1db6b89c
Opcode Fuzzy Hash: 43a9bdaab206c9b8b2488ff83d3f1d6e0b6e6a810e067783a0f7a1e913dc6d8c
Instruction Fuzzy Hash: 62D138716012128FCB29EF19C899F29F7A4FF05700F1442ADE54AAB292DB31ED12CF55

Function 00937DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00937FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00937FC1
GetFileAttributesW.KERNEL32(?), ref: 00937FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00938005
SetCurrentDirectoryW.KERNEL32(?), ref: 00938017
SetCurrentDirectoryW.KERNEL32(?), ref: 00938060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009380B0

Strings

*.*, xrefs: 00938066

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0701bf0e2817c3980f2ecf21d02d9d5c286265f1e7c883aefdc62d2febe7d14c
Instruction ID: 585abc294d3cd75900bfc641c1167431173026087fef5e9eb1ecabf6925d8ca5
Opcode Fuzzy Hash: 0701bf0e2817c3980f2ecf21d02d9d5c286265f1e7c883aefdc62d2febe7d14c
Instruction Fuzzy Hash: 92817EB15083459BCB34EB55C884AAAF3E8FB89314F144C6EF889D7260EB74DD458F52

Function 008C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 008C5C7A

Part of subcall function 008C5D0A: GetClientRect.USER32(?,?), ref: 008C5D30
Part of subcall function 008C5D0A: GetWindowRect.USER32(?,?), ref: 008C5D71
Part of subcall function 008C5D0A: ScreenToClient.USER32(?,?), ref: 008C5D99

GetDC.USER32 ref: 009046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00904708
SelectObject.GDI32(00000000,00000000), ref: 00904716
SelectObject.GDI32(00000000,00000000), ref: 0090472B
ReleaseDC.USER32(?,00000000), ref: 00904733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009047C4

Strings

U, xrefs: 00904693

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7a6f4ea3e21c2c7a9b96d3c5e2e7d07f8f3b389927614c617040eb1b75344da3
Instruction ID: a020b51fe412a4898c133627afbc92721d4a6ec10eeb578b028665f742b373e3
Opcode Fuzzy Hash: 7a6f4ea3e21c2c7a9b96d3c5e2e7d07f8f3b389927614c617040eb1b75344da3
Instruction Fuzzy Hash: 5B71E1B1400209DFCF218F64C984EBA3BBAFF4A355F14426AEE559A2A6D731DC81DF50

Function 0093359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009335E4

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

LoadStringW.USER32(00992390,?,00000FFF,?), ref: 0093360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00933742
"%s" (%d) : ==> %s:%s%s, xrefs: 00933724
Line %d (File "%s"):, xrefs: 0093366B
^ ERROR, xrefs: 009336C9
Error: , xrefs: 009336EF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 3b826503d50b406a5739e9e2d1dc7e37eda67a2722e10e580bfde9c92e7b7475
Instruction ID: 137626162e1ec255c4cf5da453e1b466236f38a368fdce054ef01b47ed4e4b04
Opcode Fuzzy Hash: 3b826503d50b406a5739e9e2d1dc7e37eda67a2722e10e580bfde9c92e7b7475
Instruction Fuzzy Hash: 16516D7194020AAADF14EBA4DC46FEEBB38FF44304F148169F105B21A1EB305B99DF62

Function 00958B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

Part of subcall function 008D912D: GetCursorPos.USER32(?), ref: 008D9141
Part of subcall function 008D912D: ScreenToClient.USER32(00000000,?), ref: 008D915E
Part of subcall function 008D912D: GetAsyncKeyState.USER32(00000001), ref: 008D9183
Part of subcall function 008D912D: GetAsyncKeyState.USER32(00000002), ref: 008D919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00958B6B
ImageList_EndDrag.COMCTL32 ref: 00958B71
ReleaseCapture.USER32 ref: 00958B77
SetWindowTextW.USER32(?,00000000), ref: 00958C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00958C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00958CFF

Strings

@GUI_DRAGFILE, xrefs: 00958C9A
@GUI_DROPID, xrefs: 00958C51

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 389f430a7dee2f22922e091681bb9db63f546de9cd290a6b6571370b0300154f
Instruction ID: f58ef873991b1d95273cce3f99a95cc9262a59661831f52d060dd691df358c23
Opcode Fuzzy Hash: 389f430a7dee2f22922e091681bb9db63f546de9cd290a6b6571370b0300154f
Instruction Fuzzy Hash: D951AF70108304AFD704DF29DC56FAA77E4FB88755F000A2DF996A72E1DB709948DB62

Function 0093C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0093C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0093C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0093C2CA
GetLastError.KERNEL32 ref: 0093C322
SetEvent.KERNEL32(?), ref: 0093C336
InternetCloseHandle.WININET(00000000), ref: 0093C341

Strings

, xrefs: 0093C2BB

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 10b7040e4d39ce718b7a28a097a7b2513a4225ba1307e590533b13b87d0dadfe
Instruction ID: a544ddf36d2b784590939368238dfa9c8ea3a724db296a40b5bffb0ef7c57acd
Opcode Fuzzy Hash: 10b7040e4d39ce718b7a28a097a7b2513a4225ba1307e590533b13b87d0dadfe
Instruction Fuzzy Hash: FB3169F1604B08AFD7219FA58C88AAB7BFCEB49744F14851EF446A2200DB34DD059F61

Function 0092989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00903AAF,?,?,Bad directive syntax error,0095CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009298BC
LoadStringW.USER32(00000000,?,00903AAF,?), ref: 009298C3

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00929987

Strings

Line %d:, xrefs: 00929912
Line %d (File "%s"):, xrefs: 0092992D
%s (%d) : ==> %s.: %s %s, xrefs: 009298F1
., xrefs: 0092996D
Error: , xrefs: 00929955

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 36ffa739bb6a423dee1a0ea19d30abc3d57d40b9d500f81a89a2c668ef68c0c1
Instruction ID: 2f8ec9e7ba58e593dd7cfea66e67282c1e83a80367bd32bcafecc856d1df73a1
Opcode Fuzzy Hash: 36ffa739bb6a423dee1a0ea19d30abc3d57d40b9d500f81a89a2c668ef68c0c1
Instruction Fuzzy Hash: A3218D3290431AAFCF15AFA4DC0AFEE7739FF18304F04446AF515A61A2EB319658DB11

Function 0092209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0092214D

Strings

list, xrefs: 0092212F
details, xrefs: 009220FB
SHELLDLL_DefView, xrefs: 009220CC
largeicons, xrefs: 009220E1
smallicons, xrefs: 00922115

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a81d04280056a8eb4781c2cd7b15c50bbdf8ac351945441528976ca2d3e32c3e
Instruction ID: cdcf7a7fffff4f7161ebef275cb18017985a3774cc7ef6204b2077c0c683eb8f
Opcode Fuzzy Hash: a81d04280056a8eb4781c2cd7b15c50bbdf8ac351945441528976ca2d3e32c3e
Instruction Fuzzy Hash: 0911367A68C327B9F6013325EC06CE6379CDF16328B200026FB04E40E6FE65A8255718

Function 008F8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6975f304ca9bc936f3a260e87b1e103f16295331e3eb2c1f60e8f47aa567deb
Instruction ID: 3d961ddb2a1d33a200d068e591410a68b35dd5826a161629d75eff5dc77ad541
Opcode Fuzzy Hash: c6975f304ca9bc936f3a260e87b1e103f16295331e3eb2c1f60e8f47aa567deb
Instruction Fuzzy Hash: FFC1BC75A0824DAFCB119FBDD841BBDBBB0FF9A310F144099EA54E7292CB319941CB61

Function 008FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 008FCEB7
_free.LIBCMT ref: 008FCF22
_free.LIBCMT ref: 008FCF48
_free.LIBCMT ref: 008FCF71
_free.LIBCMT ref: 008FCFA9
_free.LIBCMT ref: 008FCFDA
_free.LIBCMT ref: 008FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 008FD09C
_free.LIBCMT ref: 008FD0B5

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0fa28af8f729c76d4f5c1dacfe20ed30c6217863c1dae78033d9ab516a3654ca
Instruction ID: 33fc7418d781998c670750ecc28921bc930601fdae71aa87b89645a4b78a3ad4
Opcode Fuzzy Hash: 0fa28af8f729c76d4f5c1dacfe20ed30c6217863c1dae78033d9ab516a3654ca
Instruction Fuzzy Hash: 15615871A0430DAFDB21AFB89981A7ABBA5FF41310F14016EFB01D7282DB719E019761

Function 008D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00916890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00916901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0091691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0091692D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0312c35e0c6ab20a8bb037ce36e56df17972dd25fc1938641de4f3bfea1645fd
Instruction ID: 7f9327516059d9dc487982362988916c002d8c41decbf873c4c40324f7249eef
Opcode Fuzzy Hash: 0312c35e0c6ab20a8bb037ce36e56df17972dd25fc1938641de4f3bfea1645fd
Instruction Fuzzy Hash: 84518C70A10309EFDB24CF29CC51FAA7BB5FB44361F10461AF952D62A0DB70E990DB50

Function 0093C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0093C182
GetLastError.KERNEL32 ref: 0093C195
SetEvent.KERNEL32(?), ref: 0093C1A9

Part of subcall function 0093C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0093C272
Part of subcall function 0093C253: GetLastError.KERNEL32 ref: 0093C322
Part of subcall function 0093C253: SetEvent.KERNEL32(?), ref: 0093C336
Part of subcall function 0093C253: InternetCloseHandle.WININET(00000000), ref: 0093C341

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 072bc0a44d698b7a6683551b01a98b27205fd21068f0e33086a8ca7d7037f7f9
Instruction ID: 707275571bd85204e92ec83d2557410b637ce347524eb7e73a2ac0b551d53a13
Opcode Fuzzy Hash: 072bc0a44d698b7a6683551b01a98b27205fd21068f0e33086a8ca7d7037f7f9
Instruction Fuzzy Hash: FF317AB1204B05AFDB219FA6DC44A67BBECFF58311F00441DF96AA6610D730E814EFA0

Function 009225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00923A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00923A57
Part of subcall function 00923A3D: GetCurrentThreadId.KERNEL32 ref: 00923A5E
Part of subcall function 00923A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009225B3), ref: 00923A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00922601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00922605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0092260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00922623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00922627

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 9e2a511cdb2cfbc042a4858023131243aa42085f36629bbea16dd3a40a806344
Instruction ID: c8ad310e057d9151277e741b05019b91230c9807098baf02b5c361c5b0796f89
Opcode Fuzzy Hash: 9e2a511cdb2cfbc042a4858023131243aa42085f36629bbea16dd3a40a806344
Instruction Fuzzy Hash: 2F01D4713A8720BBFB1067699C8AF593F99DB8EB12F100012F318AE1D5C9E224449A69

Function 00921803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00921449,?,?,00000000), ref: 0092180C
HeapAlloc.KERNEL32(00000000,?,00921449,?,?,00000000), ref: 00921813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00921449,?,?,00000000), ref: 00921828
GetCurrentProcess.KERNEL32(?,00000000,?,00921449,?,?,00000000), ref: 00921830
DuplicateHandle.KERNEL32(00000000,?,00921449,?,?,00000000), ref: 00921833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00921449,?,?,00000000), ref: 00921843
GetCurrentProcess.KERNEL32(00921449,00000000,?,00921449,?,?,00000000), ref: 0092184B
DuplicateHandle.KERNEL32(00000000,?,00921449,?,?,00000000), ref: 0092184E
CreateThread.KERNEL32(00000000,00000000,00921874,00000000,00000000,00000000), ref: 00921868

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3bcf7c423884c2f4a80345a836ed1bce9ae0812ec2fd0b4ab519ae710cf99e8b
Instruction ID: e7413ebd22750ebf7f1c569e697968e13808d296c4eadec24126907055c1f403
Opcode Fuzzy Hash: 3bcf7c423884c2f4a80345a836ed1bce9ae0812ec2fd0b4ab519ae710cf99e8b
Instruction Fuzzy Hash: A001BBB5654708BFE710ABB6EC4DF6B3BACEB89B11F004411FA05DB1A1CA709840DB20

Function 0094A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0092D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0092D501
Part of subcall function 0092D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0092D50F
Part of subcall function 0092D4DC: CloseHandle.KERNEL32(00000000), ref: 0092D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0094A16D
GetLastError.KERNEL32 ref: 0094A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0094A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0094A268
GetLastError.KERNEL32(00000000), ref: 0094A273
CloseHandle.KERNEL32(00000000), ref: 0094A2C4

Strings

SeDebugPrivilege, xrefs: 0094A18F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 892b7c6f3ddbdeab1424d6b4820426d3ce1d6aff5032a89d79b89fab0701f452
Instruction ID: 391c5a023438660c747f6b646d65bd4f7fc40afc44f156c2c03a7e3a030b62ee
Opcode Fuzzy Hash: 892b7c6f3ddbdeab1424d6b4820426d3ce1d6aff5032a89d79b89fab0701f452
Instruction Fuzzy Hash: DD61BF702482429FD720DF19C494F1ABBE5EF44318F14849CE4668B7A3C7B6EC45DB92

Function 00953886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00953925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0095393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00953954
_wcslen.LIBCMT ref: 00953999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009539F4

Strings

SysListView32, xrefs: 009538F7

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 30afb7017f10d8f4fba4d178bc3ea26ed8bc032f536f32793cd8ececf6d2a790
Instruction ID: e72b1fb5fc0346c53926b8c868366d9ec7bbb3736f3f2294f1ef175d1da97a58
Opcode Fuzzy Hash: 30afb7017f10d8f4fba4d178bc3ea26ed8bc032f536f32793cd8ececf6d2a790
Instruction Fuzzy Hash: 5441F271A00309ABEF21DF65CC45BEA7BA9FF08391F104526F948E7281D370DA84CB90

Function 0092BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0092BCFD
IsMenu.USER32(00000000), ref: 0092BD1D
CreatePopupMenu.USER32 ref: 0092BD53
GetMenuItemCount.USER32(01245280), ref: 0092BDA4
InsertMenuItemW.USER32(01245280,?,00000001,00000030), ref: 0092BDCC

Strings

0, xrefs: 0092BCA8
2, xrefs: 0092BD37

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: b9969334eeead814a612981f3b226612cbcd255e2be9c161a2de2d64b78da4f2
Instruction ID: 90ac225e7afb40871f0a8dbc7f8c2a126e7c73d8e19ccceec36c630e43f6ee35
Opcode Fuzzy Hash: b9969334eeead814a612981f3b226612cbcd255e2be9c161a2de2d64b78da4f2
Instruction Fuzzy Hash: 9651DDB0A043259BDB10CFA9E888BEEBBF8BF85314F148519E551D72D8E7709941CBA1

Function 0092C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0092C913

Strings

blank, xrefs: 0092C895
question, xrefs: 0092C8CC
warning, xrefs: 0092C8FC
info, xrefs: 0092C8B4
stop, xrefs: 0092C8E4

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d9c39ce80f11296d47c1c7eb7446ff18fc2d190ab8f1cd9646a18fd33032d0e7
Instruction ID: 98da9df92e1138c46edcdd827225f13efa2572955c53853e2d9abc4c8d1bac8d
Opcode Fuzzy Hash: d9c39ce80f11296d47c1c7eb7446ff18fc2d190ab8f1cd9646a18fd33032d0e7
Instruction Fuzzy Hash: C2115075689326BEE7006B55FC83CAE379CDF16329B10003AF504EA2C2D7B45E4053A9

Function 0092DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0092DE42
gethostname.WSOCK32(?,00000100), ref: 0092DE5C
gethostbyname.WSOCK32(?), ref: 0092DE69
inet_ntoa.WSOCK32(?), ref: 0092DEAB
_strcat.LIBCMT ref: 0092DEB9
WSACleanup.WSOCK32 ref: 0092DEDE

Strings

0.0.0.0, xrefs: 0092DE87

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 769a224823965881a17e83a358f7e769f25ef029da27cfa0b805029c5e083f02
Instruction ID: 226b441e47765e4aea91b58cbcc1010d83adcff380602823ba6c6d0d505889e1
Opcode Fuzzy Hash: 769a224823965881a17e83a358f7e769f25ef029da27cfa0b805029c5e083f02
Instruction Fuzzy Hash: 861159B1804324AFDB20BB25EC0AEEE37ACEF15311F010169F545EA096EF708A809B61

Function 00959F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

GetSystemMetrics.USER32(0000000F), ref: 00959FC7
GetSystemMetrics.USER32(0000000F), ref: 00959FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0095A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0095A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0095A263
ShowWindow.USER32(00000003,00000000), ref: 0095A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0095A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0095A2CA

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 7c3ca1cdd446b2249327865a45e55d70cbd23c94befbf16d20a6db820c40cebb
Instruction ID: 830b7fbf580242a7212655419d549169c43902ab8057256c2d32f412839a0ac8
Opcode Fuzzy Hash: 7c3ca1cdd446b2249327865a45e55d70cbd23c94befbf16d20a6db820c40cebb
Instruction Fuzzy Hash: 66B1EC3060421ADFDF14CF6AC9857AE3BF2FF48312F088169EC959B295D731A944CB65

Function 0092ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0092ED2A
_wcslen.LIBCMT ref: 0092ED3B
_wcslen.LIBCMT ref: 0092ED79
_wcslen.LIBCMT ref: 0092EDAF
_wcslen.LIBCMT ref: 0092EDDF
_wcslen.LIBCMT ref: 0092EDEF
_wcslen.LIBCMT ref: 0092EE2B
_wcslen.LIBCMT ref: 0092EE5A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 3d36934d70a1a90d4f1107d2c71de45a85619464e782c498e1ebe70a3877f71a
Instruction ID: a8aec179e9046954c4a4e7d1ca932960ce513719838464756bb68e4cc01516b8
Opcode Fuzzy Hash: 3d36934d70a1a90d4f1107d2c71de45a85619464e782c498e1ebe70a3877f71a
Instruction Fuzzy Hash: CE418065C1026875CB11EBB9988A9CFB7A8FF46710F508462F618F3122FB34E255C7E6

Function 008DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0091682C,00000004,00000000,00000000), ref: 008DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0091682C,00000004,00000000,00000000), ref: 0091F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0091682C,00000004,00000000,00000000), ref: 0091F454

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 865776342da0135aa6ead54e432ee37d05429bf0319fea5819b6e69d65a7470a
Instruction ID: 5b3b315c3f3b541ba6e6d7547699b4cc5bf41f659ab81d58347ae6f98c24f848
Opcode Fuzzy Hash: 865776342da0135aa6ead54e432ee37d05429bf0319fea5819b6e69d65a7470a
Instruction Fuzzy Hash: CE413B70A18788BEC7398B2D88B876A7F91FB46324F14463EE247D6762C63198C1F711

Function 00952D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00952D1B
GetDC.USER32(00000000), ref: 00952D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00952D2E
ReleaseDC.USER32(00000000,00000000), ref: 00952D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00952D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00952D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00955A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00952DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00952DE1

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0ad5a461b26bd2024e1c9adcee824acf47698425478ace46b8dc90428a16d48e
Instruction ID: 8dffad452650450856a82845283354a534e1812682a2a27874a249c496861d0b
Opcode Fuzzy Hash: 0ad5a461b26bd2024e1c9adcee824acf47698425478ace46b8dc90428a16d48e
Instruction Fuzzy Hash: C0316BB2215314BFEF118F518C8AFEB3BADEB0A716F044055FE089A291C6759C50CBA4

Function 00925622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00925637
_memcmp.LIBVCRUNTIME ref: 00925659
_memcmp.LIBVCRUNTIME ref: 00925671
_memcmp.LIBVCRUNTIME ref: 00925684
_memcmp.LIBVCRUNTIME ref: 0092569E
_memcmp.LIBVCRUNTIME ref: 009256B1
_memcmp.LIBVCRUNTIME ref: 009256C9
_memcmp.LIBVCRUNTIME ref: 009256E4

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c4e7e7429b69b7c307dccb818abfa6e22af53e8b2252b924c7698deb6dd96fc3
Instruction ID: 9d5cf7770066d4569d7dd376894a456cb81ff84df9fbd972e74313b8c7c6b2ff
Opcode Fuzzy Hash: c4e7e7429b69b7c307dccb818abfa6e22af53e8b2252b924c7698deb6dd96fc3
Instruction Fuzzy Hash: 29214971A41A6877DA14D522AE92FFB334CFF61399F450030FD04DA689F738ED1482A6

Function 00944FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0094502E, 00945383
Not an Object type, xrefs: 00945007

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 433ecd38605def099e902f60c02ce9bf8c1884df81d0c6e9955d7c3ad471cd6e
Instruction ID: c282e810a96198260d3c8a81ac721b2c12230f03aae04b79c3730598532fffad
Opcode Fuzzy Hash: 433ecd38605def099e902f60c02ce9bf8c1884df81d0c6e9955d7c3ad471cd6e
Instruction Fuzzy Hash: A0D1C275A0070AAFDF10CF98C881FAEB7B9BF48344F158569E915AB282E770DD45CB50

Function 00901522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009015CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00901651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009017FB,?,009017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009016E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009016FB

Part of subcall function 008F3820: RtlAllocateHeap.NTDLL(00000000,?,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6,?,008C1129), ref: 008F3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00901777
__freea.LIBCMT ref: 009017A2
__freea.LIBCMT ref: 009017AE

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: cbf7912b19a15d0f9a1be74ee2c4b28180c4e1ce7a65aa01e54554ffa59d3318
Instruction ID: 7fbf98720a0d46016b9151f06113df98e5c8bcb2368a0ed47a973dfb07467253
Opcode Fuzzy Hash: cbf7912b19a15d0f9a1be74ee2c4b28180c4e1ce7a65aa01e54554ffa59d3318
Instruction Fuzzy Hash: 52918272E102169EDB208EB4CC85AEE7BB9EF89710F184659F905EB1D1DB35DD80CB60

Function 00944523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00944648
VariantInit.OLEAUT32(?), ref: 00944749
VariantClear.OLEAUT32(?), ref: 00944753
VariantClear.OLEAUT32(?), ref: 009447B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0094472C
Null Object assignment in FOR..IN loop, xrefs: 009445D8, 00944706, 009447BE

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: ca1da332f4e1ee3ba753e9591065c1bc6f3964add0fc48d4ef9f52d60d81cb15
Instruction ID: 2108c1b6c8ccdd987a11e5c45990e4b7b7d565c2c6f3a37cfc4e6f237f6cd7c3
Opcode Fuzzy Hash: ca1da332f4e1ee3ba753e9591065c1bc6f3964add0fc48d4ef9f52d60d81cb15
Instruction Fuzzy Hash: 2F917E71A00219AFDF20CFA5C888FAEBBB8FF46714F108559F515AB281D7749945CFA0

Function 00931187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0093125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00931284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0093135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00931430

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 67793a268940633b932743aef98630d5a874f483a892f953024e33775493ba6e
Instruction ID: 9fb80843a60f3fd3581822e0148e523cf8301675c87e2dad13834f3b39007650
Opcode Fuzzy Hash: 67793a268940633b932743aef98630d5a874f483a892f953024e33775493ba6e
Instruction Fuzzy Hash: 5991E171A00209AFDB00DFA8C884BBEB7B9FF45325F104429E951EB2B1D778A941CF91

Function 008D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8db83b3e3fe81bbfed9a8a7f974a4b0a37f4862cdfa11eeedaa0993eb16a47cf
Instruction ID: ca291a3196703a154cee0614d73f2f86c900c0c9e21e94fd7c1b48723bb5f74f
Opcode Fuzzy Hash: 8db83b3e3fe81bbfed9a8a7f974a4b0a37f4862cdfa11eeedaa0993eb16a47cf
Instruction Fuzzy Hash: 7A913671E0421AEFCB10CFA9DC84AEEBBB9FF48320F148556E555B7251D374AA42CB60

Function 00943947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0094396B
CharUpperBuffW.USER32(?,?), ref: 00943A7A
_wcslen.LIBCMT ref: 00943A8A
VariantClear.OLEAUT32(?), ref: 00943C1F

Part of subcall function 00930CDF: VariantInit.OLEAUT32(00000000), ref: 00930D1F
Part of subcall function 00930CDF: VariantCopy.OLEAUT32(?,?), ref: 00930D28
Part of subcall function 00930CDF: VariantClear.OLEAUT32(?), ref: 00930D34

Strings

Incorrect Parameter format, xrefs: 009439A6, 00943BA1
AUTOIT.ERROR, xrefs: 00943A80, 00943A85

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a63ec9dabefe3726980cad40cbec2126f4e078a3e9f35727d7aff5b96b8f5778
Instruction ID: 28c216d2762696c9cbe74b9db10fa469d4b803091d13caf312cf73013437a808
Opcode Fuzzy Hash: a63ec9dabefe3726980cad40cbec2126f4e078a3e9f35727d7aff5b96b8f5778
Instruction Fuzzy Hash: 419125756083059FC704EF68C481A6AB7E9FF88314F14896DF88A9B351DB31EE45CB92

Function 00944BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0092000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?,?,0092035E), ref: 0092002B
Part of subcall function 0092000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?), ref: 00920046
Part of subcall function 0092000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?), ref: 00920054
Part of subcall function 0092000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?), ref: 00920064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00944C51
_wcslen.LIBCMT ref: 00944D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00944DCF
CoTaskMemFree.OLE32(?), ref: 00944DDA

Strings

NULL Pointer assignment, xrefs: 00944E23, 00944E52

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c852be7306d968324a4b47470aca08c51d6f9d2bc814bd9068c4a00d6b53169f
Instruction ID: 0f67e82ee4a9b9f84afe9c6acc875d60d79ef7c11039f44fab215271664d0b99
Opcode Fuzzy Hash: c852be7306d968324a4b47470aca08c51d6f9d2bc814bd9068c4a00d6b53169f
Instruction Fuzzy Hash: B7912571D0021DAFDF14DFA4D891EEEB7B8FF48304F108569E919A7291EB349A448FA1

Function 009520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00952183
GetMenuItemCount.USER32(00000000), ref: 009521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009521DD
_wcslen.LIBCMT ref: 00952213
GetMenuItemID.USER32(?,?), ref: 0095224D
GetSubMenu.USER32(?,?), ref: 0095225B

Part of subcall function 00923A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00923A57
Part of subcall function 00923A3D: GetCurrentThreadId.KERNEL32 ref: 00923A5E
Part of subcall function 00923A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009225B3), ref: 00923A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009522E3

Part of subcall function 0092E97B: Sleep.KERNELBASE ref: 0092E9F3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 4cc8d330b71312506da6536ac30bc49b00a2579b5e098643e8d34ae0c98e9377
Instruction ID: 35aa8cc986b91dca098e947b891b1bcdb445e4bd298113c8cc24d46eccb0a233
Opcode Fuzzy Hash: 4cc8d330b71312506da6536ac30bc49b00a2579b5e098643e8d34ae0c98e9377
Instruction Fuzzy Hash: CB71AF75A04205AFCB14DF6AC881AAEB7F5FF89311F148459E826EB351DB34EE418F90

Function 00957E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012450C8), ref: 00957F37
IsWindowEnabled.USER32(012450C8), ref: 00957F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0095801E
SendMessageW.USER32(012450C8,000000B0,?,?), ref: 00958051
IsDlgButtonChecked.USER32(?,?), ref: 00958089
GetWindowLongW.USER32(012450C8,000000EC), ref: 009580AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009580C3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4a76fa83d77c828c902a50e3c41c6c2af1881fa5de44da8fcb23be6a9777f7ba
Instruction ID: dc17d45ec0d49e58600322226ebbde1aab88b18dcba9503c5e0360af2a0c043e
Opcode Fuzzy Hash: 4a76fa83d77c828c902a50e3c41c6c2af1881fa5de44da8fcb23be6a9777f7ba
Instruction Fuzzy Hash: 18719374508205AFEF21DFA6DC84FEABBB9FF09302F144459ED45572A1CB31AA49DB10

Function 0092AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0092AEF9
GetKeyboardState.USER32(?), ref: 0092AF0E
SetKeyboardState.USER32(?), ref: 0092AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0092AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0092AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0092AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0092B020

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0f996cbd233ba5b91e5deecfa00652533689a98ee36a7b6cc57acc0bf7240914
Instruction ID: 2677808971f5381235438c269d9ec4ce545d20842e9fafc0a7dc460426f1d9b9
Opcode Fuzzy Hash: 0f996cbd233ba5b91e5deecfa00652533689a98ee36a7b6cc57acc0bf7240914
Instruction Fuzzy Hash: CA51E2A16447E53EFB378234AD45BBABFED5B06304F088489E1E9958C6C3D8ACC8D751

Function 0092ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0092AD19
GetKeyboardState.USER32(?), ref: 0092AD2E
SetKeyboardState.USER32(?), ref: 0092AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0092ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0092ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0092AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0092AE38

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2faa121096fc0cfa60daf2fb42dc6cdcc7536db789950e2ad04deadc5f512c24
Instruction ID: b9419148002ea8d80bfdf642380059193d2a2474e06d235d76265296c7d295a5
Opcode Fuzzy Hash: 2faa121096fc0cfa60daf2fb42dc6cdcc7536db789950e2ad04deadc5f512c24
Instruction Fuzzy Hash: 2051D5A25087E53EFB3683349C55B7ABEEC5B46300F088488E1D5568C7D294EC89E752

Function 008F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00903CD6,?,?,?,?,?,?,?,?,008F5BA3,?,?,00903CD6,?,?), ref: 008F5470
__fassign.LIBCMT ref: 008F54EB
__fassign.LIBCMT ref: 008F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00903CD6,00000005,00000000,00000000), ref: 008F552C
WriteFile.KERNEL32(?,00903CD6,00000000,008F5BA3,00000000,?,?,?,?,?,?,?,?,?,008F5BA3,?), ref: 008F554B
WriteFile.KERNEL32(?,?,00000001,008F5BA3,00000000,?,?,?,?,?,?,?,?,?,008F5BA3,?), ref: 008F5584

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 079569b0d3d2c817d375fa0820fb6d150bfc1bd2c8f3e1754f2ff197d0a0ced4
Instruction ID: 81a53790de69961a785c49ce144853bacb8f019ff45470e55d29fe7133a7c6d5
Opcode Fuzzy Hash: 079569b0d3d2c817d375fa0820fb6d150bfc1bd2c8f3e1754f2ff197d0a0ced4
Instruction Fuzzy Hash: 7B519EB1A0464DAFDB10CFB8D895AEEBBF9FF09300F14411AEA55E7291D7309A41CB60

Function 008E2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 008E2D53
_ValidateLocalCookies.LIBCMT ref: 008E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 008E2E0C
_ValidateLocalCookies.LIBCMT ref: 008E2E61

Strings

csm, xrefs: 008E2DF6

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e4bf0e168b48d6d814c790e427479e78ca97b3a3e0a9274f66200ecb29774e3e
Instruction ID: 97a66cb9030e1753b801a9d32ae8962690e97d2596c74e100ae0f7b302799e3a
Opcode Fuzzy Hash: e4bf0e168b48d6d814c790e427479e78ca97b3a3e0a9274f66200ecb29774e3e
Instruction Fuzzy Hash: BF41B334A0025DABCF10DF6ACC45A9EBBA8FF46314F148155E914EB392D7719E01CB91

Function 009410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0094304E: inet_addr.WSOCK32(?), ref: 0094307A
Part of subcall function 0094304E: _wcslen.LIBCMT ref: 0094309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00941112
WSAGetLastError.WSOCK32 ref: 00941121
WSAGetLastError.WSOCK32 ref: 009411C9
closesocket.WSOCK32(00000000), ref: 009411F9

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 2ab1416546bc91c3aa17fc435a195d5d830cdc4bfc0458d0270b39eb1854841b
Instruction ID: 88828b5ea9c5a01337ac2f0d8da5e6e00dba8ef705e7a9c89118e3b78eb92fe4
Opcode Fuzzy Hash: 2ab1416546bc91c3aa17fc435a195d5d830cdc4bfc0458d0270b39eb1854841b
Instruction Fuzzy Hash: 07410271604204AFDB109F28C884FAABBE9FF49324F148059FE099B291D774ED81CBE1

Function 0092CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0092DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0092CF22,?), ref: 0092DDFD

Part of subcall function 0092DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0092CF22,?), ref: 0092DE16

lstrcmpiW.KERNEL32(?,?), ref: 0092CF45
MoveFileW.KERNEL32(?,?), ref: 0092CF7F
_wcslen.LIBCMT ref: 0092D005
_wcslen.LIBCMT ref: 0092D01B
SHFileOperationW.SHELL32(?), ref: 0092D061

Strings

\*.*, xrefs: 0092CFF3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 9f4fc86531f2d4e94821aa1fa6673771144f9676d2077150bd24e269791d25d6
Instruction ID: 67e12424604764b3055bc97aaa4c21bc6164687d68f70d7cb2920043e1aafe9a
Opcode Fuzzy Hash: 9f4fc86531f2d4e94821aa1fa6673771144f9676d2077150bd24e269791d25d6
Instruction Fuzzy Hash: 724155B19452285FDF12EBA4DA81BDDB7BCAF48380F1000E6E545EB156EA34A644CB50

Function 00952DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00952E1C
GetWindowLongW.USER32(?,000000F0), ref: 00952E4F
GetWindowLongW.USER32(?,000000F0), ref: 00952E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00952EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00952EE0
GetWindowLongW.USER32(?,000000F0), ref: 00952EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00952F0B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d6efec62f12c5fc74a207bd98385240b97a776eb10f8d5fd7db1b0c906e46564
Instruction ID: 7670652c9dee1467dbe4550410bf8dda961ac20927fa9abdb9195cb5bd70c926
Opcode Fuzzy Hash: d6efec62f12c5fc74a207bd98385240b97a776eb10f8d5fd7db1b0c906e46564
Instruction Fuzzy Hash: 82313530619241AFDB21CF5AEC86F6937E8FB8A712F140165F9008F2B1CB71AC48EB00

Function 00927726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00927769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0092778F
SysAllocString.OLEAUT32(00000000), ref: 00927792
SysAllocString.OLEAUT32(?), ref: 009277B0
SysFreeString.OLEAUT32(?), ref: 009277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009277DE
SysAllocString.OLEAUT32(?), ref: 009277EC

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2bea6d671d71f4c578c11f6232f47cf5685d49456676d4b99f9c5604c98ebc78
Instruction ID: bf2fadd60d5aa8de766f84b57a63d982107e8196e4623ce203b50657b1e6fba3
Opcode Fuzzy Hash: 2bea6d671d71f4c578c11f6232f47cf5685d49456676d4b99f9c5604c98ebc78
Instruction Fuzzy Hash: EA21B076608329AFDB10DFA9EC88CBBB3ACFB093647008525FA05EB265D670DC419760

Function 009277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00927842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00927868
SysAllocString.OLEAUT32(00000000), ref: 0092786B
SysAllocString.OLEAUT32 ref: 0092788C
SysFreeString.OLEAUT32 ref: 00927895
StringFromGUID2.OLE32(?,?,00000028), ref: 009278AF
SysAllocString.OLEAUT32(?), ref: 009278BD

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8dd7aac683010084dab38321434330eae5e9efa07715078e1c2566d3c9c9ff79
Instruction ID: 7046cc80060f95d699f892b2dd272f91256c750fa436843a27933224b057d9ec
Opcode Fuzzy Hash: 8dd7aac683010084dab38321434330eae5e9efa07715078e1c2566d3c9c9ff79
Instruction Fuzzy Hash: CA21A171608224BFDB109FE9ECC8DBAB7ECEB083607108125FA15DB2A5E674DC41DB64

Function 009304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0093052E

Strings

nul, xrefs: 00930567

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d76e97c1bfd46af9b7d612e7134c56bcebde715dd5f1d8d6bd50317d765db781
Instruction ID: 92a2c19f6868f32005c148ea8ef9c2520db119e01ed1134f69de004b47c48860
Opcode Fuzzy Hash: d76e97c1bfd46af9b7d612e7134c56bcebde715dd5f1d8d6bd50317d765db781
Instruction Fuzzy Hash: EE217CB5500305AFDF209F2ADC54A9A7BB8BF84724F204A19F8A1D72E0E770D940DF20

Function 009305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00930601

Strings

nul, xrefs: 00930639

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d73a6ea3ae14b3ef7ede40cd0911af5da1802e5965d2c7bfd4fa9989902856ab
Instruction ID: 42e6fe043e5f3efb2e2f70c5358d2363859670497086a8339b53b29f084c9548
Opcode Fuzzy Hash: d73a6ea3ae14b3ef7ede40cd0911af5da1802e5965d2c7bfd4fa9989902856ab
Instruction Fuzzy Hash: C1217F755003059FDB209F699C15A9A77A8AFD5B28F200B19F8A1E72E4D7709860CF10

Function 009540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008C604C
Part of subcall function 008C600E: GetStockObject.GDI32(00000011), ref: 008C6060
Part of subcall function 008C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00954112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0095411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0095412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00954139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00954145

Strings

Msctls_Progress32, xrefs: 009540E3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 519bb201de920c18fae5ddfcfdab23e5f1c1391f1116a078272099fe960932b7
Instruction ID: 2ab76ba5c885e14ec53c3c864ff4ee13a6e60b63b56871266efb786daca49240
Opcode Fuzzy Hash: 519bb201de920c18fae5ddfcfdab23e5f1c1391f1116a078272099fe960932b7
Instruction Fuzzy Hash: F411B2B215021ABEEF119F65CC85EE77FADEF18798F104111BA18A2190C672DC61DBA4

Function 008FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008FD7A3: _free.LIBCMT ref: 008FD7CC

_free.LIBCMT ref: 008FD82D

Part of subcall function 008F29C8: HeapFree.KERNEL32(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008FD838
_free.LIBCMT ref: 008FD843
_free.LIBCMT ref: 008FD897
_free.LIBCMT ref: 008FD8A2
_free.LIBCMT ref: 008FD8AD
_free.LIBCMT ref: 008FD8B8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: d2dbc47453b7ae324273155cb7684e4f08ea1dde12822907ec5547c1b39b97c4
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: A8112E71680B0CAAD621BFB4CC47FEB7BDDFF04700F404825B399EA4A2DA65B5058662

Function 0092DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0092DA74
LoadStringW.USER32(00000000), ref: 0092DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0092DA91
LoadStringW.USER32(00000000), ref: 0092DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0092DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0092DAB9

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ae703ef5630cb3954123d00e9679c963d5dd911464d8edfdd8213bfde8d6ed72
Instruction ID: a97a048633cdb9b14a0771e2da4ba54bc3132ad762448343094911f1e49d1701
Opcode Fuzzy Hash: ae703ef5630cb3954123d00e9679c963d5dd911464d8edfdd8213bfde8d6ed72
Instruction Fuzzy Hash: 040186F25043187FE710EBA1DD89EEB336CE708306F404891B746E2041EA749E848F74

Function 0093096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0123E3A0,0123E3A0), ref: 0093097B
EnterCriticalSection.KERNEL32(0123E380,00000000), ref: 0093098D
TerminateThread.KERNEL32(?,000001F6), ref: 0093099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 009309A9
CloseHandle.KERNEL32(?), ref: 009309B8
InterlockedExchange.KERNEL32(0123E3A0,000001F6), ref: 009309C8
LeaveCriticalSection.KERNEL32(0123E380), ref: 009309CF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 197a6ea8e4015482d5f87e5b947863249121d17066589241a27da5a695f282bc
Instruction ID: aaeec6888a63ee808a808c2c08bd6cfc9687dc376e8cde308d4d1e6c5f11ceb1
Opcode Fuzzy Hash: 197a6ea8e4015482d5f87e5b947863249121d17066589241a27da5a695f282bc
Instruction Fuzzy Hash: AEF0197245AB02AFD7415BA5EE88BDABA29FF41702F402025F202908A0CB7494A5DF90

Function 00941C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00941DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00941DE1
WSAGetLastError.WSOCK32 ref: 00941DF2
htons.WSOCK32(?), ref: 00941EDB
inet_ntoa.WSOCK32(?), ref: 00941E8C

Part of subcall function 009239E8: _strlen.LIBCMT ref: 009239F2

Part of subcall function 00943224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0093EC0C), ref: 00943240

_strlen.LIBCMT ref: 00941F35

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9ae0ad0d9a9bc0a15aaeef7e4490babebd6a1c1111050c7dbcdb6a56ce7ab513
Instruction ID: de2c432db361b7edfc35fbb043c1e19e3a345b219b18fd1900557ef84d4ce016
Opcode Fuzzy Hash: 9ae0ad0d9a9bc0a15aaeef7e4490babebd6a1c1111050c7dbcdb6a56ce7ab513
Instruction Fuzzy Hash: 99B1A171604340AFC324DF24C885F2A7BA9EF84318F54895CF4569B2E2DB71ED86CB92

Function 008C5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 008C5D30
GetWindowRect.USER32(?,?), ref: 008C5D71
ScreenToClient.USER32(?,?), ref: 008C5D99
GetClientRect.USER32(?,?), ref: 008C5ED7
GetWindowRect.USER32(?,?), ref: 008C5EF8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 1a797a37bdc4461ecb51e9082b1a7064d9a8560baf2d41baf711d24d9ff3756d
Instruction ID: f950a9fa127b7c42b6d1b4d0d5e5b728bd17e885650a72b6753926fe60f40e07
Opcode Fuzzy Hash: 1a797a37bdc4461ecb51e9082b1a7064d9a8560baf2d41baf711d24d9ff3756d
Instruction Fuzzy Hash: 11B14675A0074ADFDB14CFA9C480BEAB7B5FF48310F14841AE9A9D7290DB30EA91DB50

Function 008F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F00D6
__allrem.LIBCMT ref: 008F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F010B
__allrem.LIBCMT ref: 008F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F0140

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: e91f8bfcc515e17792653a7bbe998432b8b34aa36f4a48a961cceff4ff971278
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: EF81B472A00B0A9FE724AB79CC41B7A73E9FF91724F24452AF651D6282EF70D9408B51

Function 008F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008E82D9,008E82D9,?,?,?,008F644F,00000001,00000001,8BE85006), ref: 008F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008F644F,00000001,00000001,8BE85006,?,?,?), ref: 008F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008F63D8
__freea.LIBCMT ref: 008F63E5

Part of subcall function 008F3820: RtlAllocateHeap.NTDLL(00000000,?,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6,?,008C1129), ref: 008F3852

__freea.LIBCMT ref: 008F63EE
__freea.LIBCMT ref: 008F6413

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cf8ff5e412ef17b3f494fc1f12c722ccc43f9bde1b2836b286f0ee58f81d5840
Instruction ID: 6384d39c8bd37b9a10f387c6fd804dcc32ed2ee8ab7df3f7e764fc7ad391eec6
Opcode Fuzzy Hash: cf8ff5e412ef17b3f494fc1f12c722ccc43f9bde1b2836b286f0ee58f81d5840
Instruction Fuzzy Hash: 9951EE72A0021AABEB258F74CC81EBF77AAFB54750F154329FA05D6240EB34DC64D6A1

Function 0094BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 0094C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0094B6AE,?,?), ref: 0094C9B5
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094C9F1
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA68
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0094BD25
RegCloseKey.ADVAPI32(00000000), ref: 0094BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0094BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0094BDF3
RegCloseKey.ADVAPI32(?), ref: 0094BDFF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: b9ab5f51f0957b0ef58fb50d5588d8cf07bc7239d413a22b2c2f0470f87b04c2
Instruction ID: 18118ba3b5c29b7c10f78067c40333e78d128bd080b031c1ab03fe85cf9a0096
Opcode Fuzzy Hash: b9ab5f51f0957b0ef58fb50d5588d8cf07bc7239d413a22b2c2f0470f87b04c2
Instruction Fuzzy Hash: C6817E70508241AFD714DF24C895E2ABBF9FF84308F14899CF5998B2A2DB31ED45CB92

Function 0091F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0091F7B9
SysAllocString.OLEAUT32(00000001), ref: 0091F860
VariantCopy.OLEAUT32(0091FA64,00000000), ref: 0091F889
VariantClear.OLEAUT32(0091FA64), ref: 0091F8AD
VariantCopy.OLEAUT32(0091FA64,00000000), ref: 0091F8B1
VariantClear.OLEAUT32(?), ref: 0091F8BB

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e2af1ce45db78be5681e6b2bba3ffc3459be309dc4f6a18d7814c7ba11c2c203
Instruction ID: eab3a8e4e8dff0e5a4b5883dc3eee44475527d7d862d32f3a245246ca8ddd0d7
Opcode Fuzzy Hash: e2af1ce45db78be5681e6b2bba3ffc3459be309dc4f6a18d7814c7ba11c2c203
Instruction Fuzzy Hash: BD51D73570031CBBCF14AF65D8A5BA9B3A9EF45310F1444A7E906DF291D7748C80DB96

Function 0093910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 008C7620: _wcslen.LIBCMT ref: 008C7625

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009394E5
_wcslen.LIBCMT ref: 00939506
_wcslen.LIBCMT ref: 0093952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00939585

Strings

X, xrefs: 00939412

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 60f79a558f465e5f902e88e73727f142ae27ec18d5d4a94574b80bf58cea2299
Instruction ID: aeb5d1a108648bbe5cd7c3a69370ead771a01bbb108be9e79686e1879d24fd2d
Opcode Fuzzy Hash: 60f79a558f465e5f902e88e73727f142ae27ec18d5d4a94574b80bf58cea2299
Instruction Fuzzy Hash: 42E159716083409FC724EF28C885B6AB7E4FF85314F04896DF8999B2A2DB71DD45CB92

Function 008D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

BeginPaint.USER32(?,?,?), ref: 008D9241
GetWindowRect.USER32(?,?), ref: 008D92A5
ScreenToClient.USER32(?,?), ref: 008D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008D92D3
EndPaint.USER32(?,?,?,?,?), ref: 008D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009171EA

Part of subcall function 008D9339: BeginPath.GDI32(00000000), ref: 008D9357

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 3dbec4252323c6c08f3b5903d2e8a87c18f532b1c63b00e3acc9840424518ffe
Instruction ID: d4e8916c587511b7d08347fecba6703886df2a35f4e13189343d22f44d0f498d
Opcode Fuzzy Hash: 3dbec4252323c6c08f3b5903d2e8a87c18f532b1c63b00e3acc9840424518ffe
Instruction Fuzzy Hash: 0841DE70208306AFD711DF69DC84FBA7BB8FB45365F04062AF9A4C72A1C7309845EB62

Function 009307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0093080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00930847
EnterCriticalSection.KERNEL32(?), ref: 00930863
LeaveCriticalSection.KERNEL32(?), ref: 009308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00930921

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 1055c83b625e4e76dfda5d2fbcbdcc7f533889d798195341fa0f75e2a1914646
Instruction ID: 20bcf761f3eec1c7135c384a979762d5532e9ad8afedbaa238719b142584e7d2
Opcode Fuzzy Hash: 1055c83b625e4e76dfda5d2fbcbdcc7f533889d798195341fa0f75e2a1914646
Instruction Fuzzy Hash: C9415771900205AFDF14AF58DC85A6AB7B9FF44300F1440A5E905DE297DB31DE60EFA1

Function 009581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0091F3AB,00000000,?,?,00000000,?,0091682C,00000004,00000000,00000000), ref: 0095824C
EnableWindow.USER32(?,00000000), ref: 00958272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009582D1
ShowWindow.USER32(?,00000004), ref: 009582E5
EnableWindow.USER32(?,00000001), ref: 0095830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0095832F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8dadda82a9d744b80ffc4a48622e1c330b6a1e9f70d6f19eeb649d382bdcaaaf
Instruction ID: e43eced53fab7f4074b6579b222e54029b259b6097a25465b9f4ed14ef20703e
Opcode Fuzzy Hash: 8dadda82a9d744b80ffc4a48622e1c330b6a1e9f70d6f19eeb649d382bdcaaaf
Instruction Fuzzy Hash: CD41F530605701AFDF16CF16D899BE57BE4FB0A756F180169E9189B272CB31A849CF50

Function 00924C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00924C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00924CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00924CEA
_wcslen.LIBCMT ref: 00924D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00924D10
_wcsstr.LIBVCRUNTIME ref: 00924D1A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 98be29849ac33c4c9465e097477b1c43ff72882d6a800f09fa79eda4d777bb64
Instruction ID: 230317f21538abfe94ba5da4eba3a901ff44cf68c578322e55322e9bc133c7c7
Opcode Fuzzy Hash: 98be29849ac33c4c9465e097477b1c43ff72882d6a800f09fa79eda4d777bb64
Instruction Fuzzy Hash: 66212672205221BBEB159B3AFC09E7B7B9CEF45750F10803AF809DA196EA61DD0097A1

Function 0093581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 008C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C3A97,?,?,008C2E7F,?,?,?,00000000), ref: 008C3AC2

_wcslen.LIBCMT ref: 0093587B
CoInitialize.OLE32(00000000), ref: 00935995
CoCreateInstance.OLE32(0095FCF8,00000000,00000001,0095FB68,?), ref: 009359AE
CoUninitialize.OLE32 ref: 009359CC

Strings

.lnk, xrefs: 00935876, 009358C1, 00935985

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: ae5111428e39e3b4f11a3bfc0165be04585389cc78f551251677f0901d445e07
Instruction ID: b71763125f5ee11c269131202e8b35b499aec9bb2eb32729dc86587e85a68e6e
Opcode Fuzzy Hash: ae5111428e39e3b4f11a3bfc0165be04585389cc78f551251677f0901d445e07
Instruction Fuzzy Hash: 22D13D716086019FC714DF28C480A2ABBF5FF89724F16885DF88A9B261DB31ED45CF92

Function 0092175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00920FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00920FCA
Part of subcall function 00920FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00920FD6
Part of subcall function 00920FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00920FE5
Part of subcall function 00920FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00920FEC
Part of subcall function 00920FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00921002

GetLengthSid.ADVAPI32(?,00000000,00921335), ref: 009217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009217BA
HeapAlloc.KERNEL32(00000000), ref: 009217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009217DA
GetProcessHeap.KERNEL32(00000000,00000000,00921335), ref: 009217EE
HeapFree.KERNEL32(00000000), ref: 009217F5

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: dfd615d0c8d9fa16cb596e2c749e0bee123e3b94ad645f06ad4d526e47b80c68
Instruction ID: 69dc29643a6415d2cd51d71ad1437fc27db40f04ebdc211cdc0f85af15991dc7
Opcode Fuzzy Hash: dfd615d0c8d9fa16cb596e2c749e0bee123e3b94ad645f06ad4d526e47b80c68
Instruction Fuzzy Hash: 3C11EB72618715FFDB208FA4EC48BAF7BACEB91316F104018F481A7215C736A910DBA0

Function 009214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00921506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00921515
CloseHandle.KERNEL32(00000004), ref: 00921520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0092154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00921563

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e9ecdd734e7ad940225778ffad56a5f65d2f32dabda5bcd7ba6c7d7195a079ff
Instruction ID: ed9b4abfecb31d2dee01d3bd3bc26e4c203e4cf9d1c7a0ab611043b340c4056f
Opcode Fuzzy Hash: e9ecdd734e7ad940225778ffad56a5f65d2f32dabda5bcd7ba6c7d7195a079ff
Instruction Fuzzy Hash: 1A1144B260420DAFDF118FA8ED49FDA7BA9EB48705F044064FA05A20A0C3758E60EB60

Function 008E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008E3379,008E2FE5), ref: 008E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008E33B7
SetLastError.KERNEL32(00000000,?,008E3379,008E2FE5), ref: 008E3409

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2641e2c0678720b2c0b5faccf28fc8f06b60141d1cff51e41a0f0ef996ff3b69
Instruction ID: 2fba58c2bef376518c33c4d6796612493c8b0c96d7ae5ad69b2895813399c5e4
Opcode Fuzzy Hash: 2641e2c0678720b2c0b5faccf28fc8f06b60141d1cff51e41a0f0ef996ff3b69
Instruction Fuzzy Hash: 5401DE7221C351BEEA262B7B7C8D9662A94FB273B97300229F410C33F0EF614E016665

Function 008F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008F5686,00903CD6,?,00000000,?,008F5B6A,?,?,?,?,?,008EE6D1,?,00988A48), ref: 008F2D78
_free.LIBCMT ref: 008F2DAB
_free.LIBCMT ref: 008F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,008EE6D1,?,00988A48,00000010,008C4F4A,?,?,00000000,00903CD6), ref: 008F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,008EE6D1,?,00988A48,00000010,008C4F4A,?,?,00000000,00903CD6), ref: 008F2DEC
_abort.LIBCMT ref: 008F2DF2

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 007748f38abda8442dbfbf92590871dac71b2fe66607510d0bdaf75e088c5bad
Instruction ID: 440e1ad276db29ee14d43b95c6b5aecd0186797c513c09853885112949e0a760
Opcode Fuzzy Hash: 007748f38abda8442dbfbf92590871dac71b2fe66607510d0bdaf75e088c5bad
Instruction Fuzzy Hash: 2FF0C871549B0D6BC612373DBC1AE3F2559FFC17A6F240519FB24D22E2EF3489015262

Function 00958A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D9693
Part of subcall function 008D9639: SelectObject.GDI32(?,00000000), ref: 008D96A2
Part of subcall function 008D9639: BeginPath.GDI32(?), ref: 008D96B9
Part of subcall function 008D9639: SelectObject.GDI32(?,00000000), ref: 008D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00958A4E
LineTo.GDI32(?,00000003,00000000), ref: 00958A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00958A70
LineTo.GDI32(?,00000000,00000003), ref: 00958A80
EndPath.GDI32(?), ref: 00958A90
StrokePath.GDI32(?), ref: 00958AA0

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7f0b525a8336fd3fff90f8f2215b9c25f9b78d3c67c54e5838757d9c52ab79c6
Instruction ID: f33be8e3f03ab3a1a26b66a819d85f7b55a17cd977b7592691d58fd26f7799ff
Opcode Fuzzy Hash: 7f0b525a8336fd3fff90f8f2215b9c25f9b78d3c67c54e5838757d9c52ab79c6
Instruction Fuzzy Hash: 35111E7600420DFFDF119F95DC88EAA7F6CEB04391F048012FA19951A1C7719D55EF60

Function 009251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00925218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00925229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00925230
ReleaseDC.USER32(00000000,00000000), ref: 00925238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0092524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00925261

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 25d318a1129aa884810c09c82a87ac5521d6c2ae30377095e1ff272758447516
Instruction ID: 23bea0baf7ced69b58f78316ec9194555fba4b97a93a69731aa53d6d391cd29f
Opcode Fuzzy Hash: 25d318a1129aa884810c09c82a87ac5521d6c2ae30377095e1ff272758447516
Instruction Fuzzy Hash: 2A014FB5A05719BFEF109BA69C49A5EBFB8EB48752F044065FA04A7281D6709900DBA0

Function 008C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 008C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 008C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 008C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 008C1C22

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 442f262c9b03fa16867e7c9f8f56bbd66d33fb9c986ceab2b29182acbd71cf02
Instruction ID: a32fdda494ca86202f313dc683eb2534b92dbb0b5ba683b9a39e18a69a222c5e
Opcode Fuzzy Hash: 442f262c9b03fa16867e7c9f8f56bbd66d33fb9c986ceab2b29182acbd71cf02
Instruction Fuzzy Hash: 060167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0092EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0092EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0092EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0092EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0092EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0092EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0092EB75

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3a6b5ed5b314ff17ecc8231c527eae6adb855a7856f285c8f18af2657f5cb974
Instruction ID: 4bf4ece03a18fd17f98a4e50e5e186c23caeb55624542271de9190541e62dae6
Opcode Fuzzy Hash: 3a6b5ed5b314ff17ecc8231c527eae6adb855a7856f285c8f18af2657f5cb974
Instruction Fuzzy Hash: D5F017B2255759BFE7215B63AC0EEAB3A7CEBCAB12F000158F601D109196A05A01A7B5

Function 00917439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00917452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00917469
GetWindowDC.USER32(?), ref: 00917475
GetPixel.GDI32(00000000,?,?), ref: 00917484
ReleaseDC.USER32(?,00000000), ref: 00917496
GetSysColor.USER32(00000005), ref: 009174B0

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 17264f21dd0e95249e84dd1da3dfba16f6495e2896f3fb6e5566b88efe99acb9
Instruction ID: c158cbf0d8e5301441ab3cf3b20cb170b128fb324eea9bd18177191adde86379
Opcode Fuzzy Hash: 17264f21dd0e95249e84dd1da3dfba16f6495e2896f3fb6e5566b88efe99acb9
Instruction Fuzzy Hash: 7301787151830AFFEB105FA5DC48BEABBB6FB04312F100160F916A21A0CB311E41EB10

Function 00921874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0092187F
UnloadUserProfile.USERENV(?,?), ref: 0092188B
CloseHandle.KERNEL32(?), ref: 00921894
CloseHandle.KERNEL32(?), ref: 0092189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009218A5
HeapFree.KERNEL32(00000000), ref: 009218AC

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a4cd409df1d3f92154da03d253863eef75af748740e839564b7e56247ac65a31
Instruction ID: 590246aa47335a20049f0f07f615a82b033274df7a1cd2030d6b395f8281085c
Opcode Fuzzy Hash: a4cd409df1d3f92154da03d253863eef75af748740e839564b7e56247ac65a31
Instruction Fuzzy Hash: D3E052B6118705BFDA015BA6ED0C94ABB69FB49B22B508625F22681471CB32A4A1EB50

Function 0092C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C7620: _wcslen.LIBCMT ref: 008C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0092C6EE
_wcslen.LIBCMT ref: 0092C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0092C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0092C7CA

Strings

0, xrefs: 0092C6AF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 27787aeec8ec4980920001abca94663be4a5baaacc3ad7edf6eb935b6f3302b6
Instruction ID: 66a0d09cf30306b91c2f9e9b042fe906c36980cf95de902c23ad2272803098b9
Opcode Fuzzy Hash: 27787aeec8ec4980920001abca94663be4a5baaacc3ad7edf6eb935b6f3302b6
Instruction Fuzzy Hash: 0851E0B16043219BD714AF28E884B6E77ECEF49314F040A2DF995E32A5DB74D904DB52

Function 0094AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0094AEA3

Part of subcall function 008C7620: _wcslen.LIBCMT ref: 008C7625

GetProcessId.KERNEL32(00000000), ref: 0094AF38
CloseHandle.KERNEL32(00000000), ref: 0094AF67

Strings

<, xrefs: 0094AE6B
@, xrefs: 0094AE72

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 7b4a473782c2e7fd3ecfd65187ab0c58366924eac3f65835cbb93fb7df5954d8
Instruction ID: fa36f030eac2715df30516c5107b2c4b354b99f10cb1143b216d5369e73e277c
Opcode Fuzzy Hash: 7b4a473782c2e7fd3ecfd65187ab0c58366924eac3f65835cbb93fb7df5954d8
Instruction Fuzzy Hash: 9D712471A00619DFCB14DF59C485A9EBBF4FF08314F048499E856AB3A2CB74ED45CB92

Function 0092719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00927206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0092723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0092724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009272CF

Strings

DllGetClassObject, xrefs: 00927242

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 8f8fff02f53114f270c15116f21453684f5d951199bf6be2a9c1754818697d3d
Instruction ID: d55c71d7de969038476c22c3a194c6a4a832e212312c4255b5920de2f8ff8419
Opcode Fuzzy Hash: 8f8fff02f53114f270c15116f21453684f5d951199bf6be2a9c1754818697d3d
Instruction Fuzzy Hash: 55417CB1A04214EFDB15DF94D884B9ABBA9EF84310F1480ADFD05AF20ED7B0D944CBA0

Function 00953D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00953E35
IsMenu.USER32(?), ref: 00953E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00953E92
DrawMenuBar.USER32 ref: 00953EA5

Strings

0, xrefs: 00953D89

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 42c782844d2ab4cae2512c4cc3c85f571319d75e1713a138cae08a6dd419a9b7
Instruction ID: 6cb7211a1d2cb01b1c9ab73ed34d5889d8bac9f9390bddc74e940294fc086fbf
Opcode Fuzzy Hash: 42c782844d2ab4cae2512c4cc3c85f571319d75e1713a138cae08a6dd419a9b7
Instruction Fuzzy Hash: 6E418A74A10209AFDB10DF96D885EAABBF9FF48391F048029FC0597250D330AE49DF60

Function 00921DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00921E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00921E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00921EA9

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

Strings

ComboBox, xrefs: 00921DF0
ListBox, xrefs: 00921E25

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 1a7da0d789fd3934794054209a6e697154a40072c17ac8aaf6d396693b60642b
Instruction ID: cfe95ead056489afb0bc46203011c72cf702a85ab2ce3711d1debe99c615307a
Opcode Fuzzy Hash: 1a7da0d789fd3934794054209a6e697154a40072c17ac8aaf6d396693b60642b
Instruction Fuzzy Hash: 732147B1A00204BEDB14AB68EC49DFFB7BCEF51360B114529F825E72E1DB384E199720

Function 00952F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00952F8D
LoadLibraryW.KERNEL32(?), ref: 00952F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00952FA9
DestroyWindow.USER32(?), ref: 00952FB1

Strings

SysAnimate32, xrefs: 00952F68

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 97e428adb04ed8bcc9cb9c9367c84ba9f9da4f533fd19f7f3ad96210186fd247
Instruction ID: 1b71c08243ae53f2f7ddbbe81ccd3444fa1197820a1c87e60fb8ce0c3088999b
Opcode Fuzzy Hash: 97e428adb04ed8bcc9cb9c9367c84ba9f9da4f533fd19f7f3ad96210186fd247
Instruction Fuzzy Hash: B021C071204205AFEB108F66EC80FBB77BDEB5A366F100618FD50E6190D771DC55AB60

Function 008E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008E4D1E,008F28E9,?,008E4CBE,008F28E9,009888B8,0000000C,008E4E15,008F28E9,00000002), ref: 008E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,008E4D1E,008F28E9,?,008E4CBE,008F28E9,009888B8,0000000C,008E4E15,008F28E9,00000002,00000000), ref: 008E4DC3

Strings

CorExitProcess, xrefs: 008E4D98
mscoree.dll, xrefs: 008E4D86

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2d1eb540ebd76f36c4246c0330c2cc9c51a42feaf80c18e73192072a67746715
Instruction ID: 331c555f62253cea95a31f41487b8cd1bf1ebfb6583aa823a6255638739dfa9c
Opcode Fuzzy Hash: 2d1eb540ebd76f36c4246c0330c2cc9c51a42feaf80c18e73192072a67746715
Instruction Fuzzy Hash: 8AF04F74A54318BFDB119F96DC49BAEBBB5EF45752F0000A4F909E2260CB705D40EB91

Function 008C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008C4EDD,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008C4EAE
FreeLibrary.KERNEL32(00000000,?,?,008C4EDD,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4EC0

Strings

kernel32.dll, xrefs: 008C4E94
Wow64DisableWow64FsRedirection, xrefs: 008C4EA8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 97bb33a9e21cfe370cacff3895dea0ee7e29b3fba78c4d9ab687e201f01b02fc
Instruction ID: 785593daa6ce6d3a8415bbfe47ea99e9ed4e8f500aae11c92aedfc6e57d9887c
Opcode Fuzzy Hash: 97bb33a9e21cfe370cacff3895dea0ee7e29b3fba78c4d9ab687e201f01b02fc
Instruction Fuzzy Hash: 2DE08675A19B225F932117266C28F5B6664FFC1F737060119FC04E2200DB74CD4592A0

Function 008C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00903CDE,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008C4E74
FreeLibrary.KERNEL32(00000000,?,?,00903CDE,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E87

Strings

kernel32.dll, xrefs: 008C4E5B
Wow64RevertWow64FsRedirection, xrefs: 008C4E6E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 954aaa5dbc1d5679d30f3e97265aa5c8a231977837c4bb11644baabba89e0a75
Instruction ID: dd9429b6c304f5f1c88559b43d348d25ca794b22337d029d4989229f6e0cb780
Opcode Fuzzy Hash: 954aaa5dbc1d5679d30f3e97265aa5c8a231977837c4bb11644baabba89e0a75
Instruction Fuzzy Hash: 44D0C23151AB215B46221B2ABC28E8B2A28FF81F263460118BC04E2110CF30CD41D3D0

Function 00932947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00932C05
DeleteFileW.KERNEL32(?), ref: 00932C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00932C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00932CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00932CC0

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 43c95e08fd7f8045e11471ac6ee974030f28043c8cbd256537365c76c904c326
Instruction ID: d58cabff6d32ad9f4f3c2ba5645182bf845771e0dd9ff84e6db467b16334fdcb
Opcode Fuzzy Hash: 43c95e08fd7f8045e11471ac6ee974030f28043c8cbd256537365c76c904c326
Instruction Fuzzy Hash: 1DB13D71D00219ABDF25DBA9CC85EDEB7BDFF49350F1040A6F609E6151EA30AA448F61

Function 0094A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0094A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0094A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0094A468
CloseHandle.KERNEL32(?), ref: 0094A63D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 0a6c13a051390d8f171e4d74f42903669b76fc681b3305b600cda3e162559adb
Instruction ID: f8b93627aa5e3d9f2ecc7e25bc5088c33c48ea927809b63a1adb7ccf0ea17c11
Opcode Fuzzy Hash: 0a6c13a051390d8f171e4d74f42903669b76fc681b3305b600cda3e162559adb
Instruction Fuzzy Hash: 9DA17C71644300AFD720DF28D886F2AB7E5EB84714F14895DF59ADB392DBB0EC418B92

Function 008FBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00963700), ref: 008FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0099121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00991270,000000FF,?,0000003F,00000000,?), ref: 008FBC36
_free.LIBCMT ref: 008FBB7F

Part of subcall function 008F29C8: HeapFree.KERNEL32(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008FBD4B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: bb5e3fd877f4306c84ac7a176b1693f1d1dde5ffd28178f7df8795d53d2a5526
Instruction ID: f8292c6f44bd2393a7492fd9b6415ef2a7aa7fe0cd20e5a24d6f0733b7fe22b4
Opcode Fuzzy Hash: bb5e3fd877f4306c84ac7a176b1693f1d1dde5ffd28178f7df8795d53d2a5526
Instruction Fuzzy Hash: EB51C57190420DEFCB14EF79DC819BEB7B8FF41360B10426AE664D72A1EB709E419B91

Function 0092E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0092DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0092CF22,?), ref: 0092DDFD

Part of subcall function 0092DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0092CF22,?), ref: 0092DE16

Part of subcall function 0092E199: GetFileAttributesW.KERNEL32(?,0092CF95), ref: 0092E19A

lstrcmpiW.KERNEL32(?,?), ref: 0092E473
MoveFileW.KERNEL32(?,?), ref: 0092E4AC
_wcslen.LIBCMT ref: 0092E5EB
_wcslen.LIBCMT ref: 0092E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0092E650

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2f7a0baf3b02d23c599413641db204a1a6c999f26309b84f6c8e5baedfc928dd
Instruction ID: f127f46d45dd93365bbfefbbdc23615d4fcfefd64a6cd51f98e7828ba01d9350
Opcode Fuzzy Hash: 2f7a0baf3b02d23c599413641db204a1a6c999f26309b84f6c8e5baedfc928dd
Instruction Fuzzy Hash: 9D5161B24083955BC724EB94E885EDF73ECEF85340F00492EF689D3195EF74A6888766

Function 0094B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 0094C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0094B6AE,?,?), ref: 0094C9B5
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094C9F1
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA68
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0094BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0094BB63
RegCloseKey.ADVAPI32(?,?), ref: 0094BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0094BBB3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 56cf6b874051f8b10077b039f5a03095b5766702bead1d3de445a62966aa705b
Instruction ID: ba17e12f9a68cb897931d80fc7ec013f37e29b5a69b621d145a8980a81480935
Opcode Fuzzy Hash: 56cf6b874051f8b10077b039f5a03095b5766702bead1d3de445a62966aa705b
Instruction Fuzzy Hash: C5615071208241AFD714DF24C495E2ABBF9FF84308F54899DF4998B292DB31ED45CB92

Function 00928BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00928BCD
VariantClear.OLEAUT32 ref: 00928C3E
VariantClear.OLEAUT32 ref: 00928C9D
VariantClear.OLEAUT32(?), ref: 00928D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00928D3B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a2d4529006f60a6a3dbb06b910a3cae51e0740b47ada83f2109258852b018273
Instruction ID: 5d45aa1d9b1e10709988e2f08b4e6a5f99215c50fecbe3952156cfd2a9cab99e
Opcode Fuzzy Hash: a2d4529006f60a6a3dbb06b910a3cae51e0740b47ada83f2109258852b018273
Instruction Fuzzy Hash: 1F5178B1A11219EFDB10CF68D884AAAB7F9FF89310B118559E909DB354E730E911CFA0

Function 00938AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00938BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00938BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00938C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00938C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00938C5F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 78ce8d42dd6d55273cd524c5cdb648561345abe23a0934ee3dc2de4d5fbf6382
Instruction ID: da3fdb38a53ad7f66eb2ad537f464679d9329915c5a632b0e05af32f0d19ffd6
Opcode Fuzzy Hash: 78ce8d42dd6d55273cd524c5cdb648561345abe23a0934ee3dc2de4d5fbf6382
Instruction Fuzzy Hash: 81514835A002159FCB00DF69C881E6ABBF5FF48314F088459E849AB362CB31ED51DF91

Function 00948EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00948F40
GetProcAddress.KERNEL32(00000000,?), ref: 00948FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00948FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00949032
FreeLibrary.KERNEL32(00000000), ref: 00949052

Part of subcall function 008DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00931043,?,7529E610), ref: 008DF6E6
Part of subcall function 008DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0091FA64,00000000,00000000,?,?,00931043,?,7529E610,?,0091FA64), ref: 008DF70D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 9d3363e28554da0997dd5636fa5d3fce22fb8c5b59c9ed28aae12a0d0529db9e
Instruction ID: 84bb0b68c2c9af5cfbfbd4da5dccbc18876062776d95411100992e300be9bcb2
Opcode Fuzzy Hash: 9d3363e28554da0997dd5636fa5d3fce22fb8c5b59c9ed28aae12a0d0529db9e
Instruction Fuzzy Hash: 12514935604205DFCB11DF68C484DAEBBF5FF49324B0480A9E80A9B762DB31ED86CB91

Function 00956B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00956C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00956C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00956C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0093AB79,00000000,00000000), ref: 00956C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00956CC7

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 73ce1d043e36018b3810163cfe8a041cc42a9a57ea51a27ebd1cf05b30ad4b37
Instruction ID: cd06f4e81d481c64e05b2210308562cd6fc2b277b2a74c98f741759e9bfaf45d
Opcode Fuzzy Hash: 73ce1d043e36018b3810163cfe8a041cc42a9a57ea51a27ebd1cf05b30ad4b37
Instruction Fuzzy Hash: D4410835A08204AFD724CF2ACC55FA97BA8EB09361F940228FED5A72E0C371ED45DB40

Function 008F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008F20C3
_free.LIBCMT ref: 008F20E3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d4299aecfd68bdeb1e7584286f605dd614448a7a413e635963fe8303676a62f1
Instruction ID: b48d185bfa14ece7d872c8ee40c2cf7fb9a6561504cef7387e673a80650750ba
Opcode Fuzzy Hash: d4299aecfd68bdeb1e7584286f605dd614448a7a413e635963fe8303676a62f1
Instruction Fuzzy Hash: C441D172A002089FCB24DF78C881A6DB7A5FF89314F1545A9E615EB392DA31AD01DB91

Function 008D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008D9141
ScreenToClient.USER32(00000000,?), ref: 008D915E
GetAsyncKeyState.USER32(00000001), ref: 008D9183
GetAsyncKeyState.USER32(00000002), ref: 008D919D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9452f7a943e4a2a2fff9b19e45b1109acf6083e0ef01694ee14e9049ae24aafd
Instruction ID: 23464dbce720b13de89a8c6aefade2900baccb5d7b2c05b6ba1916e0aad05ba6
Opcode Fuzzy Hash: 9452f7a943e4a2a2fff9b19e45b1109acf6083e0ef01694ee14e9049ae24aafd
Instruction Fuzzy Hash: 80415E71A0C60BFBDF199FA8C844BEEF774FB05324F208316E465A2290C7346994DB91

Function 00933874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00933922
TranslateMessage.USER32(?), ref: 0093394B
DispatchMessageW.USER32(?), ref: 00933955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00933966

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5e990a4076583e0b0b15f738652295521315f7ad99296017282eabb56a046b79
Instruction ID: cae16b027cd204f47a1ca59dc2b07d5d0e1d75e2cf73068c2965e64f119c8ea6
Opcode Fuzzy Hash: 5e990a4076583e0b0b15f738652295521315f7ad99296017282eabb56a046b79
Instruction Fuzzy Hash: 5031D77059C342DFEB39CB399849BB637ACEB05300F04856AE452C21A0E7B49A85EF11

Function 0093CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0093CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0093CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0093C21E,00000000), ref: 0093CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0093C21E,00000000), ref: 0093CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0093C21E,00000000), ref: 0093CFF2

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: dd43fe9d5bb24b72c33d9fe2cbc9455c74df488541be33b8834caea5e8ab818e
Instruction ID: 208cb8b3702990d0a6f42e19252b3861cff15bc6031b89901f8e17a4abb770f5
Opcode Fuzzy Hash: dd43fe9d5bb24b72c33d9fe2cbc9455c74df488541be33b8834caea5e8ab818e
Instruction Fuzzy Hash: 31313AB1504B05AFDB20DFA6C884AABBBFDEB14355F10442EF516E2241DB30EE419F60

Function 00921901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00921915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009219E2

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: aa5f6768740b9ac3f8a3277fc3f69247bd12e61c313bea167152b1b74c84091d
Instruction ID: 5b6f4f9fc457746328e395cbc8c530df65f3f120ed5928d234e6628d25deaa30
Opcode Fuzzy Hash: aa5f6768740b9ac3f8a3277fc3f69247bd12e61c313bea167152b1b74c84091d
Instruction Fuzzy Hash: 1831C275900329EFCB00CFA8ED99ADE7BB5EB54315F104225F921A72D1C7709A94DB90

Function 00955706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00955745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0095579D
_wcslen.LIBCMT ref: 009557AF
_wcslen.LIBCMT ref: 009557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00955816

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: c13ebac62da0abf1eb859787bb36925a5f7a3132bd8952e6a864f86d6fd1131a
Instruction ID: 60aef8b8e51a3969e63ed6b7893282e7ca6f8ef555ad99441ece6d79eb64bd6a
Opcode Fuzzy Hash: c13ebac62da0abf1eb859787bb36925a5f7a3132bd8952e6a864f86d6fd1131a
Instruction Fuzzy Hash: 7621D770904608DADB20DFA6CC44AED77BCFF04322F104116ED29EA191D7748A89CF50

Function 008D990E Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008D98CC
SetTextColor.GDI32(?,?), ref: 008D98D6
SetBkMode.GDI32(?,00000001), ref: 008D98E9
GetStockObject.GDI32(00000005), ref: 008D98F1
GetWindowLongW.USER32(?,000000EB), ref: 008D9952

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 4000470bf308fe2e29bcdc0a0a5934af0e34de8d422eb422c14ef2fa7e4f035e
Instruction ID: 7b1a5f507c043ea184f114bd4099cc40c2342639c73e8d350ad78a285767b78e
Opcode Fuzzy Hash: 4000470bf308fe2e29bcdc0a0a5934af0e34de8d422eb422c14ef2fa7e4f035e
Instruction Fuzzy Hash: A121C171149354AFDB228F69AC64AE93F64EB12332F08026AE592CB2E1C7754942EB50

Function 00940930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00940951
GetForegroundWindow.USER32 ref: 00940968
GetDC.USER32(00000000), ref: 009409A4
GetPixel.GDI32(00000000,?,00000003), ref: 009409B0
ReleaseDC.USER32(00000000,00000003), ref: 009409E8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: a659fdb5b8e516af32f599947e4106f0e13511aec4cce24f1d11792c4637bd24
Instruction ID: 44cf188b681366ad7477f6bad9aa81484de59ea2507337323fb2289c952e9d5c
Opcode Fuzzy Hash: a659fdb5b8e516af32f599947e4106f0e13511aec4cce24f1d11792c4637bd24
Instruction Fuzzy Hash: 35219D75604214AFD714EF69C889EAEBBF9EF88741F00842CE84AD7362CB30AD04DB50

Function 008FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008FCDE9

Part of subcall function 008F3820: RtlAllocateHeap.NTDLL(00000000,?,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6,?,008C1129), ref: 008F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008FCE0F
_free.LIBCMT ref: 008FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008FCE31

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 59bd2652b08beb3a486c52417f3db994d2e785999461c1c8d86b00fcf3d186a6
Instruction ID: 35475c62d7087c8209ea2e1b4851ba8017509027d63336804fb584859ba622d3
Opcode Fuzzy Hash: 59bd2652b08beb3a486c52417f3db994d2e785999461c1c8d86b00fcf3d186a6
Instruction Fuzzy Hash: 660188B2A0571D7F2321167BAD48DBB6D6DFEC6BA13150129FA05D7201DB618E0192F1

Function 008D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D9693
SelectObject.GDI32(?,00000000), ref: 008D96A2
BeginPath.GDI32(?), ref: 008D96B9
SelectObject.GDI32(?,00000000), ref: 008D96E2

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3c9f44ab955227f2c355929bb030cce4d203cc6bd041b18b4c01887a172a4df1
Instruction ID: d3e92b0e34e21168c0068c5668900973dd0e2155cb3b2cd2a894fd9600afaefc
Opcode Fuzzy Hash: 3c9f44ab955227f2c355929bb030cce4d203cc6bd041b18b4c01887a172a4df1
Instruction Fuzzy Hash: BF213D7082A306EFDB119F69FC147A97BA8FB60396F104317F451A62A0D3709891EB94

Function 00925711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00925726
_memcmp.LIBVCRUNTIME ref: 00925744
_memcmp.LIBVCRUNTIME ref: 00925757
_memcmp.LIBVCRUNTIME ref: 0092576F
_memcmp.LIBVCRUNTIME ref: 00925787

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a1b68b5b1af565dd9016106846c428eb9410b1641092a0ea3e53d6a06842876d
Instruction ID: 26d56633afedcb2262faa80920dcbf37f87c401a4146f86c33f9ee953955385c
Opcode Fuzzy Hash: a1b68b5b1af565dd9016106846c428eb9410b1641092a0ea3e53d6a06842876d
Instruction Fuzzy Hash: A401F571681669FBD6089116AE86FBB734CEB623A9F010030FD08DA249F734EE1483E1

Function 008F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,008EF2DE,008F3863,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6), ref: 008F2DFD
_free.LIBCMT ref: 008F2E32
_free.LIBCMT ref: 008F2E59
SetLastError.KERNEL32(00000000,008C1129), ref: 008F2E66
SetLastError.KERNEL32(00000000,008C1129), ref: 008F2E6F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8faeab14cced6cb1fdc7b3fa9006b4e11bdc97d498efcde2d27aa2266ec950cc
Instruction ID: fdbd13c11ddd9a70d9e8ba213f4f2fb0f65669c7ccd20d576ccf145e55b26f45
Opcode Fuzzy Hash: 8faeab14cced6cb1fdc7b3fa9006b4e11bdc97d498efcde2d27aa2266ec950cc
Instruction Fuzzy Hash: 4001F47225970C6BC61267796C89D3B2A59FBC17B6B300029FB21E22D3FB708C015221

Function 0092000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?,?,0092035E), ref: 0092002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?), ref: 00920046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?), ref: 00920054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?), ref: 00920064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?), ref: 00920070

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1b9aedb834c026763de512ea61bb25f49f9468f208592f0d659d536e48eeff54
Instruction ID: 5d6f4c90721b11295b960049c2f6f29125bb466ecb19bb6db1687e65fc064e47
Opcode Fuzzy Hash: 1b9aedb834c026763de512ea61bb25f49f9468f208592f0d659d536e48eeff54
Instruction Fuzzy Hash: A601A2B2650328BFEB104F69EC44BAA7AEDEF84792F144124F905D2225E775DD40DBA0

Function 009210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00921114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 0092112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092114D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: e4a45dcd45396590b01fee521c5b6841b4d584269da1c8d24f802689b1814c1f
Instruction ID: 203b299983bcd1d4d881863a54ad826323482b2c167c118706b0f8b6005cf46a
Opcode Fuzzy Hash: e4a45dcd45396590b01fee521c5b6841b4d584269da1c8d24f802689b1814c1f
Instruction Fuzzy Hash: B2016DB5104315BFDB114F65EC49A6A3F6EEF89361B100414FA41D3350DB31DC10DB60

Function 00920FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00920FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00920FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00920FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00920FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00921002

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d3400cf33a32c69f5e8f38c258959ccbb1101fe6edd12dfe8e13315999e2a5a9
Instruction ID: a289d92dc652a6a583a1c41ea571fd53b335fad83273a8740f86d514355c4c49
Opcode Fuzzy Hash: d3400cf33a32c69f5e8f38c258959ccbb1101fe6edd12dfe8e13315999e2a5a9
Instruction Fuzzy Hash: 4FF0A9B5245315AFDB210FA6AC49F5A3BADEF89762F100414FA06C62A0CA30DC909B60

Function 00921014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0092102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00921036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00921045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0092104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00921062

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 53e473dd634d5bf61ce405e51a7c99a443b57105572f553533f550f517c2d9cd
Instruction ID: ba14e36e87d9afe401590a10e791b808ed6ae135a3679ca8942a7b97b8cb9e1a
Opcode Fuzzy Hash: 53e473dd634d5bf61ce405e51a7c99a443b57105572f553533f550f517c2d9cd
Instruction Fuzzy Hash: C8F0CDB5244315EFDB211FA6EC48F5A3BADEF89762F100414FA06C7290CA30D890DB60

Function 0093030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 00930324
CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 00930331
CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 0093033E
CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 0093034B
CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 00930358
CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 00930365

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 876e68ff55a98765a999bfbd4f246d63d54924467efab677dd6179821b5b4530
Instruction ID: 253951d80cfe682ee2355366c7ae338c8b9be9650b0fbd751844d7eec69bc6ef
Opcode Fuzzy Hash: 876e68ff55a98765a999bfbd4f246d63d54924467efab677dd6179821b5b4530
Instruction Fuzzy Hash: EE01AA72800B159FCB30AF66D8A0812FBF9FFA03153158A3FD19652931C3B1A998DF80

Function 008FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008FD752

Part of subcall function 008F29C8: HeapFree.KERNEL32(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008FD764
_free.LIBCMT ref: 008FD776
_free.LIBCMT ref: 008FD788
_free.LIBCMT ref: 008FD79A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 53a217213d16c2ef00c07d620888bf2c46b77d653801b3c1e6e46d7e929e55f5
Instruction ID: 055c363f070b1db11d0a0673d7ab7222e697d511168b1a1e79c5e4a66c8d5389
Opcode Fuzzy Hash: 53a217213d16c2ef00c07d620888bf2c46b77d653801b3c1e6e46d7e929e55f5
Instruction Fuzzy Hash: 1EF0197269430DABC625BB78F981D2A7BDAFB043107A40805F248EB611C730F8809671

Function 00925C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00925C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00925C6F
MessageBeep.USER32(00000000), ref: 00925C87
KillTimer.USER32(?,0000040A), ref: 00925CA3
EndDialog.USER32(?,00000001), ref: 00925CBD

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9c1b18c557d7ddc6ba8835a1cf51b9b7a367cdf636ccdc8c9429671dd72f4e69
Instruction ID: 58a663761afa5a9bf2f1a9dbdd175a5706ae1b7b8e44f97754c37b8c42a4deb4
Opcode Fuzzy Hash: 9c1b18c557d7ddc6ba8835a1cf51b9b7a367cdf636ccdc8c9429671dd72f4e69
Instruction Fuzzy Hash: 4F018170514B14AFEB219B11ED4EFA677B8FB04B06F010569B583A14E1EBF4AA849B90

Function 008F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008F22BE

Part of subcall function 008F29C8: HeapFree.KERNEL32(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008F22D0
_free.LIBCMT ref: 008F22E3
_free.LIBCMT ref: 008F22F4
_free.LIBCMT ref: 008F2305

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9052106cef403852abe672e829efddfac2cd4bd605999072fa6b73da46f6ad4e
Instruction ID: 8c22fb2efb9464a2fc9e980c8c1efb12c4b23fdbf34b3a50c1bc43756c2628fd
Opcode Fuzzy Hash: 9052106cef403852abe672e829efddfac2cd4bd605999072fa6b73da46f6ad4e
Instruction Fuzzy Hash: 10F03AB19A82268BC612BF6CBC01D2C3FA4FB28761700050BF524D73B1C7714911BBA5

Function 008D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008D95D4
StrokeAndFillPath.GDI32(?,?,009171F7,00000000,?,?,?), ref: 008D95F0
SelectObject.GDI32(?,00000000), ref: 008D9603
DeleteObject.GDI32 ref: 008D9616
StrokePath.GDI32(?), ref: 008D9631

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ccaa3ce086573d65a34a06ceffc4e2c4d4a2a3ac1398b69c8a735f35bf5d731c
Instruction ID: 513412bec7034123c70b43eb1fa5d631d9d70b110fc3785f3c72c933f46fbd7d
Opcode Fuzzy Hash: ccaa3ce086573d65a34a06ceffc4e2c4d4a2a3ac1398b69c8a735f35bf5d731c
Instruction Fuzzy Hash: EAF0E430029709EFDB125F6AFD187643B65FB113A6F048316E465951F0CB318991EF20

Function 008F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008F10F9
__freea.LIBCMT ref: 008F1117

Part of subcall function 008F1537: _free.LIBCMT ref: 008F154F

Strings

am/pm, xrefs: 008F117A
a/p, xrefs: 008F11DE

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 0816818cd9b7ce6606e36bcba0e9f2945743d064061c633ea2349d6d8b6cb7fa
Instruction ID: 1d2f9ba585323e8dc210bd583f311e5c01f01e237c1e4b26c89864df8a951117
Opcode Fuzzy Hash: 0816818cd9b7ce6606e36bcba0e9f2945743d064061c633ea2349d6d8b6cb7fa
Instruction Fuzzy Hash: 8FD1DF3190020EDADF289F78C85DABAB7B5FF05704F280159EB01EBA51D7799D80CBA1

Function 00947B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 008E0242: EnterCriticalSection.KERNEL32(0099070C,00991884,?,?,008D198B,00992518,?,?,?,008C12F9,00000000), ref: 008E024D
Part of subcall function 008E0242: LeaveCriticalSection.KERNEL32(0099070C,?,008D198B,00992518,?,?,?,008C12F9,00000000), ref: 008E028A

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 008E00A3: __onexit.LIBCMT ref: 008E00A9

__Init_thread_footer.LIBCMT ref: 00947BFB

Part of subcall function 008E01F8: EnterCriticalSection.KERNEL32(0099070C,?,?,008D8747,00992514), ref: 008E0202
Part of subcall function 008E01F8: LeaveCriticalSection.KERNEL32(0099070C,?,008D8747,00992514), ref: 008E0235

Strings

Variable must be of type 'Object'., xrefs: 00947C3A
G, xrefs: 00947C7F
5, xrefs: 00947C78

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: f189b7324a72b14e55f2197f59f415b5459111acd288a08646251a1d4bae147e
Instruction ID: 13914ec71064333dd5a0879440ec22837135f7c591048512a86eab0532f7482e
Opcode Fuzzy Hash: f189b7324a72b14e55f2197f59f415b5459111acd288a08646251a1d4bae147e
Instruction Fuzzy Hash: B5916A70A04209AFCB14EF98D891EBDB7B5FF89304F108459F846AB392DB71AE45CB51

Function 00922716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009221D0,?,?,00000034,00000800,?,00000034), ref: 0092B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00922760

Part of subcall function 0092B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0092B3F8

Part of subcall function 0092B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0092B355
Part of subcall function 0092B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00922194,00000034,?,?,00001004,00000000,00000000), ref: 0092B365
Part of subcall function 0092B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00922194,00000034,?,?,00001004,00000000,00000000), ref: 0092B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0092281A

Strings

@, xrefs: 00922832

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 8e3329d947c9940932820e6117fb7d893d44a6e5afdd0892a5040b28e928a8cd
Instruction ID: 2b1c215c059a8defe6c61d21ee55f1c69cfd4740280de610561734ef679f3c15
Opcode Fuzzy Hash: 8e3329d947c9940932820e6117fb7d893d44a6e5afdd0892a5040b28e928a8cd
Instruction Fuzzy Hash: F2414D72901228BFDB10DBA4DC85BEEBBB8EF45300F008055FA55B7195DB70AE45CB61

Function 008F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 008F1769
_free.LIBCMT ref: 008F1834
_free.LIBCMT ref: 008F183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 008F1760, 008F1767, 008F1796, 008F17CE

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 8fcce3347e9e75c87e29c553c69d3e5952d677e909aa4f82bb330f414daec671
Instruction ID: ee61855e4912e0f53ec89f029deff0138b2e2f24e4d25fdc9d2ce6ce8c1e7b07
Opcode Fuzzy Hash: 8fcce3347e9e75c87e29c553c69d3e5952d677e909aa4f82bb330f414daec671
Instruction Fuzzy Hash: E4318D71A1421CEFDF21EBA99989DAEBBFCFB85350F104166EA04D7211D6B08A40DB91

Function 0092C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0092C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0092C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00991990,01245280), ref: 0092C395

Strings

0, xrefs: 0092C2DF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 4fa1986a24c4b126dc842fd224559e42625932e8433ea1d637d4c36674496e42
Instruction ID: cfacee27535428980638e08ce8cb1b4c21720115ef99d00308051c36aed3af34
Opcode Fuzzy Hash: 4fa1986a24c4b126dc842fd224559e42625932e8433ea1d637d4c36674496e42
Instruction Fuzzy Hash: 8D41BFB12083519FD720DF29E884B5EBBE8EF85321F008A5DF9A5972D5D730E904CB52

Function 00954416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0095CC08,00000000,?,?,?,?), ref: 009544AA
GetWindowLongW.USER32 ref: 009544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009544D7

Strings

SysTreeView32, xrefs: 0095447C

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 380cd37909a5800ec4c43dbec349822ca14bab6cd6651d1472f782952d79e492
Instruction ID: f4513fa66b5ec717a9f3885b91f3d9f98f393a0768068533a430f59ab52c5ca0
Opcode Fuzzy Hash: 380cd37909a5800ec4c43dbec349822ca14bab6cd6651d1472f782952d79e492
Instruction Fuzzy Hash: 3931DC31254605AFDF608E39DC45BEA77A9EB08339F204315FD79A21E0D730EC959B50

Function 0094304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0094335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00943077,?,?), ref: 00943378

inet_addr.WSOCK32(?), ref: 0094307A
_wcslen.LIBCMT ref: 0094309B
htons.WSOCK32(00000000), ref: 00943106

Strings

255.255.255.255, xrefs: 00943095, 0094309A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 0e8d41a372f9164b4cdfd6027150be7dd652f4d8f52d8e76d254e4a7182b85b7
Instruction ID: 31bd4a725075c21a1d3af103aac161ee0d8b6411ad636021110274ce6757586c
Opcode Fuzzy Hash: 0e8d41a372f9164b4cdfd6027150be7dd652f4d8f52d8e76d254e4a7182b85b7
Instruction Fuzzy Hash: CE31CF392042019FDB20CF79C486EAA77E4EF58318F24C199E9159B7A2DB72EE41C761

Function 00953EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00953F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00953F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00953F78

Strings

SysMonthCal32, xrefs: 00953F0B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 14b1b82ab05d210c34a9e88b4ba50196eb9f46d6693281d167ec229ebb7bed60
Instruction ID: e35030411edd0638c955588c1daeb1a7456cedebed742ac74d95806a41f56566
Opcode Fuzzy Hash: 14b1b82ab05d210c34a9e88b4ba50196eb9f46d6693281d167ec229ebb7bed60
Instruction Fuzzy Hash: 5B21DD32610219BFEF11CE51CC42FEA3B79EB88754F110214FE056B1D0D6B1A9549BA0

Function 00954653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00954705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00954713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0095471A

Strings

msctls_updown32, xrefs: 00954684

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2d2264b91af2f91530e5feaf41ae3af180265696664b746326a934497f28632f
Instruction ID: f14542caf187266306f3c88dde86936b1bdc59dd12590d5338da82b193c7fce9
Opcode Fuzzy Hash: 2d2264b91af2f91530e5feaf41ae3af180265696664b746326a934497f28632f
Instruction Fuzzy Hash: F22190B5605209AFDB10DF69ECC1DA737ADEB8A3A9B000459FA00DB251CB30EC55DB60

Function 009295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092961D

Strings

#OnAutoItStartRegister, xrefs: 009295F3
#notrayicon, xrefs: 009295B7
#requireadmin, xrefs: 009295D9

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 68941fb7fbffa708127bfe9e760be88952905490c880c149c699ab025fa19293
Instruction ID: a103dbe52f2007e8cc1075bbc5cf9f64939e15eb68762694705c10e753d72f10
Opcode Fuzzy Hash: 68941fb7fbffa708127bfe9e760be88952905490c880c149c699ab025fa19293
Instruction Fuzzy Hash: D2213832204261A6D331BA29AC16FBB73DCEF92310F10442AFD49DB149EB659D45C396

Function 009537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00953840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00953850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00953876

Strings

Listbox, xrefs: 0095380F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 771101f4ab2b4732af70350eda02977258f5375bcbe9519d44717d1d805e6c91
Instruction ID: 9b0a6c77495ec39963b623f10c3781d429b1ec08e8c27f8bf462aa422f824396
Opcode Fuzzy Hash: 771101f4ab2b4732af70350eda02977258f5375bcbe9519d44717d1d805e6c91
Instruction Fuzzy Hash: 1E21C272610218BBEF11CFA6DC41FBB376EEF89795F108124FA10AB190C671DC569BA0

Function 009349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00934A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00934A5C
SetErrorMode.KERNEL32(00000000,?,?,0095CC08), ref: 00934AD0

Strings

%lu, xrefs: 00934A6F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 3e84f3b0012edff3e976024b49cc904130a4379a87e936443cd1f4a8bcad0339
Instruction ID: c51dcfa364edebdaf848a1b86155a4e335c06f7e4f7ad4a1151ee50c8229f9c5
Opcode Fuzzy Hash: 3e84f3b0012edff3e976024b49cc904130a4379a87e936443cd1f4a8bcad0339
Instruction Fuzzy Hash: 4D313E75A04209AFDB10DF58C885EAA7BF8EF48308F1580A9F909DB252D771ED45CB62

Function 009541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0095424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00954264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00954271

Strings

msctls_trackbar32, xrefs: 00954226

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0c8392a7b2d622d92ffa102df5dca7e95688d2945df6a3622c3d55ebb7f08134
Instruction ID: 8b35707415a207721b3fab2ff5644afca95e934e80b9351dd249b585afbf3c1d
Opcode Fuzzy Hash: 0c8392a7b2d622d92ffa102df5dca7e95688d2945df6a3622c3d55ebb7f08134
Instruction Fuzzy Hash: 10110631240308BEEF209F6ACC06FAB3BACEF95B59F110524FE55E20A0D271DC619B20

Function 00922F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

Part of subcall function 00922DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00922DC5
Part of subcall function 00922DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00922DD6
Part of subcall function 00922DA7: GetCurrentThreadId.KERNEL32 ref: 00922DDD
Part of subcall function 00922DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00922DE4

GetFocus.USER32 ref: 00922F78

Part of subcall function 00922DEE: GetParent.USER32(00000000), ref: 00922DF9

GetClassNameW.USER32(?,?,00000100), ref: 00922FC3
EnumChildWindows.USER32(?,0092303B), ref: 00922FEB

Strings

%s%d, xrefs: 00922FFF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 37f45edf08fe617dbe073eef0b571e2933060c380e6d1fc6dba8ef7b8e91d439
Instruction ID: 4e4be584f139278d68874a0b77b9bc50c039918c8364dca8035442fc1b832ec2
Opcode Fuzzy Hash: 37f45edf08fe617dbe073eef0b571e2933060c380e6d1fc6dba8ef7b8e91d439
Instruction Fuzzy Hash: 5711D2B12002156BCF00BF75AC95FED37AAEFC4314F048079B909AB296DE349A499B70

Function 00955882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009558EE
DrawMenuBar.USER32(?), ref: 009558FD

Strings

0, xrefs: 0095588F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: b90681aeb46944e12723f30a5052add61d54348d416d655d7cc6b166cb8d0073
Instruction ID: f3220cfd35103b382055d7adb6da39671ff6a8adbb443bfb8a8e92e0fb61eac5
Opcode Fuzzy Hash: b90681aeb46944e12723f30a5052add61d54348d416d655d7cc6b166cb8d0073
Instruction Fuzzy Hash: 5E01C431504208EFDB109F52DC44BAEBBB8FF45362F008099F849DA262DB348A84EF21

Function 0091D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0091D3BF
FreeLibrary.KERNEL32 ref: 0091D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0091D3B9
X64, xrefs: 0091D2A8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 015db444f501a023acbe0be713dc2486793531c97fc4e3c270087c67265cd715
Instruction ID: 1ea8979c78ffb1b6512f49e68bf5e7bb457d5224111fc272a447881b0f21ac9a
Opcode Fuzzy Hash: 015db444f501a023acbe0be713dc2486793531c97fc4e3c270087c67265cd715
Instruction Fuzzy Hash: BCF055B1B0BB398FD73552114C989ED3328AF01706B54491AE832E2245EB34CDC8D3D2

Function 0092007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739494643d9915c7ed0c8c161f91982d068ab5d7acbe7e5da75b7d67f954ace2
Instruction ID: 39818a4c3e790dce466fc9b77e1c8381bdeb4a288ed674d31074995da1e1123c
Opcode Fuzzy Hash: 739494643d9915c7ed0c8c161f91982d068ab5d7acbe7e5da75b7d67f954ace2
Instruction Fuzzy Hash: 6FC16C75A0022AEFDB14CFA4D894EAEB7B9FF88304F108599E505EB256D731ED41CB90

Function 008F3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 008F3F0B
__alldvrm.LIBCMT ref: 008F410C
__alldvrm.LIBCMT ref: 008F412E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 5fd6ff175a0949d7536e2f57a7739c6fafc03fdc7bde23cf4a84fd1e949f935a
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: FEA1257190078E9FDB25CE38C8917BBBBE4FFA1350F24416EE685DB281D6348981C750

Function 0094342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00943459
CoUninitialize.OLE32 ref: 00943463
VariantInit.OLEAUT32(?), ref: 0094346E
VariantClear.OLEAUT32(?), ref: 0094371B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 6498dfc86300cfa3d229f9be4d267b91308c855dbb67fab6c3d67f1590f61353
Instruction ID: 7d6416cac69087bd38a9de4867e3e7756ce1e14431b10a6a672f2ce0a7f81460
Opcode Fuzzy Hash: 6498dfc86300cfa3d229f9be4d267b91308c855dbb67fab6c3d67f1590f61353
Instruction Fuzzy Hash: ABA1F3756046019FCB10DF28C585E2AB7E9FF88714F05895DF98A9B362DB30EE019B92

Function 00920436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0095FC08,?), ref: 009205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0095FC08,?), ref: 00920608
CLSIDFromProgID.OLE32(?,?,00000000,0095CC40,000000FF,?,00000000,00000800,00000000,?,0095FC08,?), ref: 0092062D
_memcmp.LIBVCRUNTIME ref: 0092064E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: e4341db1d26601766fdec93356a70f335f71166c6d3f2f8d030b1b1251b7a0dc
Instruction ID: b5de89f8627ce8a0aee5755ca4bb29224d1af6d5da9a9549622728f646fc7aa7
Opcode Fuzzy Hash: e4341db1d26601766fdec93356a70f335f71166c6d3f2f8d030b1b1251b7a0dc
Instruction Fuzzy Hash: 4A81FA71A00219EFCB04DF94C988EEEB7B9FF89315F204558F506AB255DB71AE06CB60

Function 00901391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009014C0

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 48005dcb1e03facc96748a76c87bdc53909bb9d187e27bca91c8b15d80e99129
Instruction ID: ce7e261ba5350dfd53a66bfadec6e6a79c82079a1997c4d5d1fe1c4c1fe41fc5
Opcode Fuzzy Hash: 48005dcb1e03facc96748a76c87bdc53909bb9d187e27bca91c8b15d80e99129
Instruction Fuzzy Hash: 9F414831A00615AFDB256BBE8C46BBE3AA8FF52370F244625F618D71F2E77488415363

Function 00956278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009562E2
ScreenToClient.USER32(?,?), ref: 00956315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00956382

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 85bc3fe41bc8816471f61b34d17f156b1fc2182f5d17cc8fe57bbc1bfd5df6b9
Instruction ID: aadbfc25689dd432f418cb2635386a23fd4bd83b9b17b2f35d29f549bb3bb892
Opcode Fuzzy Hash: 85bc3fe41bc8816471f61b34d17f156b1fc2182f5d17cc8fe57bbc1bfd5df6b9
Instruction Fuzzy Hash: 0A513A74A00209EFCF14DF69D880AAE7BB9FB45361F508169F8259B2A0D730EE85DB50

Function 00941AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00941AFD
WSAGetLastError.WSOCK32 ref: 00941B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00941B8A
WSAGetLastError.WSOCK32 ref: 00941B94

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: ca448675349af9cee715dc7f0d709d59764647fa1c66d19ad6b16a5553fecfdb
Instruction ID: daaca1e7ca34c0bf2056bf22be91233de9c194703598874f316fdbd991cfcee6
Opcode Fuzzy Hash: ca448675349af9cee715dc7f0d709d59764647fa1c66d19ad6b16a5553fecfdb
Instruction Fuzzy Hash: 36418F74600200AFE720AF28C886F2977E5EB44718F54855CF91A9F7D2EB72DD828B91

Function 008FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8aca61afae5c56779209aa9a6e1d06d595d07c8e5d5030b76243618bca5694
Instruction ID: e2abd9af54cd6ce806b1c4021bf004976343a2cfa872081aa51182a49dd3a966
Opcode Fuzzy Hash: fd8aca61afae5c56779209aa9a6e1d06d595d07c8e5d5030b76243618bca5694
Instruction Fuzzy Hash: A2410875A00708AFD724AF3CCC41B7ABBE9FB98710F10452AF651DB682E771A9018B80

Function 009356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00935783
GetLastError.KERNEL32(?,00000000), ref: 009357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009357FA

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6c9c28897bd4c90a4fb8368a682b7a4285572f68b12b791ee34b79471cbfda4e
Instruction ID: 93532774fe288395806c84ed4577d39a60d8ee4c7c6e100e2a2b93933b82bf8c
Opcode Fuzzy Hash: 6c9c28897bd4c90a4fb8368a682b7a4285572f68b12b791ee34b79471cbfda4e
Instruction Fuzzy Hash: 3F41F735600610DFCB11DF19C445A1ABBF6EF89320B198488E84AAB362CB34ED019F92

Function 008FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,008E6D71,00000000,00000000,008E82D9,?,008E82D9,?,00000001,008E6D71,8BE85006,00000001,008E82D9,008E82D9), ref: 008FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008FD9AB
__freea.LIBCMT ref: 008FD9B4

Part of subcall function 008F3820: RtlAllocateHeap.NTDLL(00000000,?,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6,?,008C1129), ref: 008F3852

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2e9cd2985a3b478ae7ffb6e332a5c8f135068bf5e2d423d936816415fdcd28a4
Instruction ID: b82568c37ea9d477bef9039e44a0cb3645a471c278a5f0403e07dd0a22608b98
Opcode Fuzzy Hash: 2e9cd2985a3b478ae7ffb6e332a5c8f135068bf5e2d423d936816415fdcd28a4
Instruction Fuzzy Hash: E631CE72A1030AABDF249FB5DC45EBE7BA6FB41310B050168FE04DA250EB75CD50CBA0

Function 009552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00955352
GetWindowLongW.USER32(?,000000F0), ref: 00955375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00955382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009553A8

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 50272dfaae72e0973e939fca435786c14ee732f72ced5c4c25b2425f7cd4f9af
Instruction ID: 24cfcfb6c0ef5d320db48ba09de2dd72178eb46d8ebf69b3069ea1e39c0b7022
Opcode Fuzzy Hash: 50272dfaae72e0973e939fca435786c14ee732f72ced5c4c25b2425f7cd4f9af
Instruction Fuzzy Hash: 85310630A55A08EFEB30DF16CC25BE83769EB043D2F594002FE08961E2C3B49D88E741

Function 0092AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0092ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0092AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0092AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0092ACC6

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 929532d3dfa22ff5d6503e90605397240586bbc04803372a8b1b6a03c73f8e5c
Instruction ID: c5e96fa32d39a8590f62a92f6f17a8de626ceace17e6f5d348af293eaddfe2b8
Opcode Fuzzy Hash: 929532d3dfa22ff5d6503e90605397240586bbc04803372a8b1b6a03c73f8e5c
Instruction Fuzzy Hash: 8D312872A04328AFFF34CF65EC047FE7BA9AB85310F04461AE4C5521E9C3788D859792

Function 00957674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0095769A
GetWindowRect.USER32(?,?), ref: 00957710
PtInRect.USER32(?,?,00958B89), ref: 00957720
MessageBeep.USER32(00000000), ref: 0095778C

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: cf1a949670fe0f0adf6a2445f21a55cf2fda20f8c2c5d3e95f0e884fa1497d28
Instruction ID: c2eb650e33c6f5a10bee28c66cb43d2d321c41e469a5564f62a85977a27105a4
Opcode Fuzzy Hash: cf1a949670fe0f0adf6a2445f21a55cf2fda20f8c2c5d3e95f0e884fa1497d28
Instruction Fuzzy Hash: 5741AD34609215DFCB02CF9AF894FA9B7F4FB49302F1440A9E8149B261C330AA4ADF90

Function 009516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009516EB

Part of subcall function 00923A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00923A57
Part of subcall function 00923A3D: GetCurrentThreadId.KERNEL32 ref: 00923A5E
Part of subcall function 00923A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009225B3), ref: 00923A65

GetCaretPos.USER32(?), ref: 009516FF
ClientToScreen.USER32(00000000,?), ref: 0095174C
GetForegroundWindow.USER32 ref: 00951752

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0ebf2bd2c87f1ec542af00ed488f3b84362ca2587a93b30732747a1269c8aee2
Instruction ID: b495c3d131bee7a685ec4c3a902defb6ea1156f7068ba54f881c248f5ade60ca
Opcode Fuzzy Hash: 0ebf2bd2c87f1ec542af00ed488f3b84362ca2587a93b30732747a1269c8aee2
Instruction Fuzzy Hash: 51313071D00249AFC700DFAAC881DAEB7F9FF48304B508069E415E7211E635DE45CBA1

Function 0092DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 008C7620: _wcslen.LIBCMT ref: 008C7625

_wcslen.LIBCMT ref: 0092DFCB
_wcslen.LIBCMT ref: 0092DFE2
_wcslen.LIBCMT ref: 0092E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0092E018

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 10545487521b284d93a5fe807e602fe866d6d8705173e36c571063dab3bfa5c0
Instruction ID: 1b6b0bee7304e3c5cd67a8a5b9667ce296a8eaf08f4407ee33d3359af9e28a69
Opcode Fuzzy Hash: 10545487521b284d93a5fe807e602fe866d6d8705173e36c571063dab3bfa5c0
Instruction Fuzzy Hash: 8B218671940224AFCB10AF69D981BAEB7F8FF46750F144065E905FB246D6709E418BE2

Function 0092D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0092D501
Process32FirstW.KERNEL32(00000000,?), ref: 0092D50F
Process32NextW.KERNEL32(00000000,?), ref: 0092D52F
CloseHandle.KERNEL32(00000000), ref: 0092D5DC

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2313e2ea137772a457188fb475378c7297fd7f5e9f35a98eb5ba0ce6a02df3e7
Instruction ID: b946e45c5de8e1028d53293b1e67914d359e087428d029047f5092fe9ac07234
Opcode Fuzzy Hash: 2313e2ea137772a457188fb475378c7297fd7f5e9f35a98eb5ba0ce6a02df3e7
Instruction Fuzzy Hash: 66314D711083009FD305EF64D885EAABBF8EF99354F14092DF585862A1EB71E949CBA3

Function 00958FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

GetCursorPos.USER32(?), ref: 00959001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00917711,?,?,?,?,?), ref: 00959016
GetCursorPos.USER32(?), ref: 0095905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00917711,?,?,?), ref: 00959094

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6b5f63352190d88bf072fb89af456f851ed2583c9627e6f39569cdee10a5182c
Instruction ID: bb09bc365e38eee57214a9bc7707f3db029867ad6c9dad10ff23f0d1eabd8254
Opcode Fuzzy Hash: 6b5f63352190d88bf072fb89af456f851ed2583c9627e6f39569cdee10a5182c
Instruction Fuzzy Hash: 0A21BF31611118EFEB25CFAACC58EEB3BB9FB49362F044455F905872A1C3319990EB60

Function 0092D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0095CB68), ref: 0092D2FB
GetLastError.KERNEL32 ref: 0092D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0092D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0095CB68), ref: 0092D376

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 61cbaea89924e2dcb7334302b8aed0b80fd950c31cbc14c862970b68ddc83c38
Instruction ID: 1f06d600b77514577430f9155147570e50501ba94ef8e8077ae56c767b5fb206
Opcode Fuzzy Hash: 61cbaea89924e2dcb7334302b8aed0b80fd950c31cbc14c862970b68ddc83c38
Instruction Fuzzy Hash: 9321A37050A3119F8300DF28D8859AE77E8FE56368F104A1DF499C32A1D730D945CB93

Function 00921571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00921014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0092102A
Part of subcall function 00921014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00921036
Part of subcall function 00921014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00921045
Part of subcall function 00921014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0092104C
Part of subcall function 00921014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00921062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009215BE
_memcmp.LIBVCRUNTIME ref: 009215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00921617
HeapFree.KERNEL32(00000000), ref: 0092161E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6341d75dc54b36364d2980d7333f2b39ae7d19f55d882634815d72318d36ba6c
Instruction ID: 9a6327818f054fac6210cedf0c52e2da2ee8fc07d87a5e1ad6dd3f85fd3ab432
Opcode Fuzzy Hash: 6341d75dc54b36364d2980d7333f2b39ae7d19f55d882634815d72318d36ba6c
Instruction Fuzzy Hash: 0A21CC71E00219EFDF04DFA4D948BEEB7F8EF90345F084499E401AB244E730AA04DBA0

Function 00952782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0095280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00952824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00952832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00952840

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 6c395b31566674453269b6e4f0ffd6fe5311d4eb536f348ce6931d3a3a2eac87
Instruction ID: 8c4c196efdab2653ef69914b5be4d193a68efb426cff11b5796b328296dd444e
Opcode Fuzzy Hash: 6c395b31566674453269b6e4f0ffd6fe5311d4eb536f348ce6931d3a3a2eac87
Instruction Fuzzy Hash: 6021C431208611AFD714DB25C845F6A77A9EF86325F148158F826CB6D2C775FC46C7D0

Function 009278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00928D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0092790A,?,000000FF,?,00928754,00000000,?,0000001C,?,?), ref: 00928D8C
Part of subcall function 00928D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00928DB2
Part of subcall function 00928D7D: lstrcmpiW.KERNEL32(00000000,?,0092790A,?,000000FF,?,00928754,00000000,?,0000001C,?,?), ref: 00928DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00928754,00000000,?,0000001C,?,?,00000000), ref: 00927923
lstrcpyW.KERNEL32(00000000,?), ref: 00927949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00928754,00000000,?,0000001C,?,?,00000000), ref: 00927984

Strings

cdecl, xrefs: 0092797B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1be97d926571ecf092e1f4b3bb3d958aceccb6f42d02569d80bfe4b3d359220f
Instruction ID: 25890959cd78b95cc7d9114bd6b1131e95b8ad781f0a3c20dc433ad0dd69e184
Opcode Fuzzy Hash: 1be97d926571ecf092e1f4b3bb3d958aceccb6f42d02569d80bfe4b3d359220f
Instruction Fuzzy Hash: 8611293E204311AFCB155F79E844E7BB7A9FF85390B00402AF906CB3A8EB319841D751

Function 00957CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00957D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00957D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00957D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0093B7AD,00000000), ref: 00957D6B

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 9b78bd04e69424c4dc8803474477f956e385cf2b8b6d1a5cc2a466fdd274f4f0
Instruction ID: 5e6792dbed4d7740cb905c31c72dd05edc336555c0857e532855c8e853a6170b
Opcode Fuzzy Hash: 9b78bd04e69424c4dc8803474477f956e385cf2b8b6d1a5cc2a466fdd274f4f0
Instruction Fuzzy Hash: 3A11DE31118615AFCB10CFAAEC04A667BA8BF45362B114724FC35C72E0E7308A54DB40

Function 00955660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009556BB
_wcslen.LIBCMT ref: 009556CD
_wcslen.LIBCMT ref: 009556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00955816

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: c07e8d70818fb0be545b28b7d21a508c4aee4db1636a9fffadf6bca9bf12989a
Instruction ID: d6fe722c22facd4bdaa27ebfbc7493e5c1bc9618f6e8ac0ed86af3f082d1067f
Opcode Fuzzy Hash: c07e8d70818fb0be545b28b7d21a508c4aee4db1636a9fffadf6bca9bf12989a
Instruction Fuzzy Hash: 9C11E17160060996DB20DFA7CC91AEE77BCFF01362F504426FD15D6092E7748A88CB60

Function 008F1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d53bf9c00444061e70c9a149825f55e2c6c2d5f88ce9b8e2f5862e4d6602a15
Instruction ID: ad54826e843bdb948c85cb68d4498f22e28ac9333fd8f12d80dc42024e5aad9b
Opcode Fuzzy Hash: 0d53bf9c00444061e70c9a149825f55e2c6c2d5f88ce9b8e2f5862e4d6602a15
Instruction Fuzzy Hash: 70014FB2209B1EBEFA1126796CC5F77662DFF413B8B341325F721E11D2DB608C405161

Function 00921A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00921A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00921A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00921A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00921A8A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 32464951f0301466af80d12f066ce0753500763f72d42895b8b57bb084694fbb
Instruction ID: 07de4bca50989bf2e2c5c85015f4be4c528f4afff5aa6d78cfcf6dda843dd542
Opcode Fuzzy Hash: 32464951f0301466af80d12f066ce0753500763f72d42895b8b57bb084694fbb
Instruction Fuzzy Hash: 9411273A901229FFEF109BA5C985FADBB78EB18750F2000A1EA00B7294D6716E50DB94

Function 0092E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0092E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0092E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0092E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0092E24D

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ce68b9c28ee2306d5b9ba7983e81c072af5680c5beed56f1fbfa4f0570b0f3db
Instruction ID: ce36c1397aaa7a62831cf78aeae15130c6eb01d6c68d4492aee10e44ec684063
Opcode Fuzzy Hash: ce68b9c28ee2306d5b9ba7983e81c072af5680c5beed56f1fbfa4f0570b0f3db
Instruction Fuzzy Hash: ED1108B6918365FFC7019BACAC45A9E7FACEB45311F104216F925E3290D270890497A0

Function 008ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,008ECFF9,00000000,00000004,00000000), ref: 008ED218
GetLastError.KERNEL32 ref: 008ED224
__dosmaperr.LIBCMT ref: 008ED22B
ResumeThread.KERNEL32(00000000), ref: 008ED249

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 6c4322a614e94b0b5839e6fdc234204adc8e0e32ab2bb5d0ded67c83964fe3b6
Instruction ID: 71cf89b8d3e1236e5433f10a2439845cab7811f5428195a2533248e1a4f4ca3d
Opcode Fuzzy Hash: 6c4322a614e94b0b5839e6fdc234204adc8e0e32ab2bb5d0ded67c83964fe3b6
Instruction Fuzzy Hash: 48010476809348BFC7105BABDC05AAE7A69FF83331F104219FA24D21D0CB719805D7A1

Function 00959EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

GetClientRect.USER32(?,?), ref: 00959F31
GetCursorPos.USER32(?), ref: 00959F3B
ScreenToClient.USER32(?,?), ref: 00959F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00959F7A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 98cff5b823b09d8806c16503f45ea02599b7adffa8f6a17db47d2a4f5e0e1cbd
Instruction ID: 7f53535c5c010963ff71e3159fb7bd06ac765f2bb82e1e4bf1b6211305c7309f
Opcode Fuzzy Hash: 98cff5b823b09d8806c16503f45ea02599b7adffa8f6a17db47d2a4f5e0e1cbd
Instruction Fuzzy Hash: 8511337291421AEBEB10DFAAE8899EE77B8FB45312F400451FD01E3140D330BE89DBA1

Function 008C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008C604C
GetStockObject.GDI32(00000011), ref: 008C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 008C606A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b14fe132d6aa48bb34d348d6e7d9897749ccb62fdc9191ca6b706b6b1ee6587e
Instruction ID: d59599938aa5b5a655c513fd971867d35edab5583aa7635bbef6d95f607a3bb9
Opcode Fuzzy Hash: b14fe132d6aa48bb34d348d6e7d9897749ccb62fdc9191ca6b706b6b1ee6587e
Instruction Fuzzy Hash: 70115EB2505A09BFEF124F949C44FEA7B79FF18765F050125FA14A2110D732DC60AB90

Function 008E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 008E3B56

Part of subcall function 008E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 008E3AD2
Part of subcall function 008E3AA3: ___AdjustPointer.LIBCMT ref: 008E3AED

_UnwindNestedFrames.LIBCMT ref: 008E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 008E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 008E3BA4

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 7186a06ccb528a01edcf35a8dfc6190d21b425437ad7bce72c6308fca9c1da88
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 57012D32100189BBDF125E9ACC46DEB3B69FF8A754F044014FE5896121C732D961DBA1

Function 008F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008C13C6,00000000,00000000,?,008F301A,008C13C6,00000000,00000000,00000000,?,008F328B,00000006,FlsSetValue), ref: 008F30A5
GetLastError.KERNEL32(?,008F301A,008C13C6,00000000,00000000,00000000,?,008F328B,00000006,FlsSetValue,00962290,FlsSetValue,00000000,00000364,?,008F2E46), ref: 008F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008F301A,008C13C6,00000000,00000000,00000000,?,008F328B,00000006,FlsSetValue,00962290,FlsSetValue,00000000), ref: 008F30BF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1eaea211209bac8084c58bbe524a6735d8d36cff306258777ec7f0577e62bb39
Instruction ID: f1e24e0be9085db21aa3b63af144a14740f26acdedf50b14e2473880663ddb54
Opcode Fuzzy Hash: 1eaea211209bac8084c58bbe524a6735d8d36cff306258777ec7f0577e62bb39
Instruction Fuzzy Hash: 3D01D472319B2AAFCB214A799C449777B98FF85BA1B100621FA15E3240CF21D941C6E0

Function 00927464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0092747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00927497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009274CA

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 28757efebc8d5cecadba9da2462b50014c1c151b37700eda062bf4fcaf14ec4a
Instruction ID: 8850c226e8a11850a44aa38cf21c1698dca5698d74e9f8df398859f7b54c0eae
Opcode Fuzzy Hash: 28757efebc8d5cecadba9da2462b50014c1c151b37700eda062bf4fcaf14ec4a
Instruction Fuzzy Hash: EF11C4B12093249FE720AF95FC08F92BFFDEB00B00F108969E616E6165D774E904DB51

Function 0092B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0092ACD3,?,00008000), ref: 0092B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0092ACD3,?,00008000), ref: 0092B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0092ACD3,?,00008000), ref: 0092B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0092ACD3,?,00008000), ref: 0092B126

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 0104201c3ad1176b3afd739a836dc80cc3df1cbb0c889fe94c85f9886625efe5
Instruction ID: 0f65c09887381562b8a1118b80d18a9e8ee0feb7e435f3932f41d88dd55224ef
Opcode Fuzzy Hash: 0104201c3ad1176b3afd739a836dc80cc3df1cbb0c889fe94c85f9886625efe5
Instruction Fuzzy Hash: 60116171C09A3DDBCF00AFE5E9686EEBBB8FF09711F104485D941B224ACB3455509B51

Function 00957E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00957E33
ScreenToClient.USER32(?,?), ref: 00957E4B
ScreenToClient.USER32(?,?), ref: 00957E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00957E8A

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1b21e5ef3971831e44b10bf5aa0e5ff3989948707988f32696f3da883dca0bdb
Instruction ID: 3e2edc1fa9a30d3b8d10aa4ad9f742b3e6e248b1c0884c52834072842566da4a
Opcode Fuzzy Hash: 1b21e5ef3971831e44b10bf5aa0e5ff3989948707988f32696f3da883dca0bdb
Instruction Fuzzy Hash: F11142B9D0420AAFDB41CF99D884AEEBBF9FF08311F509066E915E3210D735AA54DF90

Function 00922DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00922DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00922DD6
GetCurrentThreadId.KERNEL32 ref: 00922DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00922DE4

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 7a7078946e8b6b70d92fc5b7502d617d72a6e5f424c492eb9df84a6956328828
Instruction ID: 5e7e9bef1543b3501913629601e874e719cf9cb1cdfb1b9cf4c3e5a588c7bc3e
Opcode Fuzzy Hash: 7a7078946e8b6b70d92fc5b7502d617d72a6e5f424c492eb9df84a6956328828
Instruction Fuzzy Hash: AEE06DB211A3347BD7202B73AC0DFEB3E6CEB42BA2F000015B105D50809AA48940D7B0

Function 00958863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D9693
Part of subcall function 008D9639: SelectObject.GDI32(?,00000000), ref: 008D96A2
Part of subcall function 008D9639: BeginPath.GDI32(?), ref: 008D96B9
Part of subcall function 008D9639: SelectObject.GDI32(?,00000000), ref: 008D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00958887
LineTo.GDI32(?,?,?), ref: 00958894
EndPath.GDI32(?), ref: 009588A4
StrokePath.GDI32(?), ref: 009588B2

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 757204b9dcc2d933842dd100fbced19a7b6d46b49586c17d5db93f0080be7d12
Instruction ID: 4352e333295ec5718feafa47dd93dba649bba66987515c45dc93bbbb504544a1
Opcode Fuzzy Hash: 757204b9dcc2d933842dd100fbced19a7b6d46b49586c17d5db93f0080be7d12
Instruction Fuzzy Hash: 79F09A36019319BADB126FA9AC09FCE3B19AF06312F048001FA21610E1C7755510EBA5

Function 008D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008D98CC
SetTextColor.GDI32(?,?), ref: 008D98D6
SetBkMode.GDI32(?,00000001), ref: 008D98E9
GetStockObject.GDI32(00000005), ref: 008D98F1

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b8097f5c6a1577b1f712ce536981d517d0e2885ef5ccdddf86a7919699e0b318
Instruction ID: aaf7d104618ee424fd930fd057818171018089fa9e5e5450219b389a16ae3d4c
Opcode Fuzzy Hash: b8097f5c6a1577b1f712ce536981d517d0e2885ef5ccdddf86a7919699e0b318
Instruction Fuzzy Hash: 45E0657125C744AEDB215B75AC09BE87F21EB11336F048219F6F9540E1C7714640AB10

Function 0092162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00921634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009211D9), ref: 0092163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009211D9), ref: 00921648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009211D9), ref: 0092164F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1fb7f7348dbbcf6b39a9383db51e128da4cb188fb229cfc2533b51d23960b284
Instruction ID: 8901a2affa579f71771f3545711175813e8ac2c1022f668b5383629585d0d593
Opcode Fuzzy Hash: 1fb7f7348dbbcf6b39a9383db51e128da4cb188fb229cfc2533b51d23960b284
Instruction Fuzzy Hash: CBE04FB1616321AFDB201BB2AD0DB4A3B6CAF54B92F144808F245D9080D7348440D750

Function 0091D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0091D858
GetDC.USER32(00000000), ref: 0091D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0091D882
ReleaseDC.USER32(?), ref: 0091D8A3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e875a00999c79e1e5c34c2882f4844678158d164895f41d5ed761ff3d27df92e
Instruction ID: 244dc9b90f783b5d0c89dd9228f36cb5f0ea58d1b1c64822668adf153092d1e1
Opcode Fuzzy Hash: e875a00999c79e1e5c34c2882f4844678158d164895f41d5ed761ff3d27df92e
Instruction Fuzzy Hash: 8BE01AB0815309DFCF419FA1D80CA6DBBB1FB08312F108449E80AE7250CB389A41EF40

Function 0091D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0091D86C
GetDC.USER32(00000000), ref: 0091D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0091D882
ReleaseDC.USER32(?), ref: 0091D8A3

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c7edec8d63dbba76edf23eb43dcb25c6ee7c108fcf725232c1f7be4efba5af07
Instruction ID: 7213489580afe1a6909ed6b74ed523865992eaa65aa715aeff3ef00a0646205c
Opcode Fuzzy Hash: c7edec8d63dbba76edf23eb43dcb25c6ee7c108fcf725232c1f7be4efba5af07
Instruction Fuzzy Hash: F6E01AB0815305DFCF409FA1D80C66DBBB1FB08312B108009E80AE7250CB385A01EF40

Function 00934D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 008C7620: _wcslen.LIBCMT ref: 008C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00934ED4

Strings

*, xrefs: 00934E10
LPT, xrefs: 00934DFB

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 9e293dd423f0e44a910173af90c511ca870709de0cfc7a0f7721b6f6ab7b4cdc
Instruction ID: cab643f8acaf1c7657ac8e93939b442e79f8d165a1c625c88e56747dbcea779f
Opcode Fuzzy Hash: 9e293dd423f0e44a910173af90c511ca870709de0cfc7a0f7721b6f6ab7b4cdc
Instruction Fuzzy Hash: 49911875A002049FCB14DF58C484EAABBF5BF49304F198099E84A9B3A2D735EE85CF91

Function 008EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008EE30D

Strings

pow, xrefs: 008EE2E5, 008EE302

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 9234ec9e2ee8e4eaa3ee4d9728746e42a4ed41c7bb2b5a5fabf8b1cdb6f2b9dc
Instruction ID: b1fbdd184dfcfb132cd3c4f59f185395885795b32726481b3e077af576df9d77
Opcode Fuzzy Hash: 9234ec9e2ee8e4eaa3ee4d9728746e42a4ed41c7bb2b5a5fabf8b1cdb6f2b9dc
Instruction Fuzzy Hash: 5D518961A1C64A96EB117B39CD0137A3BA4FB41B40F30496DF1D5C23EDEB318C91AA46

Function 008DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 008DE1B1

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: bbab301c0722d94452cc56a84c76adf16c060c46f0ab8325068a99729d28faff
Instruction ID: aba91ef062d3d9f07d9c93f9ff48bbef7071f723ac2635fe2df8eb7592e0a0c9
Opcode Fuzzy Hash: bbab301c0722d94452cc56a84c76adf16c060c46f0ab8325068a99729d28faff
Instruction Fuzzy Hash: 17512475A0424ADFEB15EF28C481AFA7BA8FF55320F24415AFC91DB2D0D6349D82CB91

Function 008DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 008DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 008DF2BB

Strings

@, xrefs: 008DF2AF

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f07d4cab410bac3938ba30e37b0a825c928ce417f32c1f3d82ee8ad326d453f4
Instruction ID: 606ba5bc102cd81346bb0657d12100ef8147badd0b35c7195ae1b44743e7ba5c
Opcode Fuzzy Hash: f07d4cab410bac3938ba30e37b0a825c928ce417f32c1f3d82ee8ad326d453f4
Instruction Fuzzy Hash: 8851277241C7449BD320AF18DC86BABBBF8FB84300F81885DF2D981195EB719569CB67

Function 00945745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009457E0
_wcslen.LIBCMT ref: 009457EC

Strings

CALLARGARRAY, xrefs: 009457E6, 009457EB

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 837a826e9e89c784c9f684d9fda329eb48ec01af100a0a757f09ab6dd65110fc
Instruction ID: 1f0b630e098967a31b8d32e87feb2b50d07e557cba61509233219a3ee39db59f
Opcode Fuzzy Hash: 837a826e9e89c784c9f684d9fda329eb48ec01af100a0a757f09ab6dd65110fc
Instruction Fuzzy Hash: 6E41AE71E002099FCB14EFA9C881DAEBBF9FF59324F114169E505A7362EB309D81CB90

Function 0093D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0093D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0093D13A

Strings

|, xrefs: 0093D10B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: e09adb1efa14cf1fc9601ca3227f43cad164d58cd9030ee4cf440067a69e3641
Instruction ID: 3030b379ef11165156cbcf73fb4e4b400728c7302b7310819bdb71a75430f9ff
Opcode Fuzzy Hash: e09adb1efa14cf1fc9601ca3227f43cad164d58cd9030ee4cf440067a69e3641
Instruction Fuzzy Hash: BD313971D01209ABCF15EFE5DC95EEE7FB9FF05300F100029E819A6162E731AA16CB51

Function 0095356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00953621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0095365C

Strings

static, xrefs: 009535BC

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5dcbff822db1585d2ce65b8c2bfaefc04dcfd1e699a26bec986dd0e478f0297a
Instruction ID: 3bb5b872715a2b254202df74d0398c7d5c6e3da673ee742be1b076be19a7081f
Opcode Fuzzy Hash: 5dcbff822db1585d2ce65b8c2bfaefc04dcfd1e699a26bec986dd0e478f0297a
Instruction Fuzzy Hash: 2C319C71110604AEDB10DF29D881FBB73A9FF88765F00961DF8A597280DA30AD86D760

Function 00954537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0095461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00954634

Strings

', xrefs: 0095458E

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 9fff10e3823a787d1ddb7667f0c47059068a7112ff6e0c750265d9b7064588db
Instruction ID: 22a6099cdbdc602f52ef250c6fe7f373770c27a519b6fae289442baaebfe3b1c
Opcode Fuzzy Hash: 9fff10e3823a787d1ddb7667f0c47059068a7112ff6e0c750265d9b7064588db
Instruction Fuzzy Hash: BA312874A0130A9FDB54CF6AC990BDA7BB9FF09305F10406AED04AB341E770A986CF90

Function 009531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0095327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00953287

Strings

Combobox, xrefs: 00953249

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0dada58eb400cac10ec410068466cbb495d671638df5500b7f9f97e990dcf641
Instruction ID: 041b4414861d76d5ae644c2f9666053b837169c5cce7146b7c88c40e9738c012
Opcode Fuzzy Hash: 0dada58eb400cac10ec410068466cbb495d671638df5500b7f9f97e990dcf641
Instruction Fuzzy Hash: 2E11E2713046087FEF21DE96DC80EBB376EEB943A5F108128F928E7290D631DD559760

Function 00953710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 008C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008C604C
Part of subcall function 008C600E: GetStockObject.GDI32(00000011), ref: 008C6060
Part of subcall function 008C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008C606A

GetWindowRect.USER32(00000000,?), ref: 0095377A
GetSysColor.USER32(00000012), ref: 00953794

Strings

static, xrefs: 00953757

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4c895a028e20693829723601d855cd0851e000cba85c738ebb9329c897e42543
Instruction ID: 3c2f5f98e123c04240c15be4d95bd5fbcf5dda31d7a62e553e7f93439190df45
Opcode Fuzzy Hash: 4c895a028e20693829723601d855cd0851e000cba85c738ebb9329c897e42543
Instruction Fuzzy Hash: B91129B2A1020AAFDB00DFA9CC45EEA7BB8FB08355F004915FD55E2250E735E955DB50

Function 0093CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0093CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0093CDA6

Strings

<local>, xrefs: 0093CD66

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 38cf3fece13ebff6f9d3e7e040cc550d490e3ee5e8858fa81323bd83a4c689a1
Instruction ID: 2a9928dadf5d41cdab9f2ac97b8b5d717b48feede8f0beeb4c2762cb29171795
Opcode Fuzzy Hash: 38cf3fece13ebff6f9d3e7e040cc550d490e3ee5e8858fa81323bd83a4c689a1
Instruction Fuzzy Hash: EB11C6F5215A317AD7344B668C45EE7BEACEF127A4F004626B129A71C0D7749840DBF0

Function 00953429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009534BA

Strings

edit, xrefs: 0095348F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 28f196d80f6a4abdfd8df622c255a13960cb23f8fbb3ae85227240be26dd724a
Instruction ID: e7024ebe2c39075234f539074cb462dc4f087b78e66636adb54623df9269e2ef
Opcode Fuzzy Hash: 28f196d80f6a4abdfd8df622c255a13960cb23f8fbb3ae85227240be26dd724a
Instruction Fuzzy Hash: DA11BF71100208AFEB118F66EC40ABB376EEB043B9F508724FD61931E0C731DC99A750

Function 00926C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00926CB6
_wcslen.LIBCMT ref: 00926CC2

Strings

STOP, xrefs: 00926CBC, 00926CC1

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f915e9852bfe590b387a3fc4f8e86a17e47813c8f45c9a916fcd0867b918a2f8
Instruction ID: e92e90f7c80c107fa0fa5c1b9e8e24c46c6ae14a1a8e8612ed55a325ef6edae4
Opcode Fuzzy Hash: f915e9852bfe590b387a3fc4f8e86a17e47813c8f45c9a916fcd0867b918a2f8
Instruction Fuzzy Hash: C9010432A0053A8BCB20AFBDEC809BF37B8FB617147000928E9A2D3598EB31D900C650

Function 00921CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00921D4C

Strings

ComboBox, xrefs: 00921CEB
ListBox, xrefs: 00921D16

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 54675a4258413dbb75ae0038c80472f8b630cba0df03ec96f05b8f60cb1a359f
Instruction ID: 0beeadbc56f124a65f0769ba811c866a3cce09056fb0cf87cdec6e9882878ec7
Opcode Fuzzy Hash: 54675a4258413dbb75ae0038c80472f8b630cba0df03ec96f05b8f60cb1a359f
Instruction Fuzzy Hash: 1701D875601224ABCB08EFA4EC55EFE7778FB66350B040919F872973C5EA34991C8761

Function 00921BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00921C46

Strings

ComboBox, xrefs: 00921BE5
ListBox, xrefs: 00921C10

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cba536945c395a5ecf1559e7ec08bcfd1a960bf96d1029980301c08b5e349cbe
Instruction ID: 3a328164811fa65d57ad1c4f7b663c9fd1fe2b2317b0a3dcb7cc4fc84e8e6935
Opcode Fuzzy Hash: cba536945c395a5ecf1559e7ec08bcfd1a960bf96d1029980301c08b5e349cbe
Instruction Fuzzy Hash: DD01A7756811186BCB04FB94D956EFF77ACEB61340F140029E896B7285EA349F1CC7B2

Function 00921C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00921CC8

Strings

ComboBox, xrefs: 00921C69
ListBox, xrefs: 00921C94

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 897d8baac55c4dcff643dd56843ad18b130326482cbbfc0eea0fc77166dc8c66
Instruction ID: ce8be2879ff212c1c27d9608fa043dd19163de0c093e4e6bceec2a27bfe710d5
Opcode Fuzzy Hash: 897d8baac55c4dcff643dd56843ad18b130326482cbbfc0eea0fc77166dc8c66
Instruction Fuzzy Hash: E501DB7564112467CB04FB94DA15FFE77ACEB21340F140029B881B3285EA34DF18C772

Function 00921D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00921DD3

Strings

ComboBox, xrefs: 00921D75
ListBox, xrefs: 00921DA0

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 373ecad615b4cee79d30f39b2c4e091f68f240fa3bf4b7cf457b777ca4c94d19
Instruction ID: 4a188d682fee5f01a08859027bdc290a61f1dc53cfa10b92c797c064292158be
Opcode Fuzzy Hash: 373ecad615b4cee79d30f39b2c4e091f68f240fa3bf4b7cf457b777ca4c94d19
Instruction Fuzzy Hash: 69F0F471A51228A6CB04FBA8DC56FFE777CFB51340F040929F862A32C5DA749A188261

Function 0094747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00947493
_wcslen.LIBCMT ref: 009474B9

Strings

3, 3, 16, 1, xrefs: 00947483

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 0af1f04dd70847063551a7d34fe4ecfcbd39e1c73ba476fcc765ba3305aabf18
Instruction ID: 1569011ec2d7add59f2010663621efbe7f5178de91103cc5d197e710d98e5b5b
Opcode Fuzzy Hash: 0af1f04dd70847063551a7d34fe4ecfcbd39e1c73ba476fcc765ba3305aabf18
Instruction Fuzzy Hash: 74E0E50220426010923122BAACC1E7F9A8EDECA750710282BF985D227BEB948D9193A2

Function 00920B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00920B23

Strings

AutoIt, xrefs: 00920B17
Error allocating memory., xrefs: 00920B1C

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 2764ee8451e5a2997153454dc1a30dee0573c26848156eb5c0d3bd41ecdc7871
Instruction ID: 190133a1edfa8376e2aec45a949669e397799788d0e81b56ec2ce7088637b10b
Opcode Fuzzy Hash: 2764ee8451e5a2997153454dc1a30dee0573c26848156eb5c0d3bd41ecdc7871
Instruction Fuzzy Hash: 79E0D8712443182ED224369A7C03F897B84DF09F65F10042BFB88D55C38AE2645057AA

Function 008E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008E0D71,?,?,?,008C100A), ref: 008DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,008C100A), ref: 008E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008C100A), ref: 008E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008E0D7F

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: b163a5340cdbd87d3c8c00d33625ccd146e05c7fdc9ef2e32a68cc43b4fdf39a
Instruction ID: f40d996b2d1b02d646dd217731ad3631ed077dc535d770c72852d750e54041eb
Opcode Fuzzy Hash: b163a5340cdbd87d3c8c00d33625ccd146e05c7fdc9ef2e32a68cc43b4fdf39a
Instruction Fuzzy Hash: 1EE039B02007818BD720AFAEE8057467BE0FB04745F004A2DE892C6655DBF0E4889FA2

Function 00933017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0093302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00933044

Strings

aut, xrefs: 00933038

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: df9b76298602465d89bba68d39f4d9990def1a0b24b6d0270c0d9b5ccc53bac7
Instruction ID: cc32d4abd709b3563113c05289fe9835a80a294b76f8b458826ccd9ff7b61310
Opcode Fuzzy Hash: df9b76298602465d89bba68d39f4d9990def1a0b24b6d0270c0d9b5ccc53bac7
Instruction Fuzzy Hash: 52D0A7B25003287BDB30A7A5AC4EFCB3B6CDB04751F4002A1B665E60D5EAF0D984CBD0

Function 0091D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0091D220

Strings

X64, xrefs: 0091D2A8
%.3d, xrefs: 0091D22B

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 07ab59d89469bf2de7fb16df53e34b2a7996e0c2a04223a79df7f122de401ca7
Instruction ID: df23d7d7f52b57aef820b39cc3f29fbd915f78f159a64a9d602d15a4d2bdc5b8
Opcode Fuzzy Hash: 07ab59d89469bf2de7fb16df53e34b2a7996e0c2a04223a79df7f122de401ca7
Instruction Fuzzy Hash: A6D012A190A21CE9CB5096D0DC459F9B37CFB59301F608C53F936D1140D63CD588A762

Function 00952322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0095232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0095233F

Part of subcall function 0092E97B: Sleep.KERNELBASE ref: 0092E9F3

Strings

Shell_TrayWnd, xrefs: 00952325

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 07bb8b1b137c25935b6f4c2c811ea3dcc7c6344729ae52aab51eaac3df8166f4
Instruction ID: 93a82dbfdc37f97c9ec80b9cd078d0eda5db67de81b6aa37e57c89b57b484022
Opcode Fuzzy Hash: 07bb8b1b137c25935b6f4c2c811ea3dcc7c6344729ae52aab51eaac3df8166f4
Instruction Fuzzy Hash: 8AD022B63A8310BBE364B371EC1FFC67A049B40B01F00090A7305AA1D0C8F0A801CB44

Function 00952356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0095236C
PostMessageW.USER32(00000000), ref: 00952373

Part of subcall function 0092E97B: Sleep.KERNELBASE ref: 0092E9F3

Strings

Shell_TrayWnd, xrefs: 00952365

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 57c176d5e7ba6ef7ad0c6de84031b59c3f1e83685d992567f350dfafbb63518c
Instruction ID: 1fa97635ebfe21f9c8a768526598ad014dd80bf92025dfa10e9876a553865f43
Opcode Fuzzy Hash: 57c176d5e7ba6ef7ad0c6de84031b59c3f1e83685d992567f350dfafbb63518c
Instruction Fuzzy Hash: 76D0A9B23993107AE264B371AC0FFC666049B40B01F00090A7201AA1D0C8A0A8018B48

Function 008FBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 008FBE93
GetLastError.KERNEL32 ref: 008FBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008FBEFC

Memory Dump Source

Source File: 00000000.00000002.3270726586.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.3270696802.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270846469.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270900709.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3270922613.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 607abf7a84db4855d7a911dbeb9f84e8361b40117c7b3c968b1f8543f8391dc8
Instruction ID: 45daf6ffbc936d40f1b1522ec84e06e9178ff3b248d820b0efb9401d8c6d21c9
Opcode Fuzzy Hash: 607abf7a84db4855d7a911dbeb9f84e8361b40117c7b3c968b1f8543f8391dc8
Instruction Fuzzy Hash: 5A41C33460420EAFCB218FB9CC44ABA7BA5FF42320F244169FA59D71A1EF308D00DB61

Source: Joe Sandbox View	IP Address: 13.107.246.67 13.107.246.67
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 23.54.161.105 23.54.161.105
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=en-GB&country=CH&edgeid=-3354676388932911196&ACHANNEL=4&ABUILD=117.0.5938.132&poptin=0&devosver=10.0.19045.2006&clr=esdk&UITHEME=light&EPCON=0&AMAJOR=117&AMINOR=0&ABLD=5938&APATCH=132 HTTP/1.1Host: arc.msn.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveContent-Length: 938Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=en-GB&country=CH&edgeid=-3354676388932911196&ACHANNEL=4&ABUILD=117.0.5938.132&poptin=0&devosver=10.0.19045.2006&clr=esdk&UITHEME=light&EPCON=0&AMAJOR=117&AMINOR=0&ABLD=5938&APATCH=132 HTTP/1.1Host: arc.msn.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=OTnC7wC6xbEs4vV&MD=ayeo8n2E HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=OTnC7wC6xbEs4vV&MD=ayeo8n2E HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 20.96.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.80.99
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\0d16eacb-a6c6-42e9-8e2e-6d7c64f8e972.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\16b15956-486a-4f24-a986-1aad6ac13a11.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\301f0f04-1448-4445-b0c9-e7239fb90a05.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\3397d546-6aa4-4a80-803a-7046983e2934.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\423315f3-586b-4f7b-acf4-09d59a3de992.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\831fd321-0bfd-4d69-9daf-4909a7820883.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\9f5ab39f-0ba2-4158-8aa0-3394a8b4e068.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\db4ea3ad-184b-4f57-92f8-17dac850b0c2.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CE467B-1084.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CE467B-1788.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\0cdb8624-f31d-4456-9aac-ac1421d7a32e.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\57867539-7f33-4a34-8921-87470ea51ba2.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\7460913b-ef39-4495-b818-e3c7458e9b0f.tmp

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre