Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1500390
MD5:	c3ac879f55d769f91be14ebfcf568f4a
SHA1:	9232232646d0ed1b0c92034463e8835728735182
SHA256:	10acf950ae7a3d5a17e14d54cf12ed0472f6ccee7444f86529429fcfdfd34a41
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

file.exe (PID: 6948 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C3AC879F55D769F91BE14EBFCF568F4A)

msedge.exe (PID: 5464 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7216 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1952,i,11849779078856253836,7449960238563698719,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7260 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7608 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8628 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4040 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8636 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6912 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9024 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7272 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2936 --field-trial-handle=2364,i,6176290936601016668,17070727847601013962,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6680 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2896 --field-trial-handle=2364,i,6176290936601016668,17070727847601013962,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9320 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9536 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=2080,i,8600420615512392636,11898406338169848450,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9624 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3596 --field-trial-handle=2080,i,8600420615512392636,11898406338169848450,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: protocols.json.5.dr	String found in binary or memory: https://.onedrive.com
Source: protocols.json.5.dr	String found in binary or memory: https://.onedrive.live.com
Source: file.exe, 00000000.00000002.3319274764.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3319274764.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_10.6.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_10.6.dr	String found in binary or memory: https://azureedge.net
Source: Reporting and NEL.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: data_10.6.dr	String found in binary or memory: https://msn.com
Source: protocols.json.5.dr	String found in binary or memory: https://sharepoint.com
Source: Web Data.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50935
Source: unknown	Network traffic detected: HTTP traffic on port 62108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50936
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 62107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62107
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62105

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:50935 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001EED6A

Source: C:\Users\user\Desktop\file.exe

0_2_001EEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001DAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00209576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00209576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2068786737.0000000000232000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9aaeaf9e-a
Source: file.exe, 00000000.00000000.2068786737.0000000000232000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_6f1c664e-d
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_97e73abe-e
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c5d6d141-8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001DD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001DE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E2046	0_2_001E2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00178060	0_2_00178060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D8298	0_2_001D8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001AE4FF	0_2_001AE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A676B	0_2_001A676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00204873	0_2_00204873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019CAA0	0_2_0019CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017CAF0	0_2_0017CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018CC39	0_2_0018CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A6DD9	0_2_001A6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018B119	0_2_0018B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001791C0	0_2_001791C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00191394	0_2_00191394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00191706	0_2_00191706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019781B	0_2_0019781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00177920	0_2_00177920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018997D	0_2_0018997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001919B0	0_2_001919B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00197A4A	0_2_00197A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00191C77	0_2_00191C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00197CA7	0_2_00197CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001FBE44	0_2_001FBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A9EEE	0_2_001A9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00191F32	0_2_00191F32
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017BF40	0_2_0017BF40

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00179CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00190A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0018F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.evad.winEXE@73/320@12/11

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E37B5 GetLastError,FormatMessageW,

0_2_001E37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D10BF AdjustTokenPrivileges,CloseHandle,		0_2_001D10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001D16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001E51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001FA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001FA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001E648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001742A2

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\500bd79c-9910-495b-8ec5-ee5b809ed55f.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

Virustotal: Detection: 17%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1952,i,11849779078856253836,7449960238563698719,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4040 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6912 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2936 --field-trial-handle=2364,i,6176290936601016668,17070727847601013962,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2896 --field-trial-handle=2364,i,6176290936601016668,17070727847601013962,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=2080,i,8600420615512392636,11898406338169848450,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3596 --field-trial-handle=2080,i,8600420615512392636,11898406338169848450,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1952,i,11849779078856253836,7449960238563698719,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4040 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6912 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2936 --field-trial-handle=2364,i,6176290936601016668,17070727847601013962,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2896 --field-trial-handle=2364,i,6176290936601016668,17070727847601013962,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=2080,i,8600420615512392636,11898406338169848450,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3596 --field-trial-handle=2080,i,8600420615512392636,11898406338169848450,262144 /prefetch:8

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00190A76 push ecx; ret

0_2_00190A89

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0018F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00201C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00201C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97154

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6544

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.9 %

Source: C:\Users\user\Desktop\file.exe TID: 5756

Thread sleep time: -65440s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6544 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001DDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001AC2A2 FindFirstFileExW,	0_2_001AC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E68EE FindFirstFileW,FindClose,	0_2_001E68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001E698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001DD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001DD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001E9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001E979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001E9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001E5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001742DE

Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Web Data.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.12.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Web Data.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Web Data.12.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-96505

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EEAA2 BlockInput,

0_2_001EEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001A2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00194CE8 mov eax, dword ptr fs:[00000030h]

0_2_00194CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001D0B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001A2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0019083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001909D5 SetUnhandledExceptionFilter,	0_2_001909D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00190C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00190C21

Source: C:\Users\user\Desktop\file.exe

0_2_001D1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001B2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0018F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_0018F98E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001F22DA

Source: C:\Users\user\Desktop\file.exe

0_2_001D0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001D1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00190698 cpuid

0_2_00190698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001E8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CD27A GetUserNameW,

0_2_001CD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001AB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_001AB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001742DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001F1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001F1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	17%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
s-part-0032.t-0009.t-msedge.net	0%	Virustotal	Browse
bzib.nelreports.net	0%	Virustotal	Browse
chrome.cloudflare-dns.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://bzib.nelreports.net/api/report?cat=bingbusiness	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://msn.com	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://.onedrive.live.com	0%	Avira URL Cloud	safe
https://.onedrive.com	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.office.com/Office	0%	Avira URL Cloud	safe
https://sharepoint.com	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://www.office.com/	0%	Virustotal		Browse
https://.onedrive.com	0%	Virustotal		Browse
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
https://.onedrive.live.com	1%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://sharepoint.com	0%	Virustotal		Browse
https://www.office.com/Office	0%	Virustotal		Browse
https://msn.com	0%	Virustotal		Browse
https://www.google.com/favicon.ico	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	0%, Virustotal, Browse	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	0%, Virustotal, Browse	unknown
bzib.nelreports.net	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bzib.nelreports.net/api/report?cat=bingbusiness	false	URL Reputation: safe	unknown
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Top Sites.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://msn.com	data_10.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://.onedrive.live.com	protocols.json.5.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://.onedrive.com	protocols.json.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.office.com/Office	Top Sites.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://sharepoint.com	protocols.json.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.179.84	unknown	United States	15169	GOOGLEUS	false
142.251.40.206	unknown	United States	15169	GOOGLEUS	false
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.81.228	unknown	United States	15169	GOOGLEUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
23.54.161.105	unknown	United States	20940	AKAMAI-ASN1EU	false
142.251.40.110	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.16
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500390
Start date and time:	2024-08-28 11:50:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@73/320@12/11
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 42 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 142.251.168.84, 13.107.21.239, 204.79.197.239, 13.107.6.158, 2.19.126.145, 2.19.126.152, 142.250.186.67, 142.250.185.163, 2.23.209.157, 2.23.209.162, 2.23.209.158, 2.23.209.161, 2.23.209.163, 2.23.209.156, 2.23.209.169, 2.23.209.160, 2.23.209.166, 20.223.35.26, 199.232.210.172, 192.229.221.95, 72.21.81.200, 93.184.221.240, 142.250.80.35, 142.251.40.163, 142.251.40.99, 142.250.80.99
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, arc.msn.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, arc.trafficmanager.net, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, accounts.google.com, bzib.nelreports.net.akamaized.net, fonts.gstatic.com, ctldl.windowsupdate.com, b-0005.b-msedge.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, edgeassetservice.azureedge.net, azureedge-t-prod.trafficmanager.net, business.bing.com, iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com, dual-a-0036.a-msedge.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:51:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
11:51:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	file.exe	Get hash	malicious	Unknown	Browse
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
23.54.161.105	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	RmwvP67C7X.exe	Get hash	malicious	Amadey, Babadeda, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Babadeda	Browse
	file.exe	Get hash	malicious	Babadeda	Browse
239.255.255.250	CXWk52EmUt.exe	Get hash	malicious	Unknown	Browse
	Remittance_Details_#20O8N7B.html	Get hash	malicious	HTMLPhisher	Browse
	https://s3.amazonaws.com/i0a07640/3/reschedule8.htm	Get hash	malicious	Unknown	Browse
	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse
	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse
	https://en.aiacademy.tw	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://dropbox-files-online.tiiny.site/?token=69090208-80b8-4346-ad00-dfe054582d02=&ci=example@domain.com	Get hash	malicious	HTMLPhisher	Browse
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse
13.107.246.60	https://protect-us.mimecast.com/s/wFHoCqxrAnt7V914iZaD1v	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
13.107.246.60	http://wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5	Get hash	malicious	Unknown	Browse	wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
s-part-0032.t-0009.t-msedge.net	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	CXWk52EmUt.exe	Get hash	malicious	Unknown	Browse	104.22.44.142
	Remittance_Details_#20O8N7B.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	Rebina.exe	Get hash	malicious	LummaC	Browse	104.21.66.182
	setup.exe	Get hash	malicious	LummaC	Browse	104.21.42.119
	Payment Details.exe	Get hash	malicious	FormBook	Browse	104.21.72.245
	https://en.aiacademy.tw	Get hash	malicious	Unknown	Browse	104.17.24.14
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse	172.67.153.202
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	104.18.36.155
AKAMAI-ASN1EU	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.42
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse	23.59.250.25
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.54.161.97
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.9
	file.exe	Get hash	malicious	Unknown	Browse	23.54.161.105
	https://newbostondentalcare-my.sharepoint.com/:b:/g/personal/maryellen_newbostondental_com/ERDvxS5UJSxPtXyWuklCyAMBDYWal6mJXrTJHUf_OfHqfg?e=5l0sTu	Get hash	malicious	Phisher	Browse	23.54.139.47
	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.38
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.197.127.21
MICROSOFT-CORP-MSN-AS-BLOCKUS	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	150.171.27.10
	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	13.107.246.57
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.67
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://iv1tm.ykrbkt.ru/iV1TM/#hans.wurst@us.com	Get hash	malicious	HTMLPhisher	Browse	204.79.197.203
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	https://my-apps-885d2a67.azurewebsites.net	Get hash	malicious	HTMLPhisher	Browse	40.112.243.105
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.64

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	CXWk52EmUt.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://wpspublish.com	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://pub-10050726d25949d8bd6cb438a8b6b09c.r2.dev/home.html	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	http://get-verified-free-badge.vercel.app/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://onoff.vn/blog/wp-content/builds/app/smserror2.php	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://rondgeusbe-f69b39.ingress-erytho.ewp.live/wp-content/plugins/esidem/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://office.microsoftoniline.com/common/oauth2/v2.0/authorize/?clinet_id=2e5d6a57-eb8c-44bf3-8bd3-fc61824af882	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://urlz.fr/rRBY	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://appeal-right.netlify.app/	Get hash	malicious	Unknown	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	CXWk52EmUt.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	Remittance_Details_#20O8N7B.html	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	https://s3.amazonaws.com/i0a07640/3/reschedule8.htm	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	SharkHCShark.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	13.85.23.86 184.28.90.27
	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	https://en.aiacademy.tw	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27
	https://dropbox-files-online.tiiny.site/?token=69090208-80b8-4346-ad00-dfe054582d02=&ci=example@domain.com	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2957
Entropy (8bit):	5.584891495082806
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afQLY6acy4fTnKrp55kHB+S5drxgvBJ68R3YnaJkXCcmwlRWq:Xq8NkC1fQ06xhfTKrp5ABtz6vbH3YaJG
MD5:	380BC6243505CD4136857B38738A4E39
SHA1:	20A3A77313C923040B8CC21997C1CABC56809C18
SHA-256:	3606698F47843C594904EF256049DBFE2969453941639700C48E7A3FF5FA9A86
SHA-512:	7172B937AFC19FB64B5120071B7D7EB98ADC615BE79AF7EC0F83DEF74F845FD3CE34693610F8405E7908EF3542DFFCA7F68A389E93813CA1488077345BDDEAC7
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"policy":{"last_statistics_update":"13369312261140398"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\129618f1-61e7-4148-a0df-41719c74ce70.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	69576
Entropy (8bit):	6.072300095706978
Encrypted:	false
SSDEEP:	1536:LMSzvKYqsts7ZFx5KtjkeRGeGfyIsOVX/BQBzRU/K0tO:LMS2dKsdNOjZRjGfdsY/BQBzRU/K/
MD5:	591DD7A80A8DA1BF1C8D1ED0F9CBAE5A
SHA1:	094D0E8493457D908757CF291689943FDEC1806D
SHA-256:	689C99220209922BF307B88F9EF22CCAA0EC0789D7F1AA6D75768D832B8CC1FC
SHA-512:	D123606BEFCB1AAE356C1CE7013B49F2C963FE5622631850676DE9FB663B70FB3F9F9528E8941CC6EB86FB2C4F7E3344E92C5D5BB07A2C9C411413A2904104AA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\1faec218-0ebf-4651-9b9b-55a613986089.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	29192
Entropy (8bit):	6.0627526959516045
Encrypted:	false
SSDEEP:	768:LM7X2zt1jKYqHkZeMcKNFL7a8NQBzb9nU/KdfstO:LMSzvKYqstJ7PQBzRU/O0tO
MD5:	5386CDA6E4648AE38E2CA656BC39B83D
SHA1:	38E915544101E70A5CB209747F9FC2BDFE04C05D
SHA-256:	6AEC50A8016E94FBB585BFDF4373422790B4D5AAE240A7A074A803C5F9A00D4F
SHA-512:	69E33C9DE4A0BCFDFD26857274AC2292AC024D4FE046B394C6046E619D17EFA9EF51877FAB213D48A16ECD966CD9F00F97A9E1D62EBD85454A5B60B848A44DB3
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\5e195fbc-e770-4a3e-b564-965795c1cc88.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	69704
Entropy (8bit):	6.072780989646445
Encrypted:	false
SSDEEP:	1536:LMSzvKYqst/7ZFx5KtjkeRGeGfyIsOVX/BQBzRU/K0tO:LMS2dK/dNOjZRjGfdsY/BQBzRU/K/
MD5:	B4B2288097D056817A94175A5A9E5AA2
SHA1:	F02D3C93DF1696486CB5676C7F72179E7FFE8D47
SHA-256:	720151536A4942241C017B859F1A4D72161643F3B850BA6D08A1F28F0DFF4F3F
SHA-512:	3657045A453658E8E803386B2235BD980C30CFF372D95450849D2BD4F05DA8EBF6AC9A757D01BE789AF704767A8114839EE4B5172614C551106684492731B344
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\7e8b4564-6ad0-433a-b11b-9b81061981ed.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3334
Entropy (8bit):	5.6078824108350975
Encrypted:	false
SSDEEP:	96:0q8NkC1fQ06xhfTKrp5+3Btz6vbwWYFJkycJSDS4S4SDShI4a:/8Nb56xIe5Wgky0
MD5:	FC1C3B2D1DFFC0CE0A1E8B3C9920ED35
SHA1:	87CB472BAAD15D8348C661B3A6BF9D51B95E1A96
SHA-256:	150ECAAAA59BF99C15F6EC576F149D5F0104C0D058A18A1CF078971254011A0F
SHA-512:	E03B84C6A61E4EE5BC820F6BF0825DAA3EF047746EDB90436916E65EA83749806F6F66AB7A1F8EC6A07A504717BD3A5CC4782025EB212E60F5627D124430A850
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"policy":{"last_statist

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\850d6b3a-ebd4-4ce7-a792-fffac87e1160.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4234
Entropy (8bit):	5.495760330892057
Encrypted:	false
SSDEEP:	96:0q8NkGS1fQ06xhfTKrp58rh/cI9URoDotofFRBtz6vbwWYFJkycJSDS4S4SDShI7:/8NBS56xIueoDUq5Wgky0
MD5:	DA792DEF6D73545E0D56AFCB949D3264
SHA1:	FCBF40A83CF95BE10795DB86631D4D2C096D4BE4
SHA-256:	01DF144CF444B0B433E2E9B1DE7FC90BA4F65D05AD4A63E8ECEE8A239224676C
SHA-512:	35208B15BF343CF9C01919931A0153E798A793D1A24E8244E7B06F07010E509CE375190C92F363680986D3C5515C53B5EDEB7FD83D7792E995F482CC80F12009
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\979bd243-a712-42a3-a2af-0f2e2fe8b222.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20986
Entropy (8bit):	6.0663816959951165
Encrypted:	false
SSDEEP:	384:RtM7XKnG7EtlXrjYJUoLUJqHsdZsJHaV8NBSKI0yKXLyZ/NbNdUWkuBstWBkcz:LM7X2zt1jKYqHkZeMXKXLyddfstO
MD5:	4E8D7409386B61E2D9F49BA633F730A3
SHA1:	174264F386A9070CFA39B3ACB98536704E32C589
SHA-256:	4FE2B5E0AA8E21CCBDEBBF7670804A4796D386FD272BCBE9F8BD3AFD4CFCE47F
SHA-512:	CE069F23013E2D1A52C91A631727B25FE5F79A30B65546F66D61867A116D123F688D4F48F7C86DF5665188A1DE5B56DB157D12287A40D424EC3CD13E1C10650F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\b130fc92-2212-4491-80d2-e8e26f305032.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640169812365318
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7g:fwUQC5VwBIiElEd2K57P7g
MD5:	D317A1069717AF45FC861714DD0A22C5
SHA1:	35541055A1413A913A3367FBEC466E4B7ABC21A6
SHA-256:	5575BEA8664FF1D946BDF20A229510DB85D24B8722CBFBD0DC77583D93900EF3
SHA-512:	ABDDB701867F9D4322511ED7E2DC8EF0596C11CE6573F0CF1469C527B27CD13BADCA877E53050200FFAF4CC0269CDAA1AF4B885A1BE30364C44026DBD89667F3
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640169812365318
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7g:fwUQC5VwBIiElEd2K57P7g
MD5:	D317A1069717AF45FC861714DD0A22C5
SHA1:	35541055A1413A913A3367FBEC466E4B7ABC21A6
SHA-256:	5575BEA8664FF1D946BDF20A229510DB85D24B8722CBFBD0DC77583D93900EF3
SHA-512:	ABDDB701867F9D4322511ED7E2DC8EF0596C11CE6573F0CF1469C527B27CD13BADCA877E53050200FFAF4CC0269CDAA1AF4B885A1BE30364C44026DBD89667F3
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CEF304-1558.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.04049371531772917
Encrypted:	false
SSDEEP:	192:btGUjLYiVWK+ggCdlk5JtD+FX9X4XokgV8vYhXxNEq4bcRQMYuSBn8y08Tcm2RGY:sUjjlw5qaMnhBCQbSB08T2RGOD
MD5:	374F956C623BA36711BF3A35CDD34622
SHA1:	039788684FDC1BA6042765E9D377A2EB778EE6DD
SHA-256:	B7908CA90C8628B4083A0FACC780A12769BF776452A3C9F61D12D9A57543F7A1
SHA-512:	0078E608ED0F17032010ED262505DC74CA31BADB72230AAA856A8BB939D5B35D00FF6B32B6EDB8ADD041B646853E03A8C3E06C3FD374B9A4A17FE9DAD47E3632
Malicious:	false
Preview:	...@..@...@.....C.].....@................a...P..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".pdrhwe20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@.............$.....................$}.CG....L.T.w..Ucw.}....u.$r....9...>.........."....."...2..."..:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z..... .H@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z.......................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CEF305-1C5C.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.4515169032118016
Encrypted:	false
SSDEEP:	3072:/culsiE3qQ4tThM9pQJ4+3QdDiUf4qXRUIShDg1HFsBJiuKZJA/VqYIqa1RzPf/e:IihgzShDaHOYAazjaH6AZJbM43
MD5:	34F0210A23A570C12AA0111EB2E5D1C2
SHA1:	0DF74DB1C0A65DD2F92C11F123EF4F17A84726D9
SHA-256:	F126DD53D91FF6D0E21EF516F563D919EE3B995F626DDBEFF152CD7F25E17742
SHA-512:	F33DF68D6B3E7E8CE1E2D37D24935AA09109BE32F8B46484332C76946E29A351A3F600713132E7CE06E0DEE21176955A139D20EC66923577E12DBADD35639E55
Malicious:	false
Preview:	...@..@...@.....C.].....@...............x,..................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30....\|.........117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452....x86_64..?........".pdrhwe20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J....s..^o..J...W..^o..J..,jp..^o..J.......^o..J../T...^o..J...X.p.^o..J.....p.^o..J...c...^o..J...Y...^o..J.......^o..J..w....^o..J...G.Y.^o..J..A....^o..J....c..^o..J...c=..^o..J....J..^o..J...h8..^o..J..3.(..^o..J.......^o..J..!n...^o..J...S@".^o..J.......^o..J.......^o..J...j.8.^o..J..@....^o..J.......^o..J...b.J.^o..J..G....^o..J..8...^o..J...#...^o..J....k..^o..J..S..O.^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.154300452362144
Encrypted:	false
SSDEEP:	3:FiWWltlnIQFPm4HSRqOFhJXI2EyBl+BVP/Sh/JzvSJU6yyB/sltl:o1ntFe4yRqsx+BVsJDS7slX
MD5:	825EC5EC4B4A7BAF00499146E02512C4
SHA1:	3B6DEEADFA45B57F8BE189904E919CD55C3AF9FB
SHA-256:	9D5E284811C6C2DA8F2A10529563368A97A5F593732973A37C15F3C2BEB81005
SHA-512:	5D9B9C258A85944411193FDFE5FD9BDA7F0E400AE0BD98E1B35498C7C6119E7434265F3D86CBBA9714CD4BEE1D31E8791E92227ACFD80710F8AC743FAE175A1D
Malicious:	false
Preview:	sdPC....................}_...+.C.!UW.F.."1SCRpGKHAwpF5kOwXUUSc/ojBrTkNG2SgkvqW1WE7kI="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................ba31f831-5ea5-4283-9b9e-06ba99cc1fdf............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\1ed43701-8a60-45d1-8457-6b5fb10faa26.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.97158656978404
Encrypted:	false
SSDEEP:	96:st3+XqfHuzis1gb90Gu8pN8zBQCs85eh6Cb7/x+6MhmuecmAenueQ7MYn2Mi/EJ:st6EsO/pNkfs88bV+FiADPiMJ
MD5:	E63AE1BB0F8DF989C30C1457FCFB3BB4
SHA1:	E8052DF1CA230DC6C88B2D5D90FA552AC70767D9
SHA-256:	1462CA9FAED0B96960EA97874ED9F957C866086EC73B2F83A241C2DF63F306A3
SHA-512:	F1B9315A81B3B17D1ADD60C7669EEE2F23753D4C4FBD133D4E925114C11CCA6C83F79870E6F1B0CBF432CBB4474C2F5FD72D6421937D0201B88B8092D925A05E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369312262857211","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369312263488304"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\546f0035-47c1-43e9-a3d2-1257c9a99ba8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\6e8b79c9-5196-40a7-b873-16ec8458ea2f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24800
Entropy (8bit):	5.5656302414440635
Encrypted:	false
SSDEEP:	768:Ltl0gTWPfPfyg8F1+UoAYDCx9Tuqh0VfUC9xbog/OV5USrqrwttpGtu3:Ltl0gTWPfPfygu1jaERrPt6t0
MD5:	1102CCE5803A407FBDDBE1CD5DF88A4D
SHA1:	BEDDC76A22180005B77F304818DF02FEA1FF8E3D
SHA-256:	62617FEDE63CB553893123942CDAB3FF30751F292C2D258DEA9CB0BA3ECB1A4F
SHA-512:	CB3193C4942F3646ED33B3232389DCF3A558272239AF4B8B8924291694F33C70188532C2FB31FB08CBD867435CD8A7A96009D536D8EB3498F24E3C077C6B218A
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369312261789502","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369312261789502","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	12600
Entropy (8bit):	5.320726451125218
Encrypted:	false
SSDEEP:	192:iiAOEH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNdl:iFOEOKSXs/J7mGnQmLu5/5eNdl
MD5:	F70D7983CBDF6F3B3BBD58540E293853
SHA1:	5BC69B132D5F20B7A9AAB39CDA2C09FE210F78F3
SHA-256:	EDEF8F1E90CA156AEA82038586456450EC64FBAC0A1B7E5E12EDB9B1AA4C30D8
SHA-512:	201E05B0D7A1F8271767CA7A92846BC62C5C39B0CD462FE171A5575751F23B8C1B19C13FB3194EB3A59CF6DD256F289DCB72ED83F5FA3FB0519BC5C529CF4550
Malicious:	false
Preview:	...m.................DB_VERSION.1..uZ.................QUERY_TIMESTAMP:arbitration_priority_list4...13369312268173683.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}]..A./..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivilegedExperienceID",.. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",.. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",.. "SHOPPING_AUTO_SHOW_BING_SEARCH",.. "SHOPPING_AUTO_SHOW_REBATES",.. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",.. "SHOPPING_AUTO_SHOW_REBATES_DEACTIVATED",.. "SHOPPING_AUTO_SHOW_REBATES_BING",.. "SHOPPING_AUTO_SHOW_REBATES_ORGANIC",.. "SHOPPING_AUTO_SHOW_PRICE_HIST

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.128251242631933
Encrypted:	false
SSDEEP:	6:NAnY2oM1923oH+TcwtOEh1ZB2KLlLAwIq2P923oH+TcwtOEh1tIFUv:NeohYebOEh1ZFL1fIv4YebOEh16FUv
MD5:	839B672A8DDF6DE08D9990D914447329
SHA1:	E617BC7D2BA9BFE3F7B189DFBAFB53A6068C382A
SHA-256:	321AFA0407920DF6C2D469440BA2E1CE913C8BF9D48C2261CCCE5B800FEEA364
SHA-512:	04308D2557C60B21E388436D01758F32237B75D9D93D7F2364C50E21AFF58A32428E395E19402D995C691767AFC8D88170A3C06BD95AD82DC3A6A5F3C094C0EC
Malicious:	false
Preview:	2024/08/28-05:51:07.061 21d4 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db since it was missing..2024/08/28-05:51:07.129 21d4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.04378691516207644
Encrypted:	false
SSDEEP:	6:/Fii2BJuTPM/lSH69RSRn4Dn2zgllQm9H/lO:dWJu7ESuRSRn47mg/TNO
MD5:	2B044C29326BE783A1AE8138BD8ADFCF
SHA1:	73408CEA906894ABE040A29CF0762D175F25843D
SHA-256:	ECCAD6C865E639B58B76544999A09E9B8232A34BAC62186007ED845413D6B86D
SHA-512:	87A8FFFAD7C9EB7FBD0671351931B674A9010FF637BF8CED7CABFE748E9ADFADECF4B484483A4A6B79FE1C2771C34D75738DE8A39DF9A3A325C9A7FB21AA33C6
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.09574734214342934
Encrypted:	false
SSDEEP:	48:NlV4A3eslV4Xes3NUeYAP2T3lWp4iFEy:3V4A33lV4X33NLYAA3L6Ey
MD5:	377BA1C36A0D8AE2CD3F6E5DDFFD6353
SHA1:	B5D0222FBF40E77BB533D2BDC8428E83B5787DFE
SHA-256:	75B79F67076B1A32ACF982DB9BEEF3E4C580E6B73F78DD5792FB2FE62EED7A1F
SHA-512:	78B95CE90E2EFB7E8471A9899E4923E11D0CA2AEA8FC07577D0F946819944698C26D2CA57DADA654283DA71A2527AA419517450644DB6056D6197A529E366D2B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.2833895009150242
Encrypted:	false
SSDEEP:	192:V/FT8wLJZbtMXf/2T8wLJZbtMXz/BA90JZbtM4D7Z/3OLbJZbtMynUoD/0/qJZb9:jgSJtMGgSJtMW9AJtbXKJtpy6Jtb
MD5:	2A95876A02110E9627BA7A1951DA8CAE
SHA1:	EADC45A0A66E5F61DED7CD9C13F7752F8BA77D4A
SHA-256:	F5894163ACBBC3A4A2D98E95B999BC557101BC7145383B1285234BCE4F904A3C
SHA-512:	E7999B48FECB151FDBF1E395A50D4A27D8DF5EA2D3D54947E87BD46B8C3D19ECC1843FDA2E88C5C1638259454BAFD2F7B4C5B952A509B396A54BD690BC1D2DB2
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Fri Aug 2 18:10:34 2024, max compression, original size modulo 2^32 374872
Category:	dropped
Size (bytes):	70207
Entropy (8bit):	7.995911906073242
Encrypted:	true
SSDEEP:	1536:VzseWV/dT2G9zm5w0vgxQUFm6SM6ZYRuB61K+aK+POIwPru:VoNQGIwvs6S9+I6RWPOIwTu
MD5:	9F5A7E038BF08B13BD15338EC7BD4E16
SHA1:	AB69D28EEA9AE289BB86159C341910538CDDE5B9
SHA-256:	BA0BCBBF170ADB0B5119D19D56C2D004579507DFC4A9215BCCC8663C8A486AF8
SHA-512:	48557ECD56DFD2157304FE752E15E44314667EFC79E6C21312723251E4E1F1BF5BE0A76F88F4B4D83FADB9D81BFB1835B1C0E5CFA7B07214A605F58064BB94B1
Malicious:	false
Preview:	.....!.f..asset.....6.0.W..3....[........9m;.....IH.E...j...}.....PR..w.gg.....@.P...?...x....?./.%..Q...x....}..9..e..f.8..Yb@g...i..$...I.......<....k...{..{.Qg..k..q.....i.Y}..._......\?....5 .5 .`..._i'@....H'.f!...x`...f......v.._1w.u.<.........5.:..^.Ua....H6...x....D:.R..L..2.,.s.f.......FE'..%{]-;+.`....N...=\|.:q...9N.k..i.I.8E.i.I.s..Y...8..fe'...Xo...Xo...#.r$N.u2.o.]....^,.k....{E."......Q.N...AY..u.^o.............Z..ce.irN.{.O$.C.......HJ.HJ..J..hOgA.5.nW.\........}E.%-.A."a<..~.[O....~.......xX.G?Y.3O8d8I...&X....V4...0=.iS....].D.L@.YiS...<.W..W+..#mj...p..8^.\U;oV;W`..^..V...G..SC.9.....i%@g.iS=..`..#.H.p.q..E.q...)....).X..M.X.%.,i.%..V..6.nk.@1S@-..Y.6....K.n....:c.My.....h...9..q...f't.iS.v..6D7...d't.iS.v..F.....faG.t.f....lR.J@!l.0O..T.....T2...\.n..-....L..ES.9.:...B..P1@...P.l.fX.aV..Y6.B5......Mt..SS,l..+..J...).i.6......8...:.Z...2.H.8..Z.>.5.Oi..N`:..6.i.n.h.l.e.h.T\.lr...TE+m.T..).D..F..+.6....J...x.`..`.m..H..i....p...v

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:Lsulx/xj:Lsmxj
MD5:	A9FD6637D4C373B652457E195D733C85
SHA1:	EA61D8280D22B80DC0A6788BE2806BEBB9FAA674
SHA-256:	E67AC44FEBE346A7503F91CE4E6CF7098557DCD9BC15AE2DB4DD25ECFC5B88BE
SHA-512:	F9BD1989A5F78BB0B9D88D5C9367618CF9EA34B7CA47E8C4096B801D371EA5055672E3EBFEA0BB2B5334CBCAECFC2413F0418E58D74886AEFCA670E157365FEB
Malicious:	false
Preview:	..........................................Z.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9555576533947305
Encrypted:	false
SSDEEP:	3:LFK0X00Eqb+:xK0Xgd
MD5:	D76DF635B216CD616CAD9A0DD7521CAE
SHA1:	A15F1ABFF2DCAAB34B689AABD0E6B1876A7668ED
SHA-256:	2E729D60837A7E91DB801A3AC1888FCE44696C81F912D7497E71936D7001542E
SHA-512:	2DCB26949F4921F9BB292317B36D0CBB00516C6EA6C45805B634D0D8FD5BE720D3CA78358CA5B317BD0FCB43276B9FDA13673C1214DE488D687DBAD2D07B24AA
Malicious:	false
Preview:	(...Vod.oy retne.........................jD.Q./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9555576533947305
Encrypted:	false
SSDEEP:	3:LFK0X00Eqb+:xK0Xgd
MD5:	D76DF635B216CD616CAD9A0DD7521CAE
SHA1:	A15F1ABFF2DCAAB34B689AABD0E6B1876A7668ED
SHA-256:	2E729D60837A7E91DB801A3AC1888FCE44696C81F912D7497E71936D7001542E
SHA-512:	2DCB26949F4921F9BB292317B36D0CBB00516C6EA6C45805B634D0D8FD5BE720D3CA78358CA5B317BD0FCB43276B9FDA13673C1214DE488D687DBAD2D07B24AA
Malicious:	false
Preview:	(...Vod.oy retne.........................jD.Q./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:rHNTEOH0Cn:hgo0Cn
MD5:	4A60023242CC32A5493220BEB4C94CF8
SHA1:	98CDA74104C58144716F702B09ABBA1F1304E784
SHA-256:	D3735A32996E5263BC3EBD4EA9C8F12A2CBE01B63862E957D9D7726117F531FE
SHA-512:	B5A28A9483C4F966A4EFFA60944D38660D37BFA54EDA014E5FCEF9BEE24969649DACFBC0A4F7161FAA9E46C4D61751A212060BB13E9433E91F2C1EC93E0722CF
Malicious:	false
Preview:	(...v.FPoy retne........................."E.Q./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:rHNTEOH0Cn:hgo0Cn
MD5:	4A60023242CC32A5493220BEB4C94CF8
SHA1:	98CDA74104C58144716F702B09ABBA1F1304E784
SHA-256:	D3735A32996E5263BC3EBD4EA9C8F12A2CBE01B63862E957D9D7726117F531FE
SHA-512:	B5A28A9483C4F966A4EFFA60944D38660D37BFA54EDA014E5FCEF9BEE24969649DACFBC0A4F7161FAA9E46C4D61751A212060BB13E9433E91F2C1EC93E0722CF
Malicious:	false
Preview:	(...v.FPoy retne........................."E.Q./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlC2l:Ls3x
MD5:	28596F9412A316F5722EC71015E2B39A
SHA1:	C39747A82877620FCA07E24CA790261253388C94
SHA-256:	F387CF677FB7812DD791BE54998274C14FD51A560D898C181B7948C86F5035F1
SHA-512:	5D05467D42C3004F4AB20B3D5C5C7B0EBD3C79DCADC27837CC2560FD99A3850183B004FD269A4C92E9B43ECAC65CF8E19BABA8F8720FD25CD6366526F81C4D83
Malicious:	false
Preview:	.........................................9`.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	375520
Entropy (8bit):	5.354155530061664
Encrypted:	false
SSDEEP:	6144:+A/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:+FdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	53D3F9821851C7F2C2B05676E0012653
SHA1:	9412759D0A527C7214AFA81C5879676C3042059E
SHA-256:	D0D76CEA47F43C69140712545A53050D35D769AC4FA7148637903166D9B8AC46
SHA-512:	F2AC6B206ED835E1F72A2692A4485C077319E5C7ADED2FA92E452F4F0723B347C439939B9099B9216C42B7162C3F8A47E5BF129D0DC1ED711DEAA17436A03EC2
Malicious:	false
Preview:	...m.................DB_VERSION.1....q...............&QUERY_TIMESTAMP:domains_config_gz2...13369312268187801..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.172031515203731
Encrypted:	false
SSDEEP:	6:NAnGcQEq1923oH+Tcwtj2WwnvB2KLlLA1aIq2P923oH+Tcwtj2WwnvIFUv:NLcRfYebjxwnvFL18v4YebjxwnQFUv
MD5:	B25293709B0A06AE34214F317E0AB7AA
SHA1:	F2FA37335D4B78CB082E2DCCDD80E1B34955BF62
SHA-256:	DD1FA355170850B15002E114DFB8E974808756B25F79062E8191868F18DB5AEA
SHA-512:	1E907983149B631EDA5509E58EB3CC8843D4091435D2F580A0C0DC571789F6DB45B9D25F91DCE0B78F8CA4DCF32D390692A7676467DB64C68F88DF810AECA0FF
Malicious:	false
Preview:	2024/08/28-05:51:07.091 21f0 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db since it was missing..2024/08/28-05:51:07.170 21f0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	358860
Entropy (8bit):	5.324613879081809
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6Rv:C1gAg1zfvn
MD5:	B8C5E15C1CAD195A53916BD5E393D736
SHA1:	C9828F11FE1FFA1882E4EA1BB93AC65EC0840ABD
SHA-256:	540AC39A6C814BADEC0D2490277CC678D09381F4335D32850ECF4954E726CE9F
SHA-512:	449D84B4A3D1B24F6324AC2DB548A8CEAA0C4A6879DD65E9A8B65277B9DE413C039F351AB0B0B7691304F3D0C1613C23734788991D831CF9258686DB22F76535
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.197960818639038
Encrypted:	false
SSDEEP:	6:NAu4M1923oH+TcwttaVdg2KLlLAFYX4q2P923oH+TcwttaPrqIFUv:N/4hYebDL174v4Yeb83FUv
MD5:	FB78FB435E8119DE6AFE23E9C61FB184
SHA1:	5DF1E04B8B8F44F2231706CF81F3FFB3B6A647AA
SHA-256:	48788F6B5F85285BCBB228AB229922F7274EFE042F489DB76B5A3FC74A6563AD
SHA-512:	776D093B02E855924E0B443B7BD4FACB03C18493A08509B598310FA8960A2310182405D0275C2A5781F62E1A53CF17182EDA0EE4146F22793A5BD44BE6908450
Malicious:	false
Preview:	2024/08/28-05:51:01.901 1d64 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules since it was missing..2024/08/28-05:51:01.943 1d64 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.1841271501513955
Encrypted:	false
SSDEEP:	6:NATUz4M1923oH+Tcwtt6FB2KLlLAfy4q2P923oH+Tcwtt65IFUv:N2Uz4hYeb8FFL1sy4v4Yeb8WFUv
MD5:	3B8B66D3A3AE89A80F71BA38CD43ADC6
SHA1:	A773BA47386FB87A7D16C8F6DED5CAA16BF16F32
SHA-256:	687D7B1C0ECFC703EF320AA465EC8FA6B53B8EA0F2BBC6C0906848A092A16054
SHA-512:	56AFD1481D754442BA626604C8CA0F76FB2CA3745AFC9D497C829C2C8E390A4FC8BA4B0DA5A69D479FAF365B641F4DCB481BF46F4CCC01DC53A5096BC52F462B
Malicious:	false
Preview:	2024/08/28-05:51:01.945 1d64 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts since it was missing..2024/08/28-05:51:01.958 1d64 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.1895707719267
Encrypted:	false
SSDEEP:	6:NA5IXhq1923oH+TcwttYg2KLlLAO+q2P923oH+TcwttNIFUv:NpYebJL1qv4Yeb0FUv
MD5:	2EF0030A55BB770AF126927DF9A7252A
SHA1:	ED83AF0A74D9EFF7FAB85EE6DE59ECDBF42DAE4C
SHA-256:	5359392ED36C6822FE20BFD3AB35593908595D4466D2D0B534A14BC92DDBE3BB
SHA-512:	1081E8501DCB1ED28A3866E4FE42CAF28935EC0BE876765294C62EC68C81D376D094F486D0E8369D5479C07DAFDDA2AF9EF1BE39B83D3F8F59809037F50C3914
Malicious:	false
Preview:	2024/08/28-05:51:03.752 1d38 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State since it was missing..2024/08/28-05:51:03.766 1d38 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlsl:Ls3E
MD5:	1540BC3B1AEC1793076DE3F45762096F
SHA1:	DEE0E206E71A049ADE3AC5445D26ACC0B6532A3F
SHA-256:	C4650E47E7B7A6E0C914229F4379612CA631D3AD53579A53FAD1E0206F950883
SHA-512:	4690040F83ADADFA001A0D3727E75629023591E7F78428824DF64167358621DE4E354D6ABA59D2D1E68693733CD1A58E6EA6725A9CDD2AD47606226929D9A0D9
Malicious:	false
Preview:	.........................................^.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.21880421027789762
Encrypted:	false
SSDEEP:	3:gW/BntFlljq7A/mhWJFuQ3yy7IOWUIc/+/dweytllrE9SFcTp4AGbNCV9RUI9Y:gGK75fOv/+/d0Xi99pEYE
MD5:	F3A8818BB78348A519253798864DCF5A
SHA1:	769417F2AD20AF341923CE286114E7C60475C09D
SHA-256:	B2A0744610E4F9A19A09629E46B440A068C1431BA118D33DDB156BFE0BF83C8E
SHA-512:	8BF5F29ABF3A152670EDE11C42ED614AF91EF120BAABFB5E0A64FBC1C0231B5A8A20B912F7F64D907D14011F4B462C006BA2F3034FE29C08AE5A459E6391673A
Malicious:	false
Preview:	............-......&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	379
Entropy (8bit):	5.209529341224489
Encrypted:	false
SSDEEP:	6:NASLX5RM1923oH+TcwtRage8Y55HEZzXELIx2KLlLASLcVq2P923oH+TcwtRages:NxpRhYebRrcHEZrEkVL1xkv4YebRrcH0
MD5:	494D976C0DC1F9B6E49E5E719F0DCCB4
SHA1:	00994C397E03CFD16E783BE46E9DBC9761FFD702
SHA-256:	AD8B68669B4A77852318E27E714C5BC52AB85F2AE5CABF268B586B8FA660F502
SHA-512:	59C25D2F887F68984E81F990EA937F1E2C9C05965F9EA630D5E0F39036A7FA5E95D2809006F603C100DE6D4DF842A5BC65C0368276B2A357A78EB2C48C098910
Malicious:	false
Preview:	2024/08/28-05:51:04.712 1d24 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/08/28-05:51:04.724 1d24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.184567576974364
Encrypted:	false
SSDEEP:	6:NA1/g1923oH+TcwtRa2jM8B2KLlLA3KQ+q2P923oH+TcwtRa2jMGIFUv:NI9YebRjFL1GKQ+v4YebREFUv
MD5:	74C5A04B608E25BA61EDAB5351674371
SHA1:	567CA3B822CF6859BB2FAC4C4E65563DD144302B
SHA-256:	365017FE5F3C970F2C144917D84F37F6579BEA7A840D0304FC0714A426E41B8D
SHA-512:	CC5C641E4B6EA2027A4EED9B9D9A03E1F63DAECD19032ABEEBB4338F8ED3ED5577422FB1B58B66DAFCFA22ABD9718DC61E7CE1FECF3A6368F0D96C2C218B41A3
Malicious:	false
Preview:	2024/08/28-05:51:03.352 1e4c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb since it was missing..2024/08/28-05:51:03.373 1e4c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\0ca52be4-b4b0-4fd4-8a26-74a6f3a5211d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.89042451592505
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDHERW6JfYoR6oJbQpwhYMKWKWMS7PMVKJq0nMb1KKtiVY:YHpo03h6ubQ+a4MS7PMVKJTnMRK3VY
MD5:	89DA93E9471CD8C8C255E72CA2CF45CB
SHA1:	BEE1905E765B0BB06275A2D6F91598BDA84B3B5A
SHA-256:	79F1C11C178CA0BC1E11CC6569FCFAB5D1B54F0359D878CBD7862F649076EDBA
SHA-512:	09D068514220CDCDF00D73A47E2362B02DF6F227D4666A7E077D8B2B9FC82E29449D2B2ACFC4340C3654C46ECDB9A90373F5B2E2F4F454A1CA334B98CDE74CD9
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\0ebb717f-5fe4-4ffb-9757-dbdb39077330.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\8574c4a1-d290-4ce4-9049-dca18ce9f875.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF459d4.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.7597837216507011
Encrypted:	false
SSDEEP:	48:TaIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBku/:uIEumQv8m1ccnvS6j
MD5:	A3BB90B09DBBEBDAADC9097BC33FD2C5
SHA1:	177E47187CC86FFC5F2BE07111606A6EB8034B41
SHA-256:	539F51A67ADD77AF8935797814E4AF74A60A3235C572197D7BEE936F1E0854CC
SHA-512:	A9AF3DF60DE508E303148AC55423086A58A1CADE3FEE7BB53FB2DC10E81AC16D8EA0094B2DF813397769B9002A47DCB0C38B1E4278F78417683BDBF0D6943D31
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports~RF337ca.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\bbb2d495-2abc-443a-be9f-e86e41213a06.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\c1abacaa-d8f6-4b46-9039-19399492ac6a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.97158656978404
Encrypted:	false
SSDEEP:	96:st3+XqfHuzis1gb90Gu8pN8zBQCs85eh6Cb7/x+6MhmuecmAenueQ7MYn2Mi/EJ:st6EsO/pNkfs88bV+FiADPiMJ
MD5:	E63AE1BB0F8DF989C30C1457FCFB3BB4
SHA1:	E8052DF1CA230DC6C88B2D5D90FA552AC70767D9
SHA-256:	1462CA9FAED0B96960EA97874ED9F957C866086EC73B2F83A241C2DF63F306A3
SHA-512:	F1B9315A81B3B17D1ADD60C7669EEE2F23753D4C4FBD133D4E925114C11CCA6C83F79870E6F1B0CBF432CBB4474C2F5FD72D6421937D0201B88B8092D925A05E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369312262857211","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369312263488304"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF3c843.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.97158656978404
Encrypted:	false
SSDEEP:	96:st3+XqfHuzis1gb90Gu8pN8zBQCs85eh6Cb7/x+6MhmuecmAenueQ7MYn2Mi/EJ:st6EsO/pNkfs88bV+FiADPiMJ
MD5:	E63AE1BB0F8DF989C30C1457FCFB3BB4
SHA1:	E8052DF1CA230DC6C88B2D5D90FA552AC70767D9
SHA-256:	1462CA9FAED0B96960EA97874ED9F957C866086EC73B2F83A241C2DF63F306A3
SHA-512:	F1B9315A81B3B17D1ADD60C7669EEE2F23753D4C4FBD133D4E925114C11CCA6C83F79870E6F1B0CBF432CBB4474C2F5FD72D6421937D0201B88B8092D925A05E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369312262857211","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369312263488304"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF43d73.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.97158656978404
Encrypted:	false
SSDEEP:	96:st3+XqfHuzis1gb90Gu8pN8zBQCs85eh6Cb7/x+6MhmuecmAenueQ7MYn2Mi/EJ:st6EsO/pNkfs88bV+FiADPiMJ
MD5:	E63AE1BB0F8DF989C30C1457FCFB3BB4
SHA1:	E8052DF1CA230DC6C88B2D5D90FA552AC70767D9
SHA-256:	1462CA9FAED0B96960EA97874ED9F957C866086EC73B2F83A241C2DF63F306A3
SHA-512:	F1B9315A81B3B17D1ADD60C7669EEE2F23753D4C4FBD133D4E925114C11CCA6C83F79870E6F1B0CBF432CBB4474C2F5FD72D6421937D0201B88B8092D925A05E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369312262857211","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369312263488304"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:	3:YVXADAEvTLSJ:Y9AcEvHSJ
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\README

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.2629097520179995
Encrypted:	false
SSDEEP:	3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
MD5:	643E00B0186AA80523F8A6BED550A925
SHA1:	EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
SHA-256:	A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
SHA-512:	D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
Malicious:	false
Preview:	Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.565578220897076
Encrypted:	false
SSDEEP:	768:Ltl0gTWPfPf1g8F1+UoAYDCx9Tuqh0VfUC9xbog/OV5USrqrwv/AtpGtuc:Ltl0gTWPfPf1gu1jaERrPv46tH
MD5:	207755FC844C719C2CC11AA25603BE08
SHA1:	526690656E3AB96AFB0415B70CDD40A7C772B687
SHA-256:	F2CA47FDFFFB9F121DA2A5F5DF7362FBD14DBEE35D45AEEB141E835439BB09E8
SHA-512:	4AAE9B1D00D502404D12A01B36FE8910E0E7C235B50723768FC4DB5E278EA6864258859A512F6783E7EBE53C9090547DAEC0D784C0709FCFE3506975DE12EEB2
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369312261789502","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369312261789502","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RF39869.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.565578220897076
Encrypted:	false
SSDEEP:	768:Ltl0gTWPfPf1g8F1+UoAYDCx9Tuqh0VfUC9xbog/OV5USrqrwv/AtpGtuc:Ltl0gTWPfPf1gu1jaERrPv46tH
MD5:	207755FC844C719C2CC11AA25603BE08
SHA1:	526690656E3AB96AFB0415B70CDD40A7C772B687
SHA-256:	F2CA47FDFFFB9F121DA2A5F5DF7362FBD14DBEE35D45AEEB141E835439BB09E8
SHA-512:	4AAE9B1D00D502404D12A01B36FE8910E0E7C235B50723768FC4DB5E278EA6864258859A512F6783E7EBE53C9090547DAEC0D784C0709FCFE3506975DE12EEB2
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369312261789502","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369312261789502","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.160877598186631
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljl:S85aEFljljljl
MD5:	7733303DBE19B64C38F3DE4FE224BE9A
SHA1:	8CA37B38028A2DB895A4570E0536859B3CC5C279
SHA-256:	B10C1BA416A632CD57232C81A5C2E8EE76A716E0737D10EABE1D430BEC50739D
SHA-512:	E8CD965BCA0480DB9808CB1B461AC5BF5935C3CBF31C10FDF090D406F4BC4F3187D717199DCF94197B8DF24C1D6E4FF07241D8CFFFD9AEE06CCE9674F0220E29
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.134650324740927
Encrypted:	false
SSDEEP:	6:NADi1923oH+TcwtSQM72KLlLADEeSQ+q2P923oH+TcwtSQMxIFUv:NQYeb0L1bQ+v4YebrFUv
MD5:	04A9EB4ABB388E859220C74B61697BBD
SHA1:	CF0B2D20D8DCC243067A9E07A4D47E811F883460
SHA-256:	C7066099AB31C55F87C9E4B362BE7AB5FBF06CD5190A7645F592EAC77A0C4C25
SHA-512:	6AC691081D413F22CD2C91C304D9A948F483AF8217F002C44DA9D55D8506270DD321C4E42D2717EF0168B72B062B6FDDF5DC8423126AA5ACDF723AA80DB7356B
Malicious:	false
Preview:	2024/08/28-05:51:19.542 1e4c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage since it was missing..2024/08/28-05:51:19.569 1e4c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.073536432598792
Encrypted:	false
SSDEEP:	6:NA53QR1923oH+TcwtgUh2gr52KLlLA5f39+q2P923oH+TcwtgUh2ghZIFUv:NytYeb3hHJL1++v4Yeb3hHh2FUv
MD5:	1BF9F1F930F1F2C757B4E43401A5DA7F
SHA1:	C62813A43A0833851C173A1E24C5B3B420811EF9
SHA-256:	8511152D20E494FD1EC682512D8012EA45F84B9ABF9D0037D66CBE3E968619F3
SHA-512:	7CCC8D43BE4F48866F34244927982F80D52C169E4EE2370ECBDED75F53386AA7A0B3DA958568FF0E064B2EC51FC1B69346466284E4ED3443315CE6D08A8EE768
Malicious:	false
Preview:	2024/08/28-05:51:01.809 1d2c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database since it was missing..2024/08/28-05:51:01.820 1d2c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulOm:Lsy
MD5:	E8D16E46B0A6BC0EAB4AF05A885B191C
SHA1:	166F583BCE0C7D7571E819EBF721947BD16393E3
SHA-256:	5986DC423E38230F5025A995E4F24F4F761B63FADADBB116C78EB37D7DEB43DA
SHA-512:	AA577C071D78DB03F47EB3D16940EC7825A9EFE971735E90E4FB28246024A59B4C6044F911FA8240FC7F7A6699185F1261FBE4739ACDFEE9B92259D665ADCCAA
Malicious:	false
Preview:	.........................................Y..Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:rpKE0Edo9n:cwdo9n
MD5:	6D6C3D58699ED83391F3D2FBB6F4C611
SHA1:	37553D7F3C0770331DE20F3327B5E1EA7CFB1BEB
SHA-256:	B823699EE7637F2A7FE90025CDFB086FE07D1848CA3D23035635ECE0D33DB489
SHA-512:	40EC27F5FD776DDC728531690FD80C31FA5130E2633CA59BF6662A01F6598421F526A50BD5394BA5E33D226E4AB00A210B62C53909A5FA5855A940D356F7E29C
Malicious:	false
Preview:	(.......oy retne..........................].Q./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:rpKE0Edo9n:cwdo9n
MD5:	6D6C3D58699ED83391F3D2FBB6F4C611
SHA1:	37553D7F3C0770331DE20F3327B5E1EA7CFB1BEB
SHA-256:	B823699EE7637F2A7FE90025CDFB086FE07D1848CA3D23035635ECE0D33DB489
SHA-512:	40EC27F5FD776DDC728531690FD80C31FA5130E2633CA59BF6662A01F6598421F526A50BD5394BA5E33D226E4AB00A210B62C53909A5FA5855A940D356F7E29C
Malicious:	false
Preview:	(.......oy retne..........................].Q./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:GnPVPyEhtl:GnR9hX
MD5:	F0F561A1272B7CD5E9380A3D9A852D4B
SHA1:	02622ABA50D3E1DFB3C3AC94BE3DB221CA8B7883
SHA-256:	823057DA6754FBAAC839C49D361E76086F3E341858B5417E1CCCE661EACE6197
SHA-512:	5DF2E7057FCBE171D1E6BCA122580F96D242C614B08B86FA6C2FDF5269FF02C947AFCA8AACEFA387FEFA440602CE3A146E872DA855F1E846EB544315050FFC8D
Malicious:	false
Preview:	(.....j;oy retne.........................6_.Q./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:GnPVPyEhtl:GnR9hX
MD5:	F0F561A1272B7CD5E9380A3D9A852D4B
SHA1:	02622ABA50D3E1DFB3C3AC94BE3DB221CA8B7883
SHA-256:	823057DA6754FBAAC839C49D361E76086F3E341858B5417E1CCCE661EACE6197
SHA-512:	5DF2E7057FCBE171D1E6BCA122580F96D242C614B08B86FA6C2FDF5269FF02C947AFCA8AACEFA387FEFA440602CE3A146E872DA855F1E846EB544315050FFC8D
Malicious:	false
Preview:	(.....j;oy retne.........................6_.Q./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlGxj:Ls3G
MD5:	0C562D184022C32198994999916A9FA9
SHA1:	76CE407265E06578B4110203CFA57EF271C715A9
SHA-256:	198212893DB5A16EB7EC515E0A3EEBBDCFBCD9686456C35B4041C405FA6F71CC
SHA-512:	C37B800E591E0FC761E55D0C468CC38D548EB99D4FD3E28D6F17041BE478A00EB45E9BA418EAA3FB733C859D275EC437F2CCA9E1AD0CDD09C16261B9AA13BFA0
Malicious:	false
Preview:	........................................ .f.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlaKl:Ls3a
MD5:	E75706F2C1389B6847FBDB7522A36B00
SHA1:	FAC0B115CFEC42F6ADDF52DA3B0984B4AFAAB9AD
SHA-256:	212E82F3E4D1026ADA118B3A7120B3B3994714235685A12D17C6198EA76ACC42
SHA-512:	C3C079E45D001BF4B3173E80728F27BCDEF571D7F5C28C9C2E6A7322578C952A65DBD74142ED4206AB5AA975A55F1DA972CC2514C39DEE5530232F87DC23D2E9
Malicious:	false
Preview:	..........................................d.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	5.203767920104467
Encrypted:	false
SSDEEP:	6:NA701923oH+Tcwt0jqEKj3K/2jM8B2KLlLASLkvpQ+q2P923oH+Tcwt0jqEKj3Kk:NK5YebqqBvFL1xSpQ+v4YebqqBQFUv
MD5:	392A813255A99BA46B6A7533125ABBB0
SHA1:	2A8EE68C02B6B940D882E4F28DB8A62B6F5738DC
SHA-256:	9BF586B08C07C02D663A35D95FCF0E8505EDD419AA17210AE5833F3D11005232
SHA-512:	1998B57D10A542B37D93CF0701095B12243EA453D8508D3C322B191BCECE82712ECBB027BBBC2D4B89C723FA8EE5C012FAFF7BB1231E3F82C75CBE45C0A2D8EF
Malicious:	false
Preview:	2024/08/28-05:51:03.776 1e4c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/08/28-05:51:04.144 1e4c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\4953c400-06ff-40c9-b0f9-943a7a55dbc3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\544e72fb-c97f-4f35-9e6e-f27134bf7a46.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\609ef57d-b6a6-4786-897e-84ec6f88ba04.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF459e4.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\d7891b5d-a82c-497f-a3b3-6fc23d005c15.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.7273991737283296
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
MD5:	9F7EADC15E13D0608B4E4D590499AE2E
SHA1:	AFB27F5C20B117031328E12DD3111A7681FF8DB5
SHA-256:	5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
SHA-512:	88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	393
Entropy (8bit):	5.184682777138203
Encrypted:	false
SSDEEP:	6:NADAq1923oH+Tcwt0jqEKj0QM72KLlLADKQoSQ+q2P923oH+Tcwt0jqEKj0QMxIg:NXfYebqqB6L1jQoSQ+v4YebqqBZFUv
MD5:	2DB65DE20ABD110EA08851A7E47E5390
SHA1:	4908A59FAFD668E5A6DA61FFC0FFBEBCAE4693F4
SHA-256:	2DC0263212297B16BBB93FA5B48ECCAE4AC49A39D7597F42EF0BFA218C6C43B9
SHA-512:	465ABB5E2401CDAD8C63FC8AE6D108E3B5CC3DCE08412E8362A8A032B4E854CC29395FBE39407B88814CEB5D8545F9FC818729E8789D593D6309DDE4DA367DD6
Malicious:	false
Preview:	2024/08/28-05:51:19.589 1e4c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/08/28-05:51:19.715 1e4c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.227521684244829
Encrypted:	false
SSDEEP:	6:NAeB1923oH+Tcwtkx2KLlLAULVlrM+q2P923oH+TcwtCIFUv:NLMYebkVL1DhZM+v4YebLFUv
MD5:	5F4A032B348EFCFBDB2B3665C43CAEAA
SHA1:	89AF8B7E0492EA696A92C68AE68880B29880B14B
SHA-256:	4E938D9EA90F6878EC776ACB3A3956400C71F377316A459E0B4235CBCAD72051
SHA-512:	A36B8E8E1D9A9F555F0ECE77037F1C672F21B3267DF40ACAE506081D57D5DC8ADBD323BBFB21E809D023FE2F0B808CAD6EAD8421501F076F2E24E48381C88532
Malicious:	false
Preview:	2024/08/28-05:51:01.791 1d6c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB since it was missing..2024/08/28-05:51:02.083 1d6c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002095330713584969
Encrypted:	false
SSDEEP:	3:ImtV7Fw/ll/:IiVBwX
MD5:	B3BE8974856801F14CD41C05151F2CD2
SHA1:	397DFCFB970C6AA9A17DEDE85F1B43E806484849
SHA-256:	533D10C76A731E9BE02449D90C0A332C791B379E2A45C9C2A25BBF7FE37B38C1
SHA-512:	D7E5CAC7790F2B9359E071EBA3FB483074281BC5761620CEC751757F6737CE6EEE69F4F644DBF82696ACCA849723167245A6E41E2C2A06B3BF5BBF1CB200958B
Malicious:	false
Preview:	VLnk.....?.......u.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.076918559908391
Encrypted:	false
SSDEEP:	192:erb2qAdB9TbTbuDDsnxCkO3SAE+WslKOMq+vVumYeA1n66:e/2qOB1nxCkO3SAELyKOMq+vVumj6p
MD5:	9AE2C2477D0060F82C3D0A82DAF02123
SHA1:	97D07BA6EA7D88E89219F8DA2A2202F00C29D78A
SHA-256:	AAA9F06A2A19C9C51A158A8E2BB7F02E683346CD192D8EACD89189FEA985AB57
SHA-512:	958450C74601507DC699A0BBC20C6BA09F856E48DA1845A24AA15F998AB4E0CE1FA3207FBE28AF182B5E6BA05DFA7F0164B87AA9EA40738C8E59447CE0EFC08B
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\b9e5c1c4-7bbe-403e-97dd-f16cbb9a8dbc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.565578220897076
Encrypted:	false
SSDEEP:	768:Ltl0gTWPfPf1g8F1+UoAYDCx9Tuqh0VfUC9xbog/OV5USrqrwv/AtpGtuc:Ltl0gTWPfPf1gu1jaERrPv46tH
MD5:	207755FC844C719C2CC11AA25603BE08
SHA1:	526690656E3AB96AFB0415B70CDD40A7C772B687
SHA-256:	F2CA47FDFFFB9F121DA2A5F5DF7362FBD14DBEE35D45AEEB141E835439BB09E8
SHA-512:	4AAE9B1D00D502404D12A01B36FE8910E0E7C235B50723768FC4DB5E278EA6864258859A512F6783E7EBE53C9090547DAEC0D784C0709FCFE3506975DE12EEB2
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369312261789502","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369312261789502","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\c4463a87-1fa3-4786-9c89-ff3ebac20df5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6528
Entropy (8bit):	4.980900730599948
Encrypted:	false
SSDEEP:	96:st3+XqfHuzis1gb90Gu8pN8zBQCs85eh6Cb7/x+6MhmuecmAenueJSMQtn2Mi/EJ:st6EsO/pNkfs88bV+FiAHPiMJ
MD5:	5F4C677F7D7A273CC31E93CB91C93932
SHA1:	1E744DFAE9C411E1EA35A4553CE160D343A195A8
SHA-256:	3F2A863528172101FF2A6E3B34220FB9007EDFCDBE7288F787637B348D50FE52
SHA-512:	CAF177CE3F45E75914130DE602023C2DAA01EB21214DA01CFCFCF44E5CEC915908A9F31F63CD979866705E02DAD160CC155B56FB651F6902E45E31D6F23FF421
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369312262857211","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369312263488304"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\d1a0156b-49bc-4a2a-95b8-9ca25878bfd2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6426
Entropy (8bit):	4.978853379221659
Encrypted:	false
SSDEEP:	96:st3+XqfHuzis1gb90Gu8pN8zBQCs85eh6Cb7/x+6MhmuecmAenueS7MQtn2Mi/EJ:st6EsO/pNkfs88bV+FiApPiMJ
MD5:	5233E51737A03F15294F85BE4EDEDCF4
SHA1:	8FA5CFADC017B0BB701EF54D102AEBE0F64BBE26
SHA-256:	B13E707DADA4D547AE1F1D5CBA846B8328385B6CC5343F1E4049ADAA9BF23D8A
SHA-512:	DA5D9670F05A3EB7AC70ED39EF72E905C01168B1005B4AE03FB8BFFCAB4386B194D962759929BFE42450C1D79F0AFDB1622103D08C5F0E1F9EB32EC5CF12F792
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369312262857211","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369312263488304"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ee448764-e91c-4053-a7b5-4040e33ef39a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:	3:lSWFN3sl+ltlMWll:l9Fys1M
MD5:	A8E75ACC11904CB877E15A0D0DE03941
SHA1:	FBEE05EA246A7F08F7390237EA8B7E49204EF0E0
SHA-256:	D78C40FEBE1BA7EC83660B78E3F6AB7BC45AB822B8F21B03B16B9CB4F3B3A259
SHA-512:	A7B52B0575D451466A47AFFE3DCC0BC7FC9A6F8AB8194DA1F046AADA0EDDCCA76B4326AA9F19732BA50359B51EC72896BB8FA2FC23BAA6847C33AB51218511A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28109187076190567
Encrypted:	false
SSDEEP:	3:7FEG2l/wpollHlFll:7+/l/z
MD5:	3B6A5FDEB7233C7438D55A02AA0075A2
SHA1:	3011F5416AB3C619BFEA75090E8116C393D27B69
SHA-256:	38DB572CAB1D8C3255DF152DBBB2FA5B383C9E0DBEC1C60B9624D258487FA8FC
SHA-512:	606CEB12359740B608E1787840BA7AA5F9FD712A59BF62765F2023011B0E92C6D8030EB31BC7B9BEF2E924246B4281DF73817097298C554368DBE42FA4EC57F3
Malicious:	false
Preview:	.... .c....../W.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049163763574177136
Encrypted:	false
SSDEEP:	6:GLW0T2PRW0T2fL9X8hslotGLNl0ml/XoQDeX:aiPZihGEjVl/XoQ
MD5:	38A28DFC6914A15E642D0E647D524DA6
SHA1:	3A3E4215A95B95C5A946D0F71E2089986F07DFCC
SHA-256:	C2E74F08CA0EF86C9666300BA97F1A4C21483B186A273347915682C13686673C
SHA-512:	EA59D91EE058CDD5A8C798A290FA360FD22C963D40F2BAA4CE76CB5B392965CD470D3C196C44E959CE1C2A1DA7B0B74933CBF7FC68FB9574561643669DBF3B35
Malicious:	false
Preview:	..-.....................-.BV..j..[..7...(._@...-.....................-.BV..j..[..7...(._@.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	70072
Entropy (8bit):	0.998102098545771
Encrypted:	false
SSDEEP:	48:MzxEslO+OcbX+Yn9VAKAFXX+Uz2VAKAFXX+KaxOqVAKAFXX+YfnUYVAKAFXX+UVc:0xEwItNsKNsnO5NstNsUG
MD5:	8A81A3B1477B568B4E965070EEBD60FE
SHA1:	2E95AF81BC09C91AA883C3BBBA78C434590736DB
SHA-256:	D6827A5C6FFD054779C83D29D4834A25D292224F890147FB3FA51FDB43C4CCF3
SHA-512:	302A11B3D8C5967FB053D3A28B1ABE1C140080343BE70158883DCE57BD4188601A9F6379B29285A77699078A4964A4D08AAAA061F00506DAC82764F247B511ED
Malicious:	false
Preview:	7....-..........j..[..70..} lN.........j..[..7....k...SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1566
Entropy (8bit):	5.493210402664495
Encrypted:	false
SSDEEP:	48:ge87SBS2QrPyHRHAx2IYjIYczMqktMYjMY5yjAlkfAlkh3:h02QuIYjIYczMbtMYjMYYYcYM3
MD5:	A064315AB1E85C3194B712616F789340
SHA1:	928C1512F847C30AE3E904483159404F81F8A040
SHA-256:	CD98CC60F2D290265F2C4B212FE71028186335593F2EE017CFDDF94DF18DC3B3
SHA-512:	91467FCC6C780D32DEA97A4D2B758F120AE69A8A9DC8A21779D165F41C6D802B07C2FAB7C70FCBFCDDA3AAE74995C1742C628BAC6AB6E4EB82ED4D745E424BDC
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..&f.............../....................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel.....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch......4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton.....&4_IPH_FocusHelpBubbleScreenReaderPromo.$IPH_FocusHelpBubbleScreenReaderPromo......4_IPH_GMCCastStartStop...IPH_GMCCastStartStop......4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode......4_IPH_LiveCaption...IPH_LiveCaption......4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage....."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch.....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeature......4_IPH_PriceTrackingChipFeature"..IPH_PriceTrackingChipFeature.....&4_IPH_PriceTrackingEmailConsentFeature.$IPH_PriceTrackingEmailConsentFeature.....-4_IPH_PriceTrackingPageActionIconLabelFeature1.+IPH_PriceTrackingPageActionIconLabelFe

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.251818733476675
Encrypted:	false
SSDEEP:	6:NAB1923oH+Tcwt0rl2KLlLABsyq2P923oH+Tcwt0rK+IFUv:NbYebeL1uv4Yeb13FUv
MD5:	9840D33F53CDBBFCB7FC8649B8DC1BAA
SHA1:	EA1B0352FEB31B34AE1B8CECBEA09FEFAAA0ED65
SHA-256:	E6B7AA45D4F20CE5B79C6CAEF43D7E10F0B9F2629B10A38731913BE908CE3CDF
SHA-512:	20C35F0A4E1E80D5E96CECCFCDACA72E2767725D3440D99BC830CF035D55591B9331013895CEA765336A42723BBC391661E0693D936F2825C76F30C394DFB424
Malicious:	false
Preview:	2024/08/28-05:51:03.497 1d30 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db since it was missing..2024/08/28-05:51:03.506 1d30 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	729
Entropy (8bit):	3.9559872543691803
Encrypted:	false
SSDEEP:	12:G0nYUteza//z3p/Wui+it/4JbZfPStub/RG0lbANqa:G0nYUtezaD3RXi6FZfc25m
MD5:	218C93CDE07C1848D731CF3A6DA2C778
SHA1:	994EF76CA5497132AB9DD3CC831C629753A029AE
SHA-256:	96C1678803131E47BB2A53D52735F7BC293A5923E433BCF97B19CA6863D9B23C
SHA-512:	29BDDC0BB4703250F65D0ABDA02D9DA4BE43252664746F85BFDE36E06847D1078A3AA43CA2D3BC40C9BECD854B319685F1DE533F2196248FFB6577B2932FAF61
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................21_.....n[.=.................33_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....!....................3_.....n.b..................4_.........................37_.......`.................38_.....].$&.................39_.....4.9..................20_......R...................20_.......1..................19_......(...................18_.....:.=..................3_......W2..................4_.....)..>.................37_..........................38_.....h.#..................39_.....P"...................9_.........................9_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.197551318298298
Encrypted:	false
SSDEEP:	6:NA8R1923oH+Tcwt0rzs52KLlLA6yq2P923oH+Tcwt0rzAdIFUv:N+Yeb99L1Ov4YebyFUv
MD5:	F14B1A654FCEE79DF5EA14E976B903B1
SHA1:	F28343335373C5132000B348043EE57AA0ACF164
SHA-256:	42405A4C44926EDBBA592F074ED32B4ECD25AF4D14D5D7727DDB700A1DA58133
SHA-512:	0343903B3B237DFA82C48122A2B8BAD732A26C7C125676B6152A879FD1E46FDAD3FB9CEA8EBE118A9BEBBC4525B97EFCBAF509854FE7E5C2DDDD9E5730FCC693
Malicious:	false
Preview:	2024/08/28-05:51:03.485 1d30 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata since it was missing..2024/08/28-05:51:03.494 1d30 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl5E:Ls35E
MD5:	22E8C26EC6535AFB5BA249B41234665F
SHA1:	255786518B3B7FF105CAAB7CF7FD0A5187A08FAE
SHA-256:	4EDFD4D46A6BCB3BA68A29D04476BCA4B5AB9C2C91667276F20E19DC8DB91E12
SHA-512:	92FEDCF27EFE6C74C8343CFB711FC52FE38CCD5A814514CC1E20E38020DFEF3D68BC1A5FA932B07D98FF1E82FF71668BD9A84D8BB2A3879C977DB2EE4F01A774
Malicious:	false
Preview:	..........................................`.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNltEM:Ls3X
MD5:	C34E84791AFF8561BDC32267DCB54EB7
SHA1:	7D844F011A04E8425F882C55815B18C2A316B415
SHA-256:	8A618E2322ECD509EF5086632A396696D9638D1C36EA8FABE211F0D06681B453
SHA-512:	7F84732CE490FF6F7A140E46ED785E529E749B11102AEDBC6806BC9B8245427028F2D389B8EFB1A9A91719601AE085D74726373E992CCFC1F9C735CA2589BAFD
Malicious:	false
Preview:	..........................................a.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF329ff.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF32a0f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF32cbe.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF32cce.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF353af.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF393d5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF41624.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF43d44.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF48614.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF5072b.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlxk:Ls3W
MD5:	7392A7036962440CCFCAE116C4C0B71C
SHA1:	4A03DB1B5D29A3A78D77CDF73F8BFBBE0797103A
SHA-256:	A3113A929A19D210E1840576BEF093352FE213BE04B156D89DDB1E9B86BD966F
SHA-512:	80DB422CC1A1005AEC24F9FAADCA021CB45C7E714129E42BE87EC69C8477215B479116468E4867B3C7AC84264EB4A8FFF7025069C8ECAA4ABCD6D72FF161E885
Malicious:	false
Preview:	........................................Bf8.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.5724312513221195
Encrypted:	false
SSDEEP:	3:kDnaV6bVon:kDYa2
MD5:	5692162977B015E31D5F35F50EFAB9CF
SHA1:	705DC80E8B32AC8B68F7E13CF8A75DCCB251ED7D
SHA-256:	42CCB5159B168DBE5D5DDF026E5F7ED3DBF50873CFE47C7C3EF0677BB07B90D4
SHA-512:	32905A4CC5BCE0FE8502DDD32096F40106625218BEDC4E218A344225D6DF2595A7B70EEB3695DCEFDD894ECB2B66BED479654E8E07F02526648E07ACFE47838C
Malicious:	false
Preview:	edgeSettings_2.0-0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.493433469104717
Encrypted:	false
SSDEEP:	3:kfKbQSQSuLA5:kyUc5
MD5:	3F90757B200B52DCF5FDAC696EFD3D60
SHA1:	569A2E1BED9ECCDF7CD03E270AEF2BD7FF9B0E77
SHA-256:	1EE63F0A3502CFB7DF195FABBA41A7805008AB2CCCDAEB9AF990409D163D60C8
SHA-512:	39252BBAA33130DF50F36178A8EAB1D09165666D8A229FBB3495DD01CBE964F87CD2E6FCD479DFCA36BE06309EF18FEDA7F14722C57545203BBA24972D4835C8
Malicious:	false
Preview:	synchronousLookupUris_636976985063396749.rel.v2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.9904355005135823
Encrypted:	false
SSDEEP:	3:0xXF/XctY5GUf+:0RFeUf+
MD5:	E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:	5AAAC173107C688C06944D746394C21535B0514B
SHA-256:	EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:	837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:	false
Preview:	topTraffic_170540185939602997400506234197983529371

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\a35d8489-6425-43be-b47b-7e3c7daab033.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24302
Entropy (8bit):	6.056604633018913
Encrypted:	false
SSDEEP:	384:RtM7XKnG7EtlXrjYJUoLUJqHsdZsJHaV8NGKI0yKq3qdFVEQBzb9nU/1/NbNdUWN:LM7X2zt1jKYqHkZeMdKqNQBzb9nU/pd/
MD5:	1DED022BFADF348B64ACB153860606B0
SHA1:	0BDD543357B0E5B6678DAB4CC176E1AA56F27E0C
SHA-256:	85DFF90E4AECD68FAF8E77502BC8302204003C09AD036EE3A555C6DFDCED88C0
SHA-512:	14F5132B9732074EB880FA857A61D15A2906BD04E3A7938E9E9CC2EB9621E400D742DF777ED63E4B0FC1DF5C1250162F80EEA6DAB60FFAEC5C256D94BC67DAF4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\a8460ac4-5267-4c51-be03-90308f19bfda.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1370
Entropy (8bit):	5.531900301613077
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtSLY6a4zynh2fTYdT2f4oKO6yikIvxJdXBuBuwBJaUNhOLXIJu:YuBqDPafQLY6acy4fTnKJ55gBzBJtOLv
MD5:	9DC5F51A017B72539E0EFCAE64F3E589
SHA1:	2213FF51CC79642F2F6688A985FDC2069139CDC9
SHA-256:	0E2BD6D5AFEB46965F6A03BB2844AF847C23F28FB87E03BA8C31DE8129CD5CC0
SHA-512:	6557BD1055C3C08D5487AF68FCD70A25D0AAEBD037F45F1A3880CEE4A3F11680276EAD353B2D72600BF5B7054DEC0CED0E705D79162B4057EEC40CB0C0957D5A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369312261106241","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724838660"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\c7b8b970-b94d-4462-82fb-940f5c562e50.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2957
Entropy (8bit):	5.584891495082806
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afQLY6acy4fTnKrp55kHB+S5drxgvBJ68R3YnaJkXCcmwlRWq:Xq8NkC1fQ06xhfTKrp5ABtz6vbH3YaJG
MD5:	380BC6243505CD4136857B38738A4E39
SHA1:	20A3A77313C923040B8CC21997C1CABC56809C18
SHA-256:	3606698F47843C594904EF256049DBFE2969453941639700C48E7A3FF5FA9A86
SHA-512:	7172B937AFC19FB64B5120071B7D7EB98ADC615BE79AF7EC0F83DEF74F845FD3CE34693610F8405E7908EF3542DFFCA7F68A389E93813CA1488077345BDDEAC7
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADrLY1qLdWgR6FV5snyitxAEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAApP9zHrn1+yH+JFa0k8iCURi0RXANN27Xw63oRZrTI3AAAAAAOgAAAAAIAACAAAACFzoUUaERE6rP1jALJXqUspSCO6EkwoH6zPA0wSyAGKjAAAACWoEoTOpKOiBw+UBYVLyr2QHSItJObGxk3/WzRCr4SX+l0aGA8pOnrOHB6p4TwkQpAAAAAqx0zp6eZ9qNZmEpi05tFIw+9BeN6R2awDgpAf51M+HYjholXWyysiOxWbZ1Ksc8EQ/OSjfSkV4nhPn9H/9Ginw=="},"policy":{"last_statistics_update":"13369312261140398"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\e5efb0a9-6914-4f12-8041-6df5f92dc0f8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20986
Entropy (8bit):	6.066378918804091
Encrypted:	false
SSDEEP:	384:RtM7XKnG7EtlXrjYJUoLUJqHsdZsJHaV8NBSKIZyKXLyZ/NbNdUWkuBstWBkcz:LM7X2zt1jKYqHkZeMsKXLyddfstO
MD5:	079907BB06C41406F9E2CC3CCBBCAEEE
SHA1:	3A7FE476827AA98E8508641D1597EA5075E33E22
SHA-256:	F7C370405918B14E4E51178B7E7B658203DBE5D7E7D207C19102B49BCD38F308
SHA-512:	6473B9066869FFF7A80A4527E965B99300F08D7BA80EF4AFE733AB774CE349BF07E99571FCE805B6F4418987DFEAE084CF9A39B9378C21C48579A24E6102C4EF
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5WgIYys3bJeQH8gzYPwfpC896xXwllv1ws/Dov+UhC031uDZGRdc04LmqFm3Cjhfq008PV7a+5hhe79VoH4u4yk308t/Dk18EzpeL4EmYE9h5+MT4qBuMWAoynzi9yFf/z8N4+c7BnX5qaxMXjWWNuUeEuxFZB94cta8JqLbiF2zYWsrF0K38o0/KVgtVMF5aEI/vhxca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0c7fc985-d611-41ce-ba68-4f3de115a314.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44669
Entropy (8bit):	6.096078531047158
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBcFushDO6vP6OAgP6yjFLGocGoup1Xl3jVzXr4CCz:z/Ps+wsI7yOEl6gg1chu3VlXr4CRo1
MD5:	05A54D130084B99B8BCE2706EA46B04D
SHA1:	9E3CFA39E0F0624DDB494E519EE24F8278C0B7C3
SHA-256:	06B2DB42C5C8F3A132D1ABD0A0B7CC533AA2695A8A90E2122CCED54B840DD285
SHA-512:	E3A7B078652F1549626CB856E9A0583847517DA1FC7A6DD3DD613F5FF7D2491541941A06928EBECCCB58CE443FC3F6D4399EC745CC41A87FF643D14CDD1982F8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\21d77725-e873-4bb6-97d2-0029bc1f9f0d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090707374991258
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMQwuF9hDO6vP6O+1tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEG6Etbz8hu3VlXr4CRo1
MD5:	5DB04C8F5C4293B8EB8EFF6F0614F976
SHA1:	39A85E7FDAFAAD3E9CA7119B5418A31BA4E77760
SHA-256:	454E3A2D2874DF7E5C8FCFBA397C2DE46EC21A6FB0448194E87F93327F24C55F
SHA-512:	BAA1DD931EAB84F63C96D20CB3F1C9D0FFF6110B701655D83998825FEDC1DD8B9B90A2DDDA2A008DD79760AFFCBD672B5EFA99CDD57E10477A4C9D59E52D2D00
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\64354878-b993-4d1a-bc79-9e628b810107.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44669
Entropy (8bit):	6.096197334511477
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBcFushDO6vP6OAgLeypEFAEFzD9cGoup1Xl3jVzXq:z/Ps+wsI7yOEl6ggCchu3VlXr4CRo1
MD5:	7634A4C54937D698DCF1B7ACEC411DD7
SHA1:	6B29FF1AD72532C5D457BD1B368ED55C5ADF2883
SHA-256:	F50E57986921480048605DD2D15A6551BA4E1A5C9E65EB279C21085099EB6D8F
SHA-512:	5250D2F503FE2C5E2D23FD40B01E2D55F5DB745B331E46B19FB6A4D522ADE9864F58AB719CE24E8DBCD2BB4A7CBB77BAA45C2D3E5FA12E1E2ADCCCC10DC8BF4C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\78b53755-68e8-455e-bf6f-c8b90438e93d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44669
Entropy (8bit):	6.096197334511477
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBcFushDO6vP6OAgLeypEFAEFzD9cGoup1Xl3jVzXq:z/Ps+wsI7yOEl6ggCchu3VlXr4CRo1
MD5:	7634A4C54937D698DCF1B7ACEC411DD7
SHA1:	6B29FF1AD72532C5D457BD1B368ED55C5ADF2883
SHA-256:	F50E57986921480048605DD2D15A6551BA4E1A5C9E65EB279C21085099EB6D8F
SHA-512:	5250D2F503FE2C5E2D23FD40B01E2D55F5DB745B331E46B19FB6A4D522ADE9864F58AB719CE24E8DBCD2BB4A7CBB77BAA45C2D3E5FA12E1E2ADCCCC10DC8BF4C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\7d1e5180-e2fb-455a-b721-4ff050021daf.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44668
Entropy (8bit):	6.0961988769469535
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBcwushDO6vP6OAgLYypEFAEFzD9cGoup1Xl3jVzXq:z/Ps+wsI7yOEs6gggchu3VlXr4CRo1
MD5:	57A3138C5C5614D73C8B670576EC48FD
SHA1:	10D37E9D37EE7284DC544989EF0843C1570AAB3F
SHA-256:	CC228345C74BD5CB762A075962D8A0A114BD5BB8667836C95EB75E882CD7EB3F
SHA-512:	CC7AB571E5045CA8B0DE5939C1C983EC2D0496788DB3E29FAA9DE68E366B13B361279FA84172F3507EF586FE93E93532A476F4E4DBFEBEEE125DDD1DFEFBEAA5
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9cd17aaf-1ffd-4196-b399-3bda3098d725.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44669
Entropy (8bit):	6.096067301795967
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBcFushDO6vP6OAgPKyjFLGocGoup1Xl3jVzXr4CCz:z/Ps+wsI7yOEl6ggFchu3VlXr4CRo1
MD5:	9807947B1E1A811BA8B34D26BDF20F93
SHA1:	FEB590E2D0B1A3F40666A8F93D9949E9FD31ACE7
SHA-256:	B402D5C6D9AD6D3293A1067C9623C41D5EA2A3699303D3F5CD3225710D90EB46
SHA-512:	24F2E2D8C38CBE6D5973DECFB08C927C598FE76BDA44CB6D00773AD9F51E52C5599EE74DC7AD7A306075B6AFC52AC564DFBAE696680F697D15C9E9212CD39DA7
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66CEF31E-2468.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.13534158195209114
Encrypted:	false
SSDEEP:	1536:HshnCwUfHMYbt18KjHPp3RG2j+uE+iYRG:HsnClfsYx1DvpQ2j+uE+i1
MD5:	3AF1B8107A225455CBC2C4C3701A3F89
SHA1:	BD336AD551FC815B8FA8A3E648210756DDE662CB
SHA-256:	F5783B359917B0555C886554E952ACCE6A2BB712CFAFC565F80B3BB7D1CB4A22
SHA-512:	445468EE2EFE1C256850DDB6A740D2541D6490B3EC5B200CB4E4B1E9448175AF17F22A3B4500FA9B0E7EAB26C3BEDD851EC7C0AA0DCBB50C3EE7C3CAD4BA51A9
Malicious:	false
Preview:	...@..@...@.....C.].....@...............86...%..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".pdrhwe20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............(......................w..U].0r........>.........."....."...24.."."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...u...V.S@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2................ .2........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.132041621771752
Encrypted:	false
SSDEEP:	3:FiWWltlApdeXKeQwFMYLAfJrAazlYBVP/Sh/JzvPWVcRVEVg3WWD5x1:o1ApdeaEqYsMazlYBVsJDu2ziy5
MD5:	845CFA59D6B52BD2E8C24AC83A335C66
SHA1:	6882BB1CE71EB14CEF73413EFC591ACF84C63C75
SHA-256:	29645C274865D963D30413284B36CC13D7472E3CD2250152DEE468EC9DA3586F
SHA-512:	8E0E7E8CCDC8340F68DB31F519E1006FA7B99593A0C1A2425571DAF71807FBBD4527A211030162C9CE9E0584C8C418B5346C2888BEDC43950BF651FD1D40575E
Malicious:	false
Preview:	sdPC......................X..<EE..r/y..."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................fdb35e9f-12f5-40d5-8d50-87a9333d43a4............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\4720b1fd-bc9f-4ab4-b3ed-d3fc68b1a4af.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\864f21ac-f622-49d1-b879-c65ade14d1ce.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\89efa816-f860-443a-bb16-c453af0f9121.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\9476c6d7-9260-43b0-a97b-aec97e1f5f5c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7999
Entropy (8bit):	5.092172320674462
Encrypted:	false
SSDEEP:	192:stP/Rsxx8CZihnk3sY8bV+FiA66WbhaFIMYo1bLMJ:stP/Rsxx8xhXbGix6WbhaTYou
MD5:	95C73982520C2E157071736C15491E27
SHA1:	1E1C51E36B3A8A149B6F092C65A7498FFCCD91E5
SHA-256:	79B9A5397B88E241759EC2FAE397427E3B30A54654975F9B238F6AB92A8D5767
SHA-512:	628278BA15734719DBD0728AE2B9671DF489BEFD8C20C54AD7386863A530EEAEAFA8C056A458602EA981F11576C03F4D3209686FF8145E6F65DBED65A0C2779D
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369312278493287","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.231884947602785
Encrypted:	false
SSDEEP:	6:NA2nSURDt+q2P923oH+TcwtnG2tMsIFUt88A2nSRt3Zmw+8A2nSRtXVkwO923oHC:N9SIDov4Yebn9GFUt889Sr3/+89Srl5l
MD5:	E7F6393D4B7CB44B229CAED9022B44C0
SHA1:	16F452C41D51D9535B56CACB46B677DEA778633C
SHA-256:	5C220751CBA5CB7CB775877F6F551E2391C115D55C9552C78C35D42584C53689
SHA-512:	CE0F3D022184F83946612D46A7AF99440A898FE80219DCB025DEF1FA98D570923090495D65E2AD7696642960DF4E2422BE75CA6A2BDC80BB5B2AD91A18BC6FBF
Malicious:	false
Preview:	2024/08/28-05:51:26.673 24f8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/28-05:51:26.674 24f8 Recovering log #3.2024/08/28-05:51:26.674 24f8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.231884947602785
Encrypted:	false
SSDEEP:	6:NA2nSURDt+q2P923oH+TcwtnG2tMsIFUt88A2nSRt3Zmw+8A2nSRtXVkwO923oHC:N9SIDov4Yebn9GFUt889Sr3/+89Srl5l
MD5:	E7F6393D4B7CB44B229CAED9022B44C0
SHA1:	16F452C41D51D9535B56CACB46B677DEA778633C
SHA-256:	5C220751CBA5CB7CB775877F6F551E2391C115D55C9552C78C35D42584C53689
SHA-512:	CE0F3D022184F83946612D46A7AF99440A898FE80219DCB025DEF1FA98D570923090495D65E2AD7696642960DF4E2422BE75CA6A2BDC80BB5B2AD91A18BC6FBF
Malicious:	false
Preview:	2024/08/28-05:51:26.673 24f8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/28-05:51:26.674 24f8 Recovering log #3.2024/08/28-05:51:26.674 24f8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF38d0e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.231884947602785
Encrypted:	false
SSDEEP:	6:NA2nSURDt+q2P923oH+TcwtnG2tMsIFUt88A2nSRt3Zmw+8A2nSRtXVkwO923oHC:N9SIDov4Yebn9GFUt889Sr3/+89Srl5l
MD5:	E7F6393D4B7CB44B229CAED9022B44C0
SHA1:	16F452C41D51D9535B56CACB46B677DEA778633C
SHA-256:	5C220751CBA5CB7CB775877F6F551E2391C115D55C9552C78C35D42584C53689
SHA-512:	CE0F3D022184F83946612D46A7AF99440A898FE80219DCB025DEF1FA98D570923090495D65E2AD7696642960DF4E2422BE75CA6A2BDC80BB5B2AD91A18BC6FBF
Malicious:	false
Preview:	2024/08/28-05:51:26.673 24f8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/28-05:51:26.674 24f8 Recovering log #3.2024/08/28-05:51:26.674 24f8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.189780983106503
Encrypted:	false
SSDEEP:	6:NADYXtMq2P923oH+Tcwt8aPrqIFUt88ADYXt9Zmw+8ADYXTFokwO923oH+Tcwt8h:NHXtMv4YebL3FUt88HXt9/+8HXTFo5LE
MD5:	302CF3429144981AD09D5330833A1B0C
SHA1:	46EDB5324B8D4DB651F925B0426D8091CA6048BD
SHA-256:	5E833D72E8CFD4DD8F8A9FCB0BB4FB6C958B250C1A8C1DF089FD49D25FDD755F
SHA-512:	8983C9EC0A3C3B88AF324D6748B582C77F2A4E1EA23BAFB03E7F8F57D6D5912ED402C4288B68B58EC47E16BD9AE72EACD81753F16B1229A216F1DCB7304AA232
Malicious:	false
Preview:	2024/08/28-05:51:18.325 23b4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/28-05:51:18.325 23b4 Recovering log #3.2024/08/28-05:51:18.326 23b4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.189780983106503
Encrypted:	false
SSDEEP:	6:NADYXtMq2P923oH+Tcwt8aPrqIFUt88ADYXt9Zmw+8ADYXTFokwO923oH+Tcwt8h:NHXtMv4YebL3FUt88HXt9/+8HXTFo5LE
MD5:	302CF3429144981AD09D5330833A1B0C
SHA1:	46EDB5324B8D4DB651F925B0426D8091CA6048BD
SHA-256:	5E833D72E8CFD4DD8F8A9FCB0BB4FB6C958B250C1A8C1DF089FD49D25FDD755F
SHA-512:	8983C9EC0A3C3B88AF324D6748B582C77F2A4E1EA23BAFB03E7F8F57D6D5912ED402C4288B68B58EC47E16BD9AE72EACD81753F16B1229A216F1DCB7304AA232
Malicious:	false
Preview:	2024/08/28-05:51:18.325 23b4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/28-05:51:18.325 23b4 Recovering log #3.2024/08/28-05:51:18.326 23b4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.1868631260094435
Encrypted:	false
SSDEEP:	6:NADYCFq2P923oH+Tcwt865IFUt88ADYCDZZmw+8ADYCDzkwO923oH+Tcwt86+ULJ:NHCFv4Yeb/WFUt88H0/+8H05LYeb/+SJ
MD5:	9C286AC83CA01C7B78A97C6FEE789805
SHA1:	3E61FA806C5781EF183CC71E3CE04CD1BCEF9978
SHA-256:	FB470BD3D2051F2B8171E71BD5BC7325D185B92E368025EA6CC1DFE7718A22DD
SHA-512:	2BF6837CCD52F4E4BAC7283C5956A68AC870539C9DB30F9BCF28B1834DEECF4AC02B3EE2E705C779BF799BD3BE199C8D91B0B94A15F7A0BDBC645BDA80FD58F2
Malicious:	false
Preview:	2024/08/28-05:51:18.332 23b4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/28-05:51:18.333 23b4 Recovering log #3.2024/08/28-05:51:18.333 23b4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.1868631260094435
Encrypted:	false
SSDEEP:	6:NADYCFq2P923oH+Tcwt865IFUt88ADYCDZZmw+8ADYCDzkwO923oH+Tcwt86+ULJ:NHCFv4Yeb/WFUt88H0/+8H05LYeb/+SJ
MD5:	9C286AC83CA01C7B78A97C6FEE789805
SHA1:	3E61FA806C5781EF183CC71E3CE04CD1BCEF9978
SHA-256:	FB470BD3D2051F2B8171E71BD5BC7325D185B92E368025EA6CC1DFE7718A22DD
SHA-512:	2BF6837CCD52F4E4BAC7283C5956A68AC870539C9DB30F9BCF28B1834DEECF4AC02B3EE2E705C779BF799BD3BE199C8D91B0B94A15F7A0BDBC645BDA80FD58F2
Malicious:	false
Preview:	2024/08/28-05:51:18.332 23b4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/28-05:51:18.333 23b4 Recovering log #3.2024/08/28-05:51:18.333 23b4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.166844355334754
Encrypted:	false
SSDEEP:	6:NA2Y39+q2P923oH+Tcwt8NIFUt88A2Y32WZmw+8A2Y39VkwO923oH+Tcwt8+eLJ:NGN+v4YebpFUt88GmW/+8GNV5LYebqJ
MD5:	4E2F6FB7B7772DACBDFC3D712237B434
SHA1:	F307F6758DE8F5940C248F513C4D230D46A7918D
SHA-256:	ABCAB7B38F97F69E88A6D2C2ABCBDD8F436CDF04CEE695B42904BC8F13E42319
SHA-512:	4BB75A045BD30E2EA3868C4DCCEC7E40BFC0DF0061D9EA41CB2EA2DFA0075418402839FC26ACE8F7492E6F12B5932DFDB5B5EADA2AA54672476CF09B9224C418
Malicious:	false
Preview:	2024/08/28-05:51:26.782 24cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/28-05:51:26.782 24cc Recovering log #3.2024/08/28-05:51:26.782 24cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.166844355334754
Encrypted:	false
SSDEEP:	6:NA2Y39+q2P923oH+Tcwt8NIFUt88A2Y32WZmw+8A2Y39VkwO923oH+Tcwt8+eLJ:NGN+v4YebpFUt88GmW/+8GNV5LYebqJ
MD5:	4E2F6FB7B7772DACBDFC3D712237B434
SHA1:	F307F6758DE8F5940C248F513C4D230D46A7918D
SHA-256:	ABCAB7B38F97F69E88A6D2C2ABCBDD8F436CDF04CEE695B42904BC8F13E42319
SHA-512:	4BB75A045BD30E2EA3868C4DCCEC7E40BFC0DF0061D9EA41CB2EA2DFA0075418402839FC26ACE8F7492E6F12B5932DFDB5B5EADA2AA54672476CF09B9224C418
Malicious:	false
Preview:	2024/08/28-05:51:26.782 24cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/28-05:51:26.782 24cc Recovering log #3.2024/08/28-05:51:26.782 24cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old~RF38d7c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.166844355334754
Encrypted:	false
SSDEEP:	6:NA2Y39+q2P923oH+Tcwt8NIFUt88A2Y32WZmw+8A2Y39VkwO923oH+Tcwt8+eLJ:NGN+v4YebpFUt88GmW/+8GNV5LYebqJ
MD5:	4E2F6FB7B7772DACBDFC3D712237B434
SHA1:	F307F6758DE8F5940C248F513C4D230D46A7918D
SHA-256:	ABCAB7B38F97F69E88A6D2C2ABCBDD8F436CDF04CEE695B42904BC8F13E42319
SHA-512:	4BB75A045BD30E2EA3868C4DCCEC7E40BFC0DF0061D9EA41CB2EA2DFA0075418402839FC26ACE8F7492E6F12B5932DFDB5B5EADA2AA54672476CF09B9224C418
Malicious:	false
Preview:	2024/08/28-05:51:26.782 24cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/28-05:51:26.782 24cc Recovering log #3.2024/08/28-05:51:26.782 24cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.193583884899969
Encrypted:	false
SSDEEP:	6:NA843+q2P923oH+Tcwt8a2jMGIFUt88AXWZmw+8A4UVkwO923oH+Tcwt8a2jMmLJ:NsOv4Yeb8EFUt88D/+8s5LYeb8bJ
MD5:	BD764F0E25FD83DB48D961C4640A131A
SHA1:	8633958F7DA9A7BEE04DD02D83503E83073B01E7
SHA-256:	43EA33E0F15F6C4792FC9BCBC1B0EB94AAABAB7E15383CA6B2481416464432CE
SHA-512:	6E1476D41DA6C92428F7501C3098D7B807A1B25A5812F6CD95BF0D20F3F5D900686D2E2D5FC742A9D0668636000DD6B09F46D308D963506EA496AB0E1409445B
Malicious:	false
Preview:	2024/08/28-05:51:27.092 2638 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/08/28-05:51:27.093 2638 Recovering log #3.2024/08/28-05:51:27.096 2638 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.193583884899969
Encrypted:	false
SSDEEP:	6:NA843+q2P923oH+Tcwt8a2jMGIFUt88AXWZmw+8A4UVkwO923oH+Tcwt8a2jMmLJ:NsOv4Yeb8EFUt88D/+8s5LYeb8bJ
MD5:	BD764F0E25FD83DB48D961C4640A131A
SHA1:	8633958F7DA9A7BEE04DD02D83503E83073B01E7
SHA-256:	43EA33E0F15F6C4792FC9BCBC1B0EB94AAABAB7E15383CA6B2481416464432CE
SHA-512:	6E1476D41DA6C92428F7501C3098D7B807A1B25A5812F6CD95BF0D20F3F5D900686D2E2D5FC742A9D0668636000DD6B09F46D308D963506EA496AB0E1409445B
Malicious:	false
Preview:	2024/08/28-05:51:27.092 2638 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/08/28-05:51:27.093 2638 Recovering log #3.2024/08/28-05:51:27.096 2638 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\4fded1fb-4851-4ed6-a2a6-07d52b115347.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\57577e81-d3e7-4c26-94e2-6d29e796d6c9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\83486188-1a10-4040-8196-7d8aa36a6e5a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF38ed3.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF38ed3.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\d8bde7f4-1439-4bd2-8931-6f9193c39298.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.091530403899123
Encrypted:	false
SSDEEP:	192:stP/Rsg1x8CZihnk3sY8bV+FiA66WbhaFIMYoXbLMJ:stP/Rsg1x8xhXbGix6WbhaTYoQ
MD5:	15415C0B197DA4AFFDC9179057BA01EA
SHA1:	F2835C27BD91832F2B4E1B07482F596D7EB88A53
SHA-256:	8EBDCF1730E54C7342DE7F60B1E03A04D5F19731D77A2B64FFC6F99C154A5797
SHA-512:	F4DE6DFAEC12A833B247CB9E2581CF7ED4168C09FE1403B47B65AD7307B58D18F0AFC17D1F2E27B621D3B57F43E9C7B06CA3DD6653D01AAD55BA39742D4CE156
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369312278493287","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF38e37.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.091530403899123
Encrypted:	false
SSDEEP:	192:stP/Rsg1x8CZihnk3sY8bV+FiA66WbhaFIMYoXbLMJ:stP/Rsg1x8xhXbGix6WbhaTYoQ
MD5:	15415C0B197DA4AFFDC9179057BA01EA
SHA1:	F2835C27BD91832F2B4E1B07482F596D7EB88A53
SHA-256:	8EBDCF1730E54C7342DE7F60B1E03A04D5F19731D77A2B64FFC6F99C154A5797
SHA-512:	F4DE6DFAEC12A833B247CB9E2581CF7ED4168C09FE1403B47B65AD7307B58D18F0AFC17D1F2E27B621D3B57F43E9C7B06CA3DD6653D01AAD55BA39742D4CE156
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369312278493287","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.568329831472549
Encrypted:	false
SSDEEP:	768:qCcpWtWPsXfI38F1+UoAYDCx9Tuqh0VfUC9xbog/OVkhYK3rwFDp8tub:qCcpWtWPsXfI3u1jaJqKkFitQ
MD5:	C029CDDC3816108F724C5634DFC2685B
SHA1:	E1F1054F37E10D23AD71F2E9D32359C08FD25733
SHA-256:	A76B06F59C40122103B3023562ED033975F0BE91BE1D1A921026D64AB10F9BC1
SHA-512:	769F96ED8F01F5E76F32D4FDD3F2464B792DD349851DC65F85E511853D57B5545616631C0E8F29948652DD99A7C208B1163613758D550F340436534D52C25C97
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369312278286152","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369312278286152","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.1657152776360915
Encrypted:	false
SSDEEP:	6:NADV+q2P923oH+Tcwt7Uh2ghZIFUt88ADBZmw+8ADVVkwO923oH+Tcwt7Uh2gnLJ:Nhv4YebIhHh2FUt88c/+8c5LYebIhHLJ
MD5:	126F9D308F513B4D933313D74B1261B8
SHA1:	C9617B51D6F4A99DD25F9A649BD4273FC358847E
SHA-256:	BDF2FF60D88F074D2CCBDA14B9B5D06EEA88E5DB51EB3099AA30B40B67695611
SHA-512:	F5E62AC82715AA42C24BBCAD33F914BA2B527B1B172C28FB093445CB453EAED3A68E1B73495AF18430A3DD7D24BE372DFEE70DEE9AF2D07D4D33A2474E7D8E8E
Malicious:	false
Preview:	2024/08/28-05:51:18.276 23f8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/28-05:51:18.276 23f8 Recovering log #3.2024/08/28-05:51:18.276 23f8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.1657152776360915
Encrypted:	false
SSDEEP:	6:NADV+q2P923oH+Tcwt7Uh2ghZIFUt88ADBZmw+8ADVVkwO923oH+Tcwt7Uh2gnLJ:Nhv4YebIhHh2FUt88c/+8c5LYebIhHLJ
MD5:	126F9D308F513B4D933313D74B1261B8
SHA1:	C9617B51D6F4A99DD25F9A649BD4273FC358847E
SHA-256:	BDF2FF60D88F074D2CCBDA14B9B5D06EEA88E5DB51EB3099AA30B40B67695611
SHA-512:	F5E62AC82715AA42C24BBCAD33F914BA2B527B1B172C28FB093445CB453EAED3A68E1B73495AF18430A3DD7D24BE372DFEE70DEE9AF2D07D4D33A2474E7D8E8E
Malicious:	false
Preview:	2024/08/28-05:51:18.276 23f8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/28-05:51:18.276 23f8 Recovering log #3.2024/08/28-05:51:18.276 23f8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF38d6c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.1657152776360915
Encrypted:	false
SSDEEP:	6:NADV+q2P923oH+Tcwt7Uh2ghZIFUt88ADBZmw+8ADVVkwO923oH+Tcwt7Uh2gnLJ:Nhv4YebIhHh2FUt88c/+8c5LYebIhHLJ
MD5:	126F9D308F513B4D933313D74B1261B8
SHA1:	C9617B51D6F4A99DD25F9A649BD4273FC358847E
SHA-256:	BDF2FF60D88F074D2CCBDA14B9B5D06EEA88E5DB51EB3099AA30B40B67695611
SHA-512:	F5E62AC82715AA42C24BBCAD33F914BA2B527B1B172C28FB093445CB453EAED3A68E1B73495AF18430A3DD7D24BE372DFEE70DEE9AF2D07D4D33A2474E7D8E8E
Malicious:	false
Preview:	2024/08/28-05:51:18.276 23f8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/28-05:51:18.276 23f8 Recovering log #3.2024/08/28-05:51:18.276 23f8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\07709de8-3f72-49ec-8095-fe2823f9f67d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3886039372934488
Encrypted:	false
SSDEEP:	24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:	DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:	949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:	3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:	7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\a50cf51e-1b1c-474a-b3ca-456cb7c14f21.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.216724701630968
Encrypted:	false
SSDEEP:	6:NA2nSuRDpM+q2P923oH+TcwtpIFUt88A2nOZmw+8A2nxMVkwO923oH+Tcwta/WLJ:N9ScpM+v4YebmFUt889O/+89xMV5LYev
MD5:	442E6B6F268694386754ABE652BEEE44
SHA1:	AADC3E3CB37E34077ECA94DAB60C00A039561D2D
SHA-256:	999F232843408B6FF94C82DD4A68243A862F4E6C1E2A31A0EDD1228C1C1C2423
SHA-512:	0DABB8345E267D0AEB2C7FF354D9A12FDA883F129837E89C5C0F774FB8F71F62EDBC7CFF2D732D6C66CCD2C6B92C9C5D543511CA35CB1582E0B3BA28534E536D
Malicious:	false
Preview:	2024/08/28-05:51:26.679 24fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/28-05:51:26.680 24fc Recovering log #3.2024/08/28-05:51:26.680 24fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.216724701630968
Encrypted:	false
SSDEEP:	6:NA2nSuRDpM+q2P923oH+TcwtpIFUt88A2nOZmw+8A2nxMVkwO923oH+Tcwta/WLJ:N9ScpM+v4YebmFUt889O/+89xMV5LYev
MD5:	442E6B6F268694386754ABE652BEEE44
SHA1:	AADC3E3CB37E34077ECA94DAB60C00A039561D2D
SHA-256:	999F232843408B6FF94C82DD4A68243A862F4E6C1E2A31A0EDD1228C1C1C2423
SHA-512:	0DABB8345E267D0AEB2C7FF354D9A12FDA883F129837E89C5C0F774FB8F71F62EDBC7CFF2D732D6C66CCD2C6B92C9C5D543511CA35CB1582E0B3BA28534E536D
Malicious:	false
Preview:	2024/08/28-05:51:26.679 24fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/28-05:51:26.680 24fc Recovering log #3.2024/08/28-05:51:26.680 24fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF38d0e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.216724701630968
Encrypted:	false
SSDEEP:	6:NA2nSuRDpM+q2P923oH+TcwtpIFUt88A2nOZmw+8A2nxMVkwO923oH+Tcwta/WLJ:N9ScpM+v4YebmFUt889O/+89xMV5LYev
MD5:	442E6B6F268694386754ABE652BEEE44
SHA1:	AADC3E3CB37E34077ECA94DAB60C00A039561D2D
SHA-256:	999F232843408B6FF94C82DD4A68243A862F4E6C1E2A31A0EDD1228C1C1C2423
SHA-512:	0DABB8345E267D0AEB2C7FF354D9A12FDA883F129837E89C5C0F774FB8F71F62EDBC7CFF2D732D6C66CCD2C6B92C9C5D543511CA35CB1582E0B3BA28534E536D
Malicious:	false
Preview:	2024/08/28-05:51:26.679 24fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/28-05:51:26.680 24fc Recovering log #3.2024/08/28-05:51:26.680 24fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1222240500024472
Encrypted:	false
SSDEEP:	384:b2qOB1nxCk4SAELyKOMq+8yC8F/YfU5m+OlT:Kq+n0T9ELyKOMq+8y9/Ow
MD5:	4C36DCC8AAC52900D7F76DC266CC4FC9
SHA1:	E97CC4BE0502001BA5AD8C388775A7DF3C3DC700
SHA-256:	1A440FA56082AC803D9114A78E4C762A8980B5DB0E9DEF881BC6D49B162D3131
SHA-512:	E7963D675D1776D20FFF1DF5DB1B668432BAA513A75A300AF83D0A7570FA68648AF570CCFBB8B02F11DF16D45F48C5B7C8A5576E99E32CB28AB930FC47BF8C8D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\c2a647a4-2e7d-4fbb-a557-017deef5c595.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.568329831472549
Encrypted:	false
SSDEEP:	768:qCcpWtWPsXfI38F1+UoAYDCx9Tuqh0VfUC9xbog/OVkhYK3rwFDp8tub:qCcpWtWPsXfI3u1jaJqKkFitQ
MD5:	C029CDDC3816108F724C5634DFC2685B
SHA1:	E1F1054F37E10D23AD71F2E9D32359C08FD25733
SHA-256:	A76B06F59C40122103B3023562ED033975F0BE91BE1D1A921026D64AB10F9BC1
SHA-512:	769F96ED8F01F5E76F32D4FDD3F2464B792DD349851DC65F85E511853D57B5545616631C0E8F29948652DD99A7C208B1163613758D550F340436534D52C25C97
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369312278286152","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369312278286152","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\c70d43d3-6e2e-44ae-8f5a-fea7f2ecf3f7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\f705b971-5de6-4ee2-b9e6-42f24008fdbe.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.091530403899123
Encrypted:	false
SSDEEP:	192:stP/Rsg1x8CZihnk3sY8bV+FiA66WbhaFIMYoXbLMJ:stP/Rsg1x8xhXbGix6WbhaTYoQ
MD5:	15415C0B197DA4AFFDC9179057BA01EA
SHA1:	F2835C27BD91832F2B4E1B07482F596D7EB88A53
SHA-256:	8EBDCF1730E54C7342DE7F60B1E03A04D5F19731D77A2B64FFC6F99C154A5797
SHA-512:	F4DE6DFAEC12A833B247CB9E2581CF7ED4168C09FE1403B47B65AD7307B58D18F0AFC17D1F2E27B621D3B57F43E9C7B06CA3DD6653D01AAD55BA39742D4CE156
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369312278493287","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4108834313259155
Encrypted:	false
SSDEEP:	24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8e+ZcI5fc:TnUYVAKAFXX+CcEc
MD5:	8593795778EA3EC8221366AA2FBBA867
SHA1:	2F307D4925183EA13E7BE637CB93ECAF2BA9810A
SHA-256:	F3C17873660988454A5A403D047FCE88379D1FE8917A89C98E6EB940F8929C03
SHA-512:	CC86DD61ACEDA6F2927C4C23CBD6D426F2C8CD1DF65E342C76D07153ACBF801F9B297F8EF182097CBABBDE6A49C90AF0E7A38E49AB53DF3FD2EC2D5BC675099A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049731726990245535
Encrypted:	false
SSDEEP:	6:Gd0JAmu8jH0JAmu8rtCL9XCChslotGLNl0ml/XoQDeX:zJXsJXQpEjVl/XoQ
MD5:	C54B3D1870E84B11D259971CBC7B34F7
SHA1:	5F3D7D108711BA075CC8DFD4A079363B4F36DADB
SHA-256:	AC3A97348BF70C13B6BA0618708EE0F39FCA5644BAC0D2CD12CD9B5647D18F15
SHA-512:	4A0033E46E0309DC121922D795DC011FF830BA85FA02681A80C1FC1F145820526C328980034B21F20DFE4F83FA15F8D9D7FBB6F85024A614021E73AD24CFEFAD
Malicious:	false
Preview:	..-.....................:Db.W.v..4..}..tT...l...-.....................:Db.W.v..4..}..tT...l.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.243114033569141
Encrypted:	false
SSDEEP:	6:NA2CaqM+q2P923oH+TcwtfrK+IFUt88A2hqZZmw+8A2hqMMVkwO923oH+TcwtfrF:NMM+v4Yeb23FUt88GZ/+8GMMV5LYeb3J
MD5:	E6B1994E881C2B88461B926A4FFB8113
SHA1:	7A5A0624EA12932438104B5C786FD76A0A8A2E6C
SHA-256:	6A1B7B123EEF5D7ABA474FAC23A1200D7F5BB90975DC6CD8F9279AAA997A81AF
SHA-512:	C9CF073E413B1129A1D4BB0AE2F7CB21E546FA92F0BDE1BF4451D942F2214E75FBFE665025DF5F6F7F67956C9860E5932CC67195235262F15B4DD835453E4F2F
Malicious:	false
Preview:	2024/08/28-05:51:26.742 24fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/28-05:51:26.743 24fc Recovering log #3.2024/08/28-05:51:26.743 24fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.243114033569141
Encrypted:	false
SSDEEP:	6:NA2CaqM+q2P923oH+TcwtfrK+IFUt88A2hqZZmw+8A2hqMMVkwO923oH+TcwtfrF:NMM+v4Yeb23FUt88GZ/+8GMMV5LYeb3J
MD5:	E6B1994E881C2B88461B926A4FFB8113
SHA1:	7A5A0624EA12932438104B5C786FD76A0A8A2E6C
SHA-256:	6A1B7B123EEF5D7ABA474FAC23A1200D7F5BB90975DC6CD8F9279AAA997A81AF
SHA-512:	C9CF073E413B1129A1D4BB0AE2F7CB21E546FA92F0BDE1BF4451D942F2214E75FBFE665025DF5F6F7F67956C9860E5932CC67195235262F15B4DD835453E4F2F
Malicious:	false
Preview:	2024/08/28-05:51:26.742 24fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/28-05:51:26.743 24fc Recovering log #3.2024/08/28-05:51:26.743 24fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old~RF38d5c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.243114033569141
Encrypted:	false
SSDEEP:	6:NA2CaqM+q2P923oH+TcwtfrK+IFUt88A2hqZZmw+8A2hqMMVkwO923oH+TcwtfrF:NMM+v4Yeb23FUt88GZ/+8GMMV5LYeb3J
MD5:	E6B1994E881C2B88461B926A4FFB8113
SHA1:	7A5A0624EA12932438104B5C786FD76A0A8A2E6C
SHA-256:	6A1B7B123EEF5D7ABA474FAC23A1200D7F5BB90975DC6CD8F9279AAA997A81AF
SHA-512:	C9CF073E413B1129A1D4BB0AE2F7CB21E546FA92F0BDE1BF4451D942F2214E75FBFE665025DF5F6F7F67956C9860E5932CC67195235262F15B4DD835453E4F2F
Malicious:	false
Preview:	2024/08/28-05:51:26.742 24fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/28-05:51:26.743 24fc Recovering log #3.2024/08/28-05:51:26.743 24fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	821
Entropy (8bit):	4.072934107791413
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Uz0RuWlJhC+lvBavRtin01zvZDEtlkyBrgxvB1ySxs:G0nYUtypD3RUovhC+lvBOL+t3IvB8Sxs
MD5:	4BF02D21DA57104917A69930154C8AB2
SHA1:	C6ED5CE894DD9F539FD8E830B2F40E30CCAE6820
SHA-256:	588F7B31FA9A3559FAB4F6492807FD86CB6791018BFD24CB1906B1B06648D8EB
SHA-512:	D3D687A0194CF98A5A007E2FA8B7B6C31FFF6E677549FF829FE1A048B8074B4A751130A4CB57CED484A28547080550FE0CF18D5DA2B152D087EA1C7FB7A6677A
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J\|.................37_...... .A.................38_..........................39_........].................20_.....Owa..................20_.....`..N.................19_.....D8.X.................18_......`...................37_..........................38_......\e..................39_.....dz.\|.................9_.....'\c..................9_.......f-.................__global... .\|.&R.................__global... ./....................__global... ..T...................__global... ...G..................__global... ......................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.247758668262185
Encrypted:	false
SSDEEP:	6:NA2R0MM+q2P923oH+TcwtfrzAdIFUt88A2R0ZZmw+8A2EMVkwO923oH+TcwtfrzS:NXrM+v4Yeb9FUt88XI/+8aMV5LYeb2J
MD5:	7127A71FA3AE57961D6761013F49EEA3
SHA1:	9F346221153E20800412222E8EBE44302170053E
SHA-256:	A1C5D9AB007D653A922BC14AF8A7653C9812B53C83F632C12429FBBE30D237D2
SHA-512:	C9726BB1607CB0152ED140EAB534E56223031123155D1B218AF505D4FD70F390377CE54760A672E547B947413E655EC2E63AF2D7CA8B62606A61F2779E6CEB32
Malicious:	false
Preview:	2024/08/28-05:51:26.738 24fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/28-05:51:26.738 24fc Recovering log #3.2024/08/28-05:51:26.739 24fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.247758668262185
Encrypted:	false
SSDEEP:	6:NA2R0MM+q2P923oH+TcwtfrzAdIFUt88A2R0ZZmw+8A2EMVkwO923oH+TcwtfrzS:NXrM+v4Yeb9FUt88XI/+8aMV5LYeb2J
MD5:	7127A71FA3AE57961D6761013F49EEA3
SHA1:	9F346221153E20800412222E8EBE44302170053E
SHA-256:	A1C5D9AB007D653A922BC14AF8A7653C9812B53C83F632C12429FBBE30D237D2
SHA-512:	C9726BB1607CB0152ED140EAB534E56223031123155D1B218AF505D4FD70F390377CE54760A672E547B947413E655EC2E63AF2D7CA8B62606A61F2779E6CEB32
Malicious:	false
Preview:	2024/08/28-05:51:26.738 24fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/28-05:51:26.738 24fc Recovering log #3.2024/08/28-05:51:26.739 24fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old~RF38d4d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.247758668262185
Encrypted:	false
SSDEEP:	6:NA2R0MM+q2P923oH+TcwtfrzAdIFUt88A2R0ZZmw+8A2EMVkwO923oH+TcwtfrzS:NXrM+v4Yeb9FUt88XI/+8aMV5LYeb2J
MD5:	7127A71FA3AE57961D6761013F49EEA3
SHA1:	9F346221153E20800412222E8EBE44302170053E
SHA-256:	A1C5D9AB007D653A922BC14AF8A7653C9812B53C83F632C12429FBBE30D237D2
SHA-512:	C9726BB1607CB0152ED140EAB534E56223031123155D1B218AF505D4FD70F390377CE54760A672E547B947413E655EC2E63AF2D7CA8B62606A61F2779E6CEB32
Malicious:	false
Preview:	2024/08/28-05:51:26.738 24fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/28-05:51:26.738 24fc Recovering log #3.2024/08/28-05:51:26.739 24fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090707374991258
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMQwuF9hDO6vP6O+1tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEG6Etbz8hu3VlXr4CRo1
MD5:	5DB04C8F5C4293B8EB8EFF6F0614F976
SHA1:	39A85E7FDAFAAD3E9CA7119B5418A31BA4E77760
SHA-256:	454E3A2D2874DF7E5C8FCFBA397C2DE46EC21A6FB0448194E87F93327F24C55F
SHA-512:	BAA1DD931EAB84F63C96D20CB3F1C9D0FFF6110B701655D83998825FEDC1DD8B9B90A2DDDA2A008DD79760AFFCBD672B5EFA99CDD57E10477A4C9D59E52D2D00
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF36c96.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090707374991258
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMQwuF9hDO6vP6O+1tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEG6Etbz8hu3VlXr4CRo1
MD5:	5DB04C8F5C4293B8EB8EFF6F0614F976
SHA1:	39A85E7FDAFAAD3E9CA7119B5418A31BA4E77760
SHA-256:	454E3A2D2874DF7E5C8FCFBA397C2DE46EC21A6FB0448194E87F93327F24C55F
SHA-512:	BAA1DD931EAB84F63C96D20CB3F1C9D0FFF6110B701655D83998825FEDC1DD8B9B90A2DDDA2A008DD79760AFFCBD672B5EFA99CDD57E10477A4C9D59E52D2D00
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF36dde.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090707374991258
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMQwuF9hDO6vP6O+1tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEG6Etbz8hu3VlXr4CRo1
MD5:	5DB04C8F5C4293B8EB8EFF6F0614F976
SHA1:	39A85E7FDAFAAD3E9CA7119B5418A31BA4E77760
SHA-256:	454E3A2D2874DF7E5C8FCFBA397C2DE46EC21A6FB0448194E87F93327F24C55F
SHA-512:	BAA1DD931EAB84F63C96D20CB3F1C9D0FFF6110B701655D83998825FEDC1DD8B9B90A2DDDA2A008DD79760AFFCBD672B5EFA99CDD57E10477A4C9D59E52D2D00
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF36ea9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090707374991258
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMQwuF9hDO6vP6O+1tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEG6Etbz8hu3VlXr4CRo1
MD5:	5DB04C8F5C4293B8EB8EFF6F0614F976
SHA1:	39A85E7FDAFAAD3E9CA7119B5418A31BA4E77760
SHA-256:	454E3A2D2874DF7E5C8FCFBA397C2DE46EC21A6FB0448194E87F93327F24C55F
SHA-512:	BAA1DD931EAB84F63C96D20CB3F1C9D0FFF6110B701655D83998825FEDC1DD8B9B90A2DDDA2A008DD79760AFFCBD672B5EFA99CDD57E10477A4C9D59E52D2D00
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF38d5c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090707374991258
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMQwuF9hDO6vP6O+1tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEG6Etbz8hu3VlXr4CRo1
MD5:	5DB04C8F5C4293B8EB8EFF6F0614F976
SHA1:	39A85E7FDAFAAD3E9CA7119B5418A31BA4E77760
SHA-256:	454E3A2D2874DF7E5C8FCFBA397C2DE46EC21A6FB0448194E87F93327F24C55F
SHA-512:	BAA1DD931EAB84F63C96D20CB3F1C9D0FFF6110B701655D83998825FEDC1DD8B9B90A2DDDA2A008DD79760AFFCBD672B5EFA99CDD57E10477A4C9D59E52D2D00
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF38dab.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090707374991258
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMQwuF9hDO6vP6O+1tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEG6Etbz8hu3VlXr4CRo1
MD5:	5DB04C8F5C4293B8EB8EFF6F0614F976
SHA1:	39A85E7FDAFAAD3E9CA7119B5418A31BA4E77760
SHA-256:	454E3A2D2874DF7E5C8FCFBA397C2DE46EC21A6FB0448194E87F93327F24C55F
SHA-512:	BAA1DD931EAB84F63C96D20CB3F1C9D0FFF6110B701655D83998825FEDC1DD8B9B90A2DDDA2A008DD79760AFFCBD672B5EFA99CDD57E10477A4C9D59E52D2D00
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF38e28.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090707374991258
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMQwuF9hDO6vP6O+1tbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEG6Etbz8hu3VlXr4CRo1
MD5:	5DB04C8F5C4293B8EB8EFF6F0614F976
SHA1:	39A85E7FDAFAAD3E9CA7119B5418A31BA4E77760
SHA-256:	454E3A2D2874DF7E5C8FCFBA397C2DE46EC21A6FB0448194E87F93327F24C55F
SHA-512:	BAA1DD931EAB84F63C96D20CB3F1C9D0FFF6110B701655D83998825FEDC1DD8B9B90A2DDDA2A008DD79760AFFCBD672B5EFA99CDD57E10477A4C9D59E52D2D00
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zET:/M/xT02z8
MD5:	AC81EF9540AC3DDCC4546B82AC3801BD
SHA1:	1AC27855FABFA8AF62752DA91E2A6EADC815CBBC
SHA-256:	4A2C8BA05BE86A2182B9BCC9AEC916588CC9502F4F505CD79991AF8326EC11E4
SHA-512:	D27635D446F0AEA20E138F96BEDEDF118CCF0BC8560CB2E11AB0AACE9D320E989164E2971DAB20571A9B6D9A1B4A52CAAF78084D2141372D77516F52ABD222AB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
MD5:	265DB1C9337422F9AF69EF2B4E1C7205
SHA1:	3E38976BB5CF035C75C9BC185F72A80E70F41C2E
SHA-256:	7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
SHA-512:	3CC9B76D8D4B6EDB4C41677BE3483AC37785F3BBFEA4489F3855433EBF84EA25FC48EFEE9B74CAB268DC9CB7FB4789A81C94E75C7BF723721DE28AEF53D8B529
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\a6146928-38f2-4dce-818b-3b08a53fd420.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44669
Entropy (8bit):	6.096078531047158
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBcFushDO6vP6OAgP6yjFLGocGoup1Xl3jVzXr4CCz:z/Ps+wsI7yOEl6gg1chu3VlXr4CRo1
MD5:	05A54D130084B99B8BCE2706EA46B04D
SHA1:	9E3CFA39E0F0624DDB494E519EE24F8278C0B7C3
SHA-256:	06B2DB42C5C8F3A132D1ABD0A0B7CC533AA2695A8A90E2122CCED54B840DD285
SHA-512:	E3A7B078652F1549626CB856E9A0583847517DA1FC7A6DD3DD613F5FF7D2491541941A06928EBECCCB58CE443FC3F6D4399EC745CC41A87FF643D14CDD1982F8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.837550031930985
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxDxl9Il8ufaiDFuAlSY3oe8JAa0SPd1rc:miY5aiDcAlSyf8di
MD5:	55D870791E7C0CC2033965CE99C44D38
SHA1:	73B9B3DBA9542B8470156579EB3EAAABE16F61B9
SHA-256:	ADEA890F8CED6203204B388CF36CF983B9AE9216AFC7BA4C089CD74AA9DC98C8
SHA-512:	55434129BEA00AB5389FC2F546D42E38726555F210E9F3914AE2700BA201582420FB3B0CF30048FDD20B1BA054F6E1FECF131C9E8B294760ED469E4BAEE16B6C
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.B.y.j.L.T.j.5.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.6.y.2.N.a.i.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.001404224495481
Encrypted:	false
SSDEEP:	96:bY5ahHpM9vW5RKsZsYlPcLe0dl7YMgwbD3dM1NbplGmjkAtxWJ:bR2lwJ0C0VdM1Hlvjkm0
MD5:	1AF7511839F965F1590728A66FAF296B
SHA1:	813CC11AC4947AE6E009A974D54209D896974526
SHA-256:	53178C683C9B31008AD9641E3F4296476DD41732B184F809C837912BBA8CB936
SHA-512:	E199923EA6E2499BA95373D0D797014A12941C2A09627706C3EB833115A75ACE52845F997E0A5B0100B957FCB3DA9EC17B86841EB84CDD9F2F65138A53DB8572
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".N.6.j.5.E.z.D.5.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.6.y.2.N.a.i.

C:\Users\user\AppData\Local\Temp\chrome_PuffinComponentUnpacker_BeginUnzipping7260_429672752\manifest.fingerprint

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.87107305218322
Encrypted:	false
SSDEEP:	3:SddQLtQSnUunhU1mWrO2V:S/QZHThyay
MD5:	0C9218609241DBAA26EBA66D5AAF08AB
SHA1:	31F1437C07241E5F075268212C11A566CEB514EC
SHA-256:	52493422AC4C18918DC91EF5C4D0E50C130EA3AA99915FA542B890A79EA94F2B
SHA-512:	5D25A1FB8D9E902647673975F13D7CA11E1F00F3C19449973D6B466D333198768E777B8CAE5BECEF5C66C9A0C0EF320A65116B5070C66E3B9844461BB0FFA47F
Malicious:	false
Preview:	1.8BFD50D350D47445B57BB1D61BBDE41CEDA7AC43DC81FCE95BF1AC646D97D2A0

C:\Users\user\AppData\Local\Temp\chrome_PuffinComponentUnpacker_BeginUnzipping7260_429672752\manifest.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	134
Entropy (8bit):	4.405914533496662
Encrypted:	false
SSDEEP:	3:3FFhAWAUNhRKpEbXKS2XAXMWxQHJCzhiFfASvAcWxQHJCr2SkhSA:3FFWeRl2QIpCU4SvrpCSSkhSA
MD5:	58D3CA1189DF439D0538A75912496BCF
SHA1:	99AF5B6A006A6929CC08744D1B54E3623FEC2F36
SHA-256:	A946DB31A6A985BDB64EA9F403294B479571CA3C22215742BDC26EA1CF123437
SHA-512:	AFD7F140E89472D4827156EC1C48DA488B0D06DAAA737351C7BEC6BC12EDFC4443460C4AC169287350934CA66FB2F883347ED8084C62CAF9F883A736243194A2
Malicious:	false
Preview:	{.. "description" : "AutoLaunch Protocols Preregistration",.. "name" : "Protocol Preregistration",.. "version" : "1.0.0.8"..}

C:\Users\user\AppData\Local\Temp\chrome_PuffinComponentUnpacker_BeginUnzipping7260_429672752\protocols.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3164
Entropy (8bit):	4.532278538438865
Encrypted:	false
SSDEEP:	48:O//uidcRcrcNc0cTc8cs+PcrcNc0cTc8csLcrcNc0cTc8cstcrcNc0cTc8csH:O//uWJ2UH
MD5:	6BBB18BB210B0AF189F5D76A65F7AD80
SHA1:	87B804075E78AF64293611A637504273FADFE718
SHA-256:	01594D510A1BBC016897EC89402553ECA423DFDC8B82BAFBC5653BF0C976F57C
SHA-512:	4788EDCFA3911C3BB2BE8FC447166C330E8AC389F74E8C44E13238EAD2FA45C8538AEE325BD0D1CC40D91AD47DEA1AA94A92148A62983144FDECFF2130EE120D
Malicious:	false
Preview:	{.. "allow": [.. {.. "origins": [.. "https://.get.microsoft.com",.. "https://.apps.microsoft.com".. ],.. "protocol": "ms-windows-store".. },.. {.. "origins": [.. "https://.onedrive.com",.. "https://.onedrive.live.com",.. "https://sharepoint.com".. ],.. "protocol": "ms-word".. },.. {.. "origins": [.. "https://[a-z1-9-]word-edit.officeapps.live.com",.. "https://[a-z1-9-]word-view.officeapps.live.com",.. "https://[a-z1-9-]onenote.officeapps.live.com",.. "https://[a-z1-9-]eap.officeapps.live.com",.. "https://[a-z1-9-]shared.officeapps.live.com",.. "https://[a-z1-9-]afhs.officeapps.live.com",.. "https://[a-z1-9-]vhs.officeapps.live.com",.. "https://[a-z1-9-]optin.online.office.com".. ],.. "use_regex": true,.. "protocol": "ms-word".. },.. {.. "origins": [.. "https://.onedrive.com",.. "https://.onedrive.li

C:\Users\user\AppData\Local\Temp\chrome_PuffinComponentUnpacker_BeginUnzipping7260_443118391\crl-set

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	22465
Entropy (8bit):	7.792434406814338
Encrypted:	false
SSDEEP:	384:Vt71+czeWhU6yVS2Ddc0fp/9yYoIJgWUeJuDzeG0LOsr2h9ltQYX9hVPz/HG1pBu:j4sBwVPDdFhVyYoPWUiuXeG0K5dQYXFr
MD5:	D246E8DC614619AD838C649E09969503
SHA1:	70B7CF937136E17D8CF325B7212F58CBA5975B53
SHA-256:	9DD9FBA7C78050B841643E8D12E58BA9CCA9084C98039F1EBFF13245655652E1
SHA-512:	736933316EE05520E7839DB46DA466EF94E5624BA61B414452B818B47D18DCD80D3404B750269DA04912DDE8F23118F6DFC9752C7BDF1AFC5E07016D9C055FDB
Malicious:	false
Preview:	..{"Version":0,"ContentType":"CRLSet","Sequence":172,"DeltaFrom":0,"NumParents":202,"BlockedSPKIs":["Jdoa1Yu/z7In2HI7GFfUwY57qnQXtPnv+TZrXoafizk=","j1kfeqTcPv6UkMOKRpLJAR7RKPHeWVVpQG13tvofa0w=","BN3pqpp59hSYaCMl+ghwJ2cH+5ypU4QSC0aJMmhJT8k=","DEPqi83p/DvKFlZkrIIVVn40idU5OgyB4aeRQZkuGVM=","eBpM8ukkUvPuAdDDgaQhTzkEFlw5CtvWH80RJE4Jstw=","/NdsyiNH5c1bOTR/Uc9DZUtpor/JBzZwpr5H2HAebg4=","wO0gU0a7veButWD1zuAqNjTiR0p+ds+PvvVjuxF90OM=","fNKVt1VEgIq9lAlGbwg3xarcAuM7YVDGZE3goJZZ8jw=","lo26afv/Fb83YgiUMa3lp+rUt+rxvnACaBC8V9HGT24=","0x7DkoW3pTGdAVfbQg7YfHQ+Mzu8d/h3H3BGT0NqYEk=","h7/Yr6OvW0KdCamqVO5hNk9a4REx5Dj8QQlTQ80WsTU=","li5LVLuYp+5dX+uWM/mR08MwDpUU2t57DU+CjHlPjoc=","6EnHF2yT32X2S2FpgjZuVmMReBK2+ivAyPqK6u5Bgcw=","oM9T9CJlHjkxeuMa9kV3vkUPo3biie2DQrf8EzxpdBk=","r1kVGOLmxg67/AkHr6pJvEBR1F5/IUq/7nUS7gD2Ye0=","LcTLWR9+8GY0QWRrz1wOnbze13ygKUUZPO/G7bF0BhQ=","TNsGDzz+TD0/XjHDAP1oqR4NHl9Gtk5IlfIOG1z4Jp8=","qbVam1Uxu/fHGh5JIO/nlsK2eWj1Wmzly2IXLtmUW8o=","NuqWEoyJg5+2IfitDh7gucIgb2Kre02ixnZYk8m3ztI=","nFmjzK

C:\Users\user\AppData\Local\Temp\chrome_PuffinComponentUnpacker_BeginUnzipping7260_443118391\manifest.fingerprint

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.782311074154073
Encrypted:	false
SSDEEP:	3:SRA7thSVkCh8Wh5mthARdZ:SWn1i8Waa
MD5:	33FC4BF1927352BC1845ACDDE3A6BA63
SHA1:	63AC2F004AC10198E729E9CCF55F6AC4F7F3C622
SHA-256:	4ED04E713C9D8F5D80E83645B62F1BE84EC0516D37F339B3D443D8F792DEA113
SHA-512:	7E38E264713750BAF58DD9AD779885A7AAE5A6FCB825EAA44B3CF814DD09CD0BF8F95B5AB5DB600D19A64B02EC2155B4C9A3BC2A86E9B18EECE8B3100E8C2FF1
Malicious:	false
Preview:	1.44C48B9ECD87ACDDD850F9AA5E1C9D48B7A398DEC13D376CD62D55DADBD464A5

C:\Users\user\AppData\Local\Temp\chrome_PuffinComponentUnpacker_BeginUnzipping7260_443118391\manifest.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.605066571713889
Encrypted:	false
SSDEEP:	3:3FFhAWAUNXxAujmZ2+mvbhifFXAuArmvD2S3zsFXMdgSFv:3FFWe9TK37ArdS34Ma+
MD5:	B6911958067E8D96526537FAED1BB9EF
SHA1:	A47B5BE4FE5BC13948F891D8F92917E3A11EBB6E
SHA-256:	341B28D49C6B736574539180DD6DE17C20831995FE29E7BC986449FBC5CAA648
SHA-512:	62802F6F6481ACB8B99A21631365C50A58EAF8FFDF7D9287D492A7B815C837D6A6377342E24350805FB8A01B7E67816C333EC98DCD16854894AEB7271EA39062
Malicious:	false
Preview:	{.. "description": "Microsoft CRLSet",.. "name": "MicrosoftCRLSet",.. "version": "6498.2023.8.1"..}..

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1880
Entropy (8bit):	5.393180694972177
Encrypted:	false
SSDEEP:	48:Yzj57SnaJ57H57Uv5W1Sj5W175zuR5z+5zn071eDJk5c1903bj5jJp0gcU854Rr1:8e2Fa116uCntc5toYJf
MD5:	85CBEAF5BD831035544BDF612E19C1B6
SHA1:	317A003832D8A8233015D55FBCB323ABDB044D2C
SHA-256:	95588E1F4B5A91FE84574DF01B27A175453484F868B4358AC3ED0B997673B2CB
SHA-512:	D0FD1A228E5ED34B9C10CCE9255F195E3D9BA7C2527FFCD3C644F85B809BB8B2AA7D4EA520D3C5397364505FAA624C67EB9DC75540D31DCBF4FA2064AF04CCE4
Malicious:	false
Preview:	{"logTime": "1004/133448", "correlationVector":"vYS73lRT+EoO2Owh9jsc+Y","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"n/KhuHPhHmYXokB31+JZz7","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"fclQx26bUZO07waFEDe6Fn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"0757l0tkKt37vNrdCKAm8w","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"uTRRkmbbqkgK/wPBCS4fct","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"2DrXipL1ngF91RN7IemK0e","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"d0GyjEgnW85fvDIojHVIXI","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"PvfzGWRutB/kmuXUK+c8XA","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"29CB75FBC4C942E0817A1F7A0E2CF647

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\875a60a09683c344.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5114857831373305
Encrypted:	false
SSDEEP:	48:pE2a/kdO3h+RsJurjzBdLXuHfQkDpL2ATnlsudO3bRsJurjzngdLXuHfQk+21:5yi3u/QkDApPnIu/Qkz
MD5:	AF48548456B0679A3D64C791031125B0
SHA1:	9406240A27B62D828B87F0666BD6E15697D919D9
SHA-256:	EBBB5E96289D7CC0AD4D4C457FC0E69129AFE1BF9599DD58B9949F377818F00D
SHA-512:	A97F825FC9A0D739BD617D69A5B53A17A790A2525AF0BADD2F476147777462BAC0BF2CE728481EEAADF8E63510E7BCA36E3F98517F1FB4FD5CCFBE47997AD44C
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K......./....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW r..PROGRA~2.........O.IDW r....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW r..MICROS~1..D......(Ux..YbN..........................z.J.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..YaN..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..YaN....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9QYVBDTU455WMKW5E2ZU.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5114857831373305
Encrypted:	false
SSDEEP:	48:pE2a/kdO3h+RsJurjzBdLXuHfQkDpL2ATnlsudO3bRsJurjzngdLXuHfQk+21:5yi3u/QkDApPnIu/Qkz
MD5:	AF48548456B0679A3D64C791031125B0
SHA1:	9406240A27B62D828B87F0666BD6E15697D919D9
SHA-256:	EBBB5E96289D7CC0AD4D4C457FC0E69129AFE1BF9599DD58B9949F377818F00D
SHA-512:	A97F825FC9A0D739BD617D69A5B53A17A790A2525AF0BADD2F476147777462BAC0BF2CE728481EEAADF8E63510E7BCA36E3F98517F1FB4FD5CCFBE47997AD44C
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K......./....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW r..PROGRA~2.........O.IDW r....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW r..MICROS~1..D......(Ux..YbN..........................z.J.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..YaN..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..YaN....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EQDQJJXGHYMA3X9DG81U.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5105128456834738
Encrypted:	false
SSDEEP:	48:pETnlsudO3bRsJurjzBdLXuHfQkDpL2ATnlsudO3bRsJurjzngdLXuHfQk+21:rP3u/QkDApPnIu/Qkz
MD5:	92866D64197EDFCF7F31B198405CD69C
SHA1:	B65E5C13D1702093C569DA30C0838EA7D772722C
SHA-256:	C3CA858E9426DC7F9EDB5D9E922F4074789105637A9989F555C578B8BA6645B0
SHA-512:	2D2214835D45FC7B219623FA21512EA56FF4471D5E2F146DAA289FD04EA5ACFBACE8FFC3B0D439AA810B92CEF4BB6C7B664B2DDAF321296F2F87DDE540A9F6FC
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K......./....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Y\N..PROGRA~2.........O.I.Y\N....................V....._E..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW r..MICROS~1..D......(Ux..YbN..........................z.J.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..YdN...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..YaN..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..YaN....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5105128456834738
Encrypted:	false
SSDEEP:	48:pETnlsudO3bRsJurjzBdLXuHfQkDpL2ATnlsudO3bRsJurjzngdLXuHfQk+21:rP3u/QkDApPnIu/Qkz
MD5:	92866D64197EDFCF7F31B198405CD69C
SHA1:	B65E5C13D1702093C569DA30C0838EA7D772722C
SHA-256:	C3CA858E9426DC7F9EDB5D9E922F4074789105637A9989F555C578B8BA6645B0
SHA-512:	2D2214835D45FC7B219623FA21512EA56FF4471D5E2F146DAA289FD04EA5ACFBACE8FFC3B0D439AA810B92CEF4BB6C7B664B2DDAF321296F2F87DDE540A9F6FC
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K......./....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Y\N..PROGRA~2.........O.I.Y\N....................V....._E..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW r..MICROS~1..D......(Ux..YbN..........................z.J.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..YdN...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..YaN..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..YaN....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579772092263265
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	c3ac879f55d769f91be14ebfcf568f4a
SHA1:	9232232646d0ed1b0c92034463e8835728735182
SHA256:	10acf950ae7a3d5a17e14d54cf12ed0472f6ccee7444f86529429fcfdfd34a41
SHA512:	bf577f1f03bac9f2e94266d4fbea6796e9cd621e3d11039330304381bec443142f3e77b7a88b42b07b6ef179f38f1a70c04c08d72733d2df2e16897ce49da055
SSDEEP:	12288:2qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTi:2qDEvCTbMWu7rQYlBQcBiT6rprG8asi
TLSH:	6D159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CEEB3E [Wed Aug 28 09:17:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FF37CD09453h
jmp 00007FF37CD08D5Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF37CD08F3Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FF37CD08F0Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FF37CD0BAFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FF37CD0BB48h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FF37CD0BB31h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95c8	0x9600	21dc94330add837dbe076ae733985c64	False	0.28692708333333333	data	5.165421682901568	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x890	data			1.0050182481751824
RT_GROUP_ICON	0xdd048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 11:50:57.145697117 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:50:57.145703077 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:50:57.239428997 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:06.784621000 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:06.845827103 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:06.889100075 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:08.484970093 CEST	443	49705	23.1.237.91	192.168.2.5
Aug 28, 2024 11:51:08.485088110 CEST	49705	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:09.092525959 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.092546940 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.092605114 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.092665911 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.092683077 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.092732906 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.092848063 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.092863083 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.092945099 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.092958927 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.264700890 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.264738083 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.264837980 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.265235901 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.265276909 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.265379906 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.265542030 CEST	49730	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.265551090 CEST	443	49730	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.265602112 CEST	49730	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.265805960 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.265818119 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.266447067 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.266455889 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.266531944 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.266727924 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.266740084 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.266932964 CEST	49730	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.266941071 CEST	443	49730	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.267328978 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.267342091 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.325922012 CEST	49732	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.325956106 CEST	443	49732	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.326013088 CEST	49732	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.326791048 CEST	49732	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.326801062 CEST	443	49732	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.724510908 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.725121021 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.725146055 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.726253033 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.726309061 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.728209019 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.728276968 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.728565931 CEST	443	49730	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.729156017 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.729165077 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.729331970 CEST	49730	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.729343891 CEST	443	49730	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.730370045 CEST	443	49730	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.730427980 CEST	49730	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.732343912 CEST	49730	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.732400894 CEST	443	49730	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.732626915 CEST	49730	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.732634068 CEST	443	49730	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.741080999 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.741508007 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.741527081 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.741883993 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.742161036 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.742187977 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.742625952 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.742677927 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.743618965 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.743659973 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.743690968 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.743833065 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.744673967 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.744687080 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.745080948 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.745168924 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.745203972 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.745593071 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.745945930 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.745969057 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.747060061 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.747116089 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.747935057 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.747997046 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.748241901 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.748250008 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.751266956 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.751434088 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.751444101 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.752423048 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.752485991 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.753340006 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.753393888 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.753658056 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.753663063 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.781445980 CEST	443	49732	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.781646013 CEST	49732	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.781652927 CEST	443	49732	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.782784939 CEST	443	49732	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.782840967 CEST	49732	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.783925056 CEST	49732	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.783992052 CEST	443	49732	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.785511017 CEST	49732	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.785516024 CEST	443	49732	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.788510084 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.839422941 CEST	443	49730	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.839483976 CEST	49730	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.839656115 CEST	49730	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.839668989 CEST	443	49730	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.841706991 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.841753006 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.841775894 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.841797113 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.841809034 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.841813087 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.841860056 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.842700958 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.842716932 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.844319105 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.844320059 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.844345093 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.844345093 CEST	49732	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.853462934 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.853482008 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.853493929 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.853513956 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.853521109 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.853523970 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.853542089 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.853553057 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.853564024 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.853596926 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.853888035 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.853940964 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.854494095 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.854507923 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.883394003 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.883456945 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.883537054 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.883730888 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.883743048 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.893595934 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.893663883 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.893711090 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.893887043 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.893897057 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.916836023 CEST	443	49732	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.916960955 CEST	443	49732	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.917011023 CEST	49732	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.917236090 CEST	49732	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:09.917243958 CEST	443	49732	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:09.937762022 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.937771082 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.937804937 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.937838078 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.937851906 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.937886953 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.937901974 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.939368963 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.939383984 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.939419985 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.939429998 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:09.939460039 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.939471960 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:09.986643076 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:09.986669064 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:09.986855030 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:09.988600969 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:09.988615036 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:10.028819084 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:10.028840065 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:10.028915882 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:10.028923988 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:10.028970003 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:10.028995991 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:10.029051065 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:10.029055119 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:10.029092073 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:10.030031919 CEST	49727	443	192.168.2.5	13.107.246.60
Aug 28, 2024 11:51:10.030040026 CEST	443	49727	13.107.246.60	192.168.2.5
Aug 28, 2024 11:51:10.663165092 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:10.663295031 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:10.688886881 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:10.688913107 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:10.689192057 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:10.752167940 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:10.796499968 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:10.943073034 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:10.943133116 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:10.943322897 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:10.945624113 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:10.945640087 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:10.945687056 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:10.945692062 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:10.991493940 CEST	49737	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:10.991523981 CEST	443	49737	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:10.991589069 CEST	49737	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:10.991966009 CEST	49737	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:10.991978884 CEST	443	49737	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:11.379565954 CEST	49738	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.379620075 CEST	443	49738	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.379818916 CEST	49738	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.380708933 CEST	49739	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.380748034 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.380851984 CEST	49739	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.384995937 CEST	49738	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.385010958 CEST	443	49738	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.385229111 CEST	49739	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.385246038 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.631573915 CEST	443	49737	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:11.631653070 CEST	49737	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:11.641915083 CEST	49737	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:11.641936064 CEST	443	49737	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:11.642187119 CEST	443	49737	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:11.657464027 CEST	49737	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:11.700511932 CEST	443	49737	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:11.841327906 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.841633081 CEST	49739	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.841646910 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.842185020 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.842641115 CEST	49739	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.842721939 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.850214958 CEST	443	49738	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.850414038 CEST	49738	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.850436926 CEST	443	49738	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.850764036 CEST	443	49738	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.851037979 CEST	49738	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.851094007 CEST	443	49738	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.855500937 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:11.855540037 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:11.855607033 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:11.855647087 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:11.855679035 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:11.855726004 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:11.856259108 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:11.856271982 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:11.856669903 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:11.856682062 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:11.894331932 CEST	49738	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.907767057 CEST	443	49737	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:11.907839060 CEST	443	49737	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:11.907886982 CEST	49737	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:11.915339947 CEST	49737	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:11.915354013 CEST	443	49737	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:11.915365934 CEST	49737	443	192.168.2.5	184.28.90.27
Aug 28, 2024 11:51:11.915371895 CEST	443	49737	184.28.90.27	192.168.2.5
Aug 28, 2024 11:51:12.052500010 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:12.052572012 CEST	49739	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:12.153912067 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.153943062 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.154118061 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.154325008 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.154345036 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.327050924 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.327265978 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.327277899 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.327636003 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.327696085 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.328349113 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.328408957 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.329777002 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.329859972 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.330075026 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.330082893 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.331398010 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.331733942 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.331753969 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.332154989 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.332216024 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.332962990 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.333024979 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.333451986 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.333513975 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.333770037 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.333777905 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.377141953 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.377238035 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.610769033 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.610773087 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.610869884 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.610873938 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.610932112 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.610939026 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.612072945 CEST	49740	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.612087965 CEST	443	49740	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.614922047 CEST	49741	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.614938974 CEST	443	49741	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.652117968 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.652405977 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.652426004 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.653573990 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.653640032 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.654670000 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.654736042 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.654855967 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.696506023 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.710412979 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.710424900 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.753298998 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.755445957 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.755495071 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.755574942 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.755580902 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.755592108 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.755633116 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.755640984 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.755749941 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.755803108 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.757359028 CEST	49742	443	192.168.2.5	142.250.81.228
Aug 28, 2024 11:51:12.757370949 CEST	443	49742	142.250.81.228	192.168.2.5
Aug 28, 2024 11:51:12.925122023 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.925158024 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.925287008 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.925369024 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.925400019 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.925592899 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.925607920 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:12.925628901 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.925865889 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.925879955 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.389452934 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.389535904 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.431723118 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.436532974 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.439832926 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.439841986 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.440061092 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.440068960 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.440512896 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.440557003 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.440579891 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.440638065 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.441271067 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.441272020 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.441329956 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.441404104 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.441836119 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.441905975 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.442281961 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.442356110 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.483566999 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.483575106 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.483676910 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.483690977 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.523777008 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.530442953 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:17.160676003 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:17.160700083 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:17.160779953 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:17.161820889 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:17.161837101 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:17.846740961 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:17.846903086 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:17.848900080 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:17.848910093 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:17.849145889 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:17.892086029 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:18.436206102 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:18.480490923 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:18.661631107 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:18.661660910 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:18.661669016 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:18.661678076 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:18.661706924 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:18.661766052 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:18.661766052 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:18.661784887 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:18.661797047 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:18.661849976 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:18.662384987 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:18.662486076 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:18.662535906 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:19.529803991 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:19.529840946 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:19.529853106 CEST	49745	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:19.529860973 CEST	443	49745	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:20.812350988 CEST	49705	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:20.812459946 CEST	49705	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:20.814472914 CEST	49752	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:20.814508915 CEST	443	49752	23.1.237.91	192.168.2.5
Aug 28, 2024 11:51:20.814594984 CEST	49752	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:20.817213058 CEST	443	49705	23.1.237.91	192.168.2.5
Aug 28, 2024 11:51:20.817223072 CEST	443	49705	23.1.237.91	192.168.2.5
Aug 28, 2024 11:51:20.821403980 CEST	49752	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:20.821419001 CEST	443	49752	23.1.237.91	192.168.2.5
Aug 28, 2024 11:51:21.426027060 CEST	443	49752	23.1.237.91	192.168.2.5
Aug 28, 2024 11:51:21.426157951 CEST	49752	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:21.624490976 CEST	50934	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:21.630284071 CEST	53	50934	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:21.630367994 CEST	50934	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:21.658438921 CEST	53	50934	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:22.096499920 CEST	50934	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:22.102214098 CEST	53	50934	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:22.102276087 CEST	50934	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:26.751667976 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:26.751750946 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:26.751792908 CEST	49739	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:26.756551027 CEST	443	49738	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:26.756622076 CEST	443	49738	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:26.756679058 CEST	49738	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:40.587074995 CEST	443	49752	23.1.237.91	192.168.2.5
Aug 28, 2024 11:51:40.587254047 CEST	49752	443	192.168.2.5	23.1.237.91
Aug 28, 2024 11:51:58.278225899 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:58.278280973 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:58.278348923 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:58.278912067 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:58.278925896 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:58.485702038 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:58.485703945 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:58.485724926 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:58.485729933 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:58.988138914 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:58.988358021 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:58.998569012 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:58.998594046 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:58.998830080 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.007318020 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:59.052496910 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.255976915 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.256000996 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.256015062 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.256128073 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:59.256155968 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.256215096 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:59.256252050 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.256294966 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.256304026 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:59.256315947 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.256359100 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:59.257277966 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.257324934 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:59.261431932 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:59.261451960 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:51:59.261464119 CEST	50935	443	192.168.2.5	13.85.23.86
Aug 28, 2024 11:51:59.261471033 CEST	443	50935	13.85.23.86	192.168.2.5
Aug 28, 2024 11:52:03.712460041 CEST	50936	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:03.712516069 CEST	443	50936	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:03.712600946 CEST	50936	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:03.712806940 CEST	50937	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:03.712841988 CEST	443	50937	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:03.712893009 CEST	50937	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:03.713083029 CEST	50936	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:03.713095903 CEST	443	50936	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:03.713196993 CEST	50937	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:03.713208914 CEST	443	50937	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.176850080 CEST	443	50936	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.177268028 CEST	50936	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.177294016 CEST	443	50936	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.177653074 CEST	443	50936	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.177968025 CEST	50936	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.178033113 CEST	443	50936	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.178111076 CEST	50936	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.191329002 CEST	443	50937	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.191565037 CEST	50937	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.191580057 CEST	443	50937	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.191926956 CEST	443	50937	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.192276955 CEST	50937	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.192348957 CEST	443	50937	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.224503994 CEST	443	50936	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.235544920 CEST	50937	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.316709995 CEST	443	50936	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.316780090 CEST	443	50936	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.316828966 CEST	50936	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.316951990 CEST	50936	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.316968918 CEST	443	50936	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.118299961 CEST	62103	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:52:06.123796940 CEST	53	62103	1.1.1.1	192.168.2.5
Aug 28, 2024 11:52:06.123883009 CEST	62103	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:52:06.128961086 CEST	53	62103	1.1.1.1	192.168.2.5
Aug 28, 2024 11:52:06.143801928 CEST	62104	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.143840075 CEST	443	62104	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.143886089 CEST	62105	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.143917084 CEST	443	62105	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.143925905 CEST	62104	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.143991947 CEST	62105	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.144118071 CEST	62104	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.144133091 CEST	443	62104	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.144227982 CEST	62105	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.144243002 CEST	443	62105	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.594099998 CEST	62103	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:52:06.601617098 CEST	53	62103	1.1.1.1	192.168.2.5
Aug 28, 2024 11:52:06.601670980 CEST	62103	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:52:06.603761911 CEST	443	62105	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.603991032 CEST	62105	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.604006052 CEST	443	62105	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.604348898 CEST	443	62105	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.604657888 CEST	62105	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.604722977 CEST	443	62105	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.618880987 CEST	443	62104	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.619127989 CEST	62104	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.619143963 CEST	443	62104	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.619482040 CEST	443	62104	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.619748116 CEST	62104	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.619812012 CEST	443	62104	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.657607079 CEST	62105	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.674381971 CEST	62104	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.709922075 CEST	62107	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:06.709949970 CEST	443	62107	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:06.710062981 CEST	62107	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:06.710239887 CEST	62107	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:06.710253000 CEST	443	62107	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:07.173439026 CEST	443	62107	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:07.173878908 CEST	62107	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:07.173902988 CEST	443	62107	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:07.174232006 CEST	443	62107	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:07.174865007 CEST	62107	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:07.174885988 CEST	62107	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:07.174930096 CEST	443	62107	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:07.219676971 CEST	62107	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:07.534262896 CEST	443	62107	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:07.534694910 CEST	62107	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:07.534750938 CEST	443	62107	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:07.534816027 CEST	62107	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:07.535394907 CEST	62108	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:07.535439968 CEST	443	62108	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:07.535506964 CEST	62108	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:07.535711050 CEST	62108	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:07.535723925 CEST	443	62108	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:08.025743961 CEST	443	62108	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:08.026077986 CEST	62108	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:08.026093960 CEST	443	62108	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:08.027131081 CEST	443	62108	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:08.027208090 CEST	62108	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:08.027499914 CEST	62108	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:08.027561903 CEST	443	62108	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:08.027657986 CEST	62108	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:08.027664900 CEST	443	62108	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:08.079070091 CEST	62108	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:08.310270071 CEST	443	62108	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:08.310656071 CEST	443	62108	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:08.310714006 CEST	62108	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:08.352030993 CEST	62108	443	192.168.2.5	23.54.161.105
Aug 28, 2024 11:52:08.352051973 CEST	443	62108	23.54.161.105	192.168.2.5
Aug 28, 2024 11:52:11.766845942 CEST	49738	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:11.766889095 CEST	443	49738	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:11.766925097 CEST	49739	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:11.766957045 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:19.095145941 CEST	443	50937	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:19.095228910 CEST	443	50937	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:19.095293999 CEST	50937	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:21.228821039 CEST	50937	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:21.228835106 CEST	443	50937	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:21.508603096 CEST	443	62105	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:21.508672953 CEST	443	62105	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:21.508783102 CEST	62105	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:21.524518967 CEST	443	62104	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:21.524588108 CEST	443	62104	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:21.524643898 CEST	62104	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:43.501147985 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:52:43.501168966 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:52:43.501173019 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:52:43.501188040 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:52:54.274305105 CEST	62105	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:54.274342060 CEST	443	62105	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:54.274343014 CEST	62104	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:54.274372101 CEST	443	62104	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:54.276527882 CEST	49739	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:54.276546001 CEST	443	49739	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:54.276566982 CEST	49738	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:54.276595116 CEST	443	49738	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:54.276614904 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:52:54.276649952 CEST	49743	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:52:54.276711941 CEST	443	49744	142.251.40.206	192.168.2.5
Aug 28, 2024 11:52:54.276731014 CEST	443	49743	142.251.40.206	192.168.2.5
Aug 28, 2024 11:52:54.276763916 CEST	49744	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:52:54.276788950 CEST	49743	443	192.168.2.5	142.251.40.206

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 11:51:04.991152048 CEST	53	65394	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:06.128089905 CEST	64607	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:06.128434896 CEST	50961	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:07.300311089 CEST	53	65220	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:07.341320992 CEST	53	49901	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:09.255136013 CEST	52923	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:09.255362988 CEST	49581	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:09.255964041 CEST	51173	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:09.256150007 CEST	49495	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:09.256504059 CEST	63767	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:09.256727934 CEST	60346	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:09.257498026 CEST	50003	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:09.257738113 CEST	53696	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:09.261873960 CEST	53	52923	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:09.261898041 CEST	53	49581	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:09.262588024 CEST	53	51173	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:09.262778997 CEST	53	49495	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:09.263411999 CEST	53	60346	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:09.263422012 CEST	53	63767	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:09.264782906 CEST	53	50003	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:09.264800072 CEST	53	53696	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:09.318243980 CEST	58239	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:09.318408966 CEST	50828	53	192.168.2.5	1.1.1.1
Aug 28, 2024 11:51:09.325120926 CEST	53	58239	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:09.325486898 CEST	53	50828	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:11.064351082 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.378688097 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.514782906 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.514796019 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.514806032 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.514817953 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.514832020 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.515249014 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.521394014 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.522043943 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.522147894 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.522708893 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.523063898 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.622759104 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.622772932 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.622781038 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.622788906 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.622798920 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.623156071 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.623236895 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.623475075 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.624651909 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.624752998 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.624859095 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.718600035 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.757858038 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.757975101 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:11.854068041 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.854556084 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.854690075 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:11.855010033 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:12.056126118 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:12.056231022 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:12.151839972 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:12.152872086 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:12.152884007 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:12.153039932 CEST	443	51362	162.159.61.3	192.168.2.5
Aug 28, 2024 11:51:12.153220892 CEST	51362	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:51:12.618402958 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:12.924792051 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.085457087 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.085660934 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.086858988 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.092377901 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.092390060 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.092401981 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.092653990 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.092767954 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.093378067 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.162260056 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.162260056 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.162549973 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.162929058 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.162939072 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.170623064 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.258426905 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.259222984 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.259490013 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.259536028 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.264580965 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.264825106 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.289637089 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.289884090 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.290126085 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.292695045 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.293062925 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.293773890 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:13.333547115 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:13.386914968 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:20.832151890 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:20.951180935 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:20.973833084 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:20.974549055 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:20.977473021 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:21.017291069 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:21.096309900 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:21.623753071 CEST	53	54657	1.1.1.1	192.168.2.5
Aug 28, 2024 11:51:41.842197895 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:41.842247963 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:41.936711073 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:41.964842081 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:41.965183973 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:41.965682030 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:41.973670959 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:41.973721981 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:42.068197012 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:42.092495918 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:42.095649958 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:42.095691919 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:42.095958948 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:42.096014023 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:42.127151012 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:42.215735912 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:42.755584955 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:42.755615950 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:42.850078106 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:42.876825094 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:42.877906084 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:42.878196001 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:42.878464937 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:51:42.908418894 CEST	58802	443	192.168.2.5	142.251.40.206
Aug 28, 2024 11:51:42.997802019 CEST	443	58802	142.251.40.206	192.168.2.5
Aug 28, 2024 11:52:03.712215900 CEST	60715	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.017076015 CEST	60715	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.182112932 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.182140112 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.182152987 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.182197094 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.182681084 CEST	60715	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.184572935 CEST	60715	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.184678078 CEST	60715	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.184936047 CEST	60715	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.214796066 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.279715061 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.279810905 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.279822111 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.279830933 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.280472040 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.280533075 CEST	60715	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.280613899 CEST	60715	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.282849073 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.313744068 CEST	60715	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:04.374644995 CEST	443	60715	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:04.407701015 CEST	60715	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.117866039 CEST	53	59905	1.1.1.1	192.168.2.5
Aug 28, 2024 11:52:06.143454075 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.456161976 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.596589088 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.596602917 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.596615076 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.596645117 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.597126961 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.600229979 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.602267981 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.602421045 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.602658033 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.602787971 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.701927900 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.701945066 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.701952934 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.701962948 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.701972961 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.702404976 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.702486038 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.703320026 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.704346895 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.708465099 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.709161997 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.709358931 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:06.803312063 CEST	443	61608	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:06.829567909 CEST	61608	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:12.740185022 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:12.740329027 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:12.740705013 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:12.740835905 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:13.096863031 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:13.201222897 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:13.201241016 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:13.201252937 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:13.201262951 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:13.201267004 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:13.256000996 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:13.256127119 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:13.256197929 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:13.256247044 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:13.350044966 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:13.350056887 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:13.455212116 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:13.550627947 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:13.551124096 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:13.551436901 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:13.551670074 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:13.552503109 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:13.552627087 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:13.855050087 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:13.855334044 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:13.907310009 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.038193941 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.038232088 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.038414001 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.039025068 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.039156914 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.039581060 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.039608955 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.039798975 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.039824009 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.124852896 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:14.125528097 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:14.125986099 CEST	443	59866	162.159.61.3	192.168.2.5
Aug 28, 2024 11:52:14.126188040 CEST	59866	443	192.168.2.5	162.159.61.3
Aug 28, 2024 11:52:14.126912117 CEST	58379	443	192.168.2.5	142.251.179.84
Aug 28, 2024 11:52:14.127032042 CEST	58379	443	192.168.2.5	142.251.179.84
Aug 28, 2024 11:52:14.130711079 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.130974054 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.140567064 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.140806913 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.141228914 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.141237974 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.141468048 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.141588926 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.166713953 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.166953087 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.169934034 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.170160055 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.170196056 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.180520058 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.180866003 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.181723118 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.219686985 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.431068897 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.431588888 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.432252884 CEST	443	54496	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:14.432452917 CEST	54496	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:14.586556911 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.587104082 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.587116957 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.587166071 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.587183952 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.587465048 CEST	58379	443	192.168.2.5	142.251.179.84
Aug 28, 2024 11:52:14.588073015 CEST	58379	443	192.168.2.5	142.251.179.84
Aug 28, 2024 11:52:14.588294029 CEST	58379	443	192.168.2.5	142.251.179.84
Aug 28, 2024 11:52:14.866575956 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.866590023 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.866601944 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.866713047 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.866766930 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.866780996 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.867007971 CEST	58379	443	192.168.2.5	142.251.179.84
Aug 28, 2024 11:52:14.867294073 CEST	58379	443	192.168.2.5	142.251.179.84
Aug 28, 2024 11:52:14.867396116 CEST	58379	443	192.168.2.5	142.251.179.84
Aug 28, 2024 11:52:14.892441988 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:14.892734051 CEST	58379	443	192.168.2.5	142.251.179.84
Aug 28, 2024 11:52:14.996062040 CEST	443	58379	142.251.179.84	192.168.2.5
Aug 28, 2024 11:52:44.912203074 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:44.912352085 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:45.860970020 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:45.973227978 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:45.973295927 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:45.973304033 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:45.973915100 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:45.973993063 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:45.974319935 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:45.974333048 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:46.064835072 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:46.065330982 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:46.067874908 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:46.068018913 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:46.072439909 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:46.072601080 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:46.072614908 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:46.101826906 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:46.102049112 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:46.102222919 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:46.142154932 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:46.160240889 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:46.195637941 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:47.644289017 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:47.644335032 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:47.739423037 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:47.766556025 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:47.768349886 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:47.768362045 CEST	443	64209	142.251.40.110	192.168.2.5
Aug 28, 2024 11:52:47.768682003 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:47.797804117 CEST	64209	443	192.168.2.5	142.251.40.110
Aug 28, 2024 11:52:47.888020992 CEST	443	64209	142.251.40.110	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 28, 2024 11:51:06.128089905 CEST	192.168.2.5	1.1.1.1	0x37ec	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:06.128434896 CEST	192.168.2.5	1.1.1.1	0xc1a2	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Aug 28, 2024 11:51:09.255136013 CEST	192.168.2.5	1.1.1.1	0xd159	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.255362988 CEST	192.168.2.5	1.1.1.1	0xb20d	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 28, 2024 11:51:09.255964041 CEST	192.168.2.5	1.1.1.1	0xc272	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.256150007 CEST	192.168.2.5	1.1.1.1	0x9706	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 28, 2024 11:51:09.256504059 CEST	192.168.2.5	1.1.1.1	0xf31b	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.256727934 CEST	192.168.2.5	1.1.1.1	0xc311	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 28, 2024 11:51:09.257498026 CEST	192.168.2.5	1.1.1.1	0xec1a	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.257738113 CEST	192.168.2.5	1.1.1.1	0x3cce	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 28, 2024 11:51:09.318243980 CEST	192.168.2.5	1.1.1.1	0x6d47	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.318408966 CEST	192.168.2.5	1.1.1.1	0x6e16	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 28, 2024 11:51:06.135545969 CEST	1.1.1.1	192.168.2.5	0xc1a2	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 28, 2024 11:51:06.135646105 CEST	1.1.1.1	192.168.2.5	0x37ec	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 28, 2024 11:51:09.091976881 CEST	1.1.1.1	192.168.2.5	0xd04f	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 28, 2024 11:51:09.091976881 CEST	1.1.1.1	192.168.2.5	0xd04f	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.261873960 CEST	1.1.1.1	192.168.2.5	0xd159	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.261873960 CEST	1.1.1.1	192.168.2.5	0xd159	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.261898041 CEST	1.1.1.1	192.168.2.5	0xb20d	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 28, 2024 11:51:09.262588024 CEST	1.1.1.1	192.168.2.5	0xc272	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.262588024 CEST	1.1.1.1	192.168.2.5	0xc272	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.262778997 CEST	1.1.1.1	192.168.2.5	0x9706	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 28, 2024 11:51:09.263411999 CEST	1.1.1.1	192.168.2.5	0xc311	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 28, 2024 11:51:09.263422012 CEST	1.1.1.1	192.168.2.5	0xf31b	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.263422012 CEST	1.1.1.1	192.168.2.5	0xf31b	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.264782906 CEST	1.1.1.1	192.168.2.5	0xec1a	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.264782906 CEST	1.1.1.1	192.168.2.5	0xec1a	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.264800072 CEST	1.1.1.1	192.168.2.5	0x3cce	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 28, 2024 11:51:09.325120926 CEST	1.1.1.1	192.168.2.5	0x6d47	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.325120926 CEST	1.1.1.1	192.168.2.5	0x6d47	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 28, 2024 11:51:09.325486898 CEST	1.1.1.1	192.168.2.5	0x6e16	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

chrome.cloudflare-dns.com

edgeassetservice.azureedge.net

fs.microsoft.com

https:

www.google.com

slscr.update.microsoft.com

bzib.nelreports.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49728	162.159.61.3	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:09 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-28 09:51:09 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-28 09:51:09 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 28 Aug 2024 09:51:09 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ba366b64a6141ec-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 09:51:09 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 0b 00 04 8e fb 28 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49730	162.159.61.3	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:09 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-28 09:51:09 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-28 09:51:09 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 28 Aug 2024 09:51:09 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ba366b63c544402-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 09:51:09 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 ff 00 04 8e fa 50 23 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomP#)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49731	162.159.61.3	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:09 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-28 09:51:09 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-28 09:51:09 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 28 Aug 2024 09:51:09 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ba366b67cde8c72-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 09:51:09 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 11 00 04 8e fb 28 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom(c)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49726	13.107.246.60	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:09 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-28 09:51:09 UTC	538	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:51:09 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Fri, 23 Aug 2024 00:10:35 GMT ETag: 0x8DCC30802EF150E x-ms-request-id: 95d786f7-901e-0026-728f-f8f3b3000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240828T095109Z-15c77d89844n6dtp5f09y9f4c80000000ms000000000319u Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-08-28 09:51:09 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49727	13.107.246.60	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:09 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.47 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-28 09:51:09 UTC	583	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 09:51:09 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Fri, 02 Aug 2024 18:10:35 GMT ETag: 0x8DCB31E67C22927 x-ms-request-id: 66f87118-601e-001a-2116-f94768000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240828T095109Z-15c77d89844jhl6gb132cscd340000000g50000000002mxe Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-08-28 09:51:09 UTC	15801	IN	Data Raw: 1f 8b 08 08 1a 21 ad 66 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: !fasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-08-28 09:51:09 UTC	16384	IN	Data Raw: 4a b0 09 cb 82 45 ac c5 f3 e8 07 bb 82 71 ba da 2a 0b c7 62 2c 30 96 c2 52 09 74 65 c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 Data Ascii: JEqb,0Rte\|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49*-lx53Bu;hQ-]bU%+/M!eC8Y1
2024-08-28 09:51:09 UTC	16384	IN	Data Raw: 2f 4d 35 19 b9 3f d5 c1 f4 52 a7 67 b3 99 ff bc b7 c2 8e 7c d3 4d 9a a5 bf dc f0 20 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 Data Ascii: /M5?Rg\|M kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|c
2024-08-28 09:51:10 UTC	16384	IN	Data Raw: 99 dc 5a 2e 69 cf 52 41 9e 48 c8 71 d7 39 94 dd f7 b6 3f 2a 48 d1 b5 2e 37 a4 97 5f 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 Data Ascii: Z.iRAHq9?*H.7_CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`
2024-08-28 09:51:10 UTC	5254	IN	Data Raw: 29 50 5f 50 34 9a d3 9a 2a 83 ab 27 93 58 c5 2b d2 9c af 2b 4e 0f 79 ac a9 56 57 20 b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 Data Ascii: )P_P4*'X++NyVW a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49729	162.159.61.3	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:09 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-28 09:51:09 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-28 09:51:09 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 28 Aug 2024 09:51:09 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ba366b688a64243-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 09:51:09 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 25 00 04 8e fa 50 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom%Pc)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49732	162.159.61.3	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:09 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-28 09:51:09 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-28 09:51:09 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 28 Aug 2024 09:51:09 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ba366b6ab2641ff-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 09:51:09 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 d6 00 04 8e fa 50 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomPc)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49736	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:10 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-28 09:51:10 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=258343 Date: Wed, 28 Aug 2024 09:51:10 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49737	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:11 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-28 09:51:11 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=258295 Date: Wed, 28 Aug 2024 09:51:11 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-28 09:51:11 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49741	142.251.40.206	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:12 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-28 09:51:12 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 28 Aug 2024 09:51:12 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49740	142.251.40.206	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:12 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-28 09:51:12 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 28 Aug 2024 09:51:12 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49742	142.250.81.228	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:12 UTC	887	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.2045.47" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-28 09:51:12 UTC	704	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 28 Aug 2024 09:41:09 GMT Expires: Thu, 05 Sep 2024 09:41:09 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 603 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-08-28 09:51:12 UTC	686	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-08-28 09:51:12 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a eb Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-08-28 09:51:12 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff fc Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-08-28 09:51:12 UTC	1390	IN	Data Raw: f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-08-28 09:51:12 UTC	574	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49745	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:18 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HA11Sf1GnK9Cx1x&MD=4vAUTgo9 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-28 09:51:18 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: bf05ef08-ef46-40f4-804c-264acc624496 MS-RequestId: 17e2f85f-28c9-4670-b193-e8f63fe7d4d6 MS-CV: x2izHor9tkGhtO5M.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 28 Aug 2024 09:51:18 GMT Connection: close Content-Length: 24490
2024-08-28 09:51:18 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-28 09:51:18 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	50935	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:51:59 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HA11Sf1GnK9Cx1x&MD=4vAUTgo9 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-28 09:51:59 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 1909dde1-6b23-4de2-85c0-241f38ad7dcd MS-RequestId: 3b552eee-51c3-4a36-b360-bb5b9566f4cc MS-CV: Z6dJFDdnU0aJtAmj.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 28 Aug 2024 09:51:58 GMT Connection: close Content-Length: 30005
2024-08-28 09:51:59 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-08-28 09:51:59 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	50936	162.159.61.3	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:52:04 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-28 09:52:04 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 51 00 0c 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom)QM
2024-08-28 09:52:04 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 28 Aug 2024 09:52:04 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8ba3680aa98d8c7b-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 09:52:04 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 04 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 0d d7 00 2d 12 65 64 67 65 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 0b 64 75 61 6c 2d 61 2d 30 30 33 36 08 61 2d 6d 73 65 64 67 65 03 6e 65 74 00 c0 30 00 05 00 01 00 00 00 03 00 02 c0 43 c0 43 00 01 00 01 00 00 00 03 00 04 cc 4f c5 ef c0 43 00 01 00 01 00 00 00 03 00 04 0d 6b 15 ef 00 00 29 04 d0 00 00 00 00 01 3e 00 0c 01 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom-edge-microsoft-comdual-a-0036a-msedgenet0CCOCk)>:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	62107	23.54.161.105	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:52:07 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-28 09:52:07 UTC	359	IN	HTTP/1.1 200 OK Content-Length: 0 Access-Control-Allow-Headers: content-type Date: Wed, 28 Aug 2024 09:52:07 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.65a13617.1724838727.37cb22 Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	62108	23.54.161.105	443	7608	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-28 09:52:08 UTC	382	OUT	POST /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Content-Length: 465 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-28 09:52:08 UTC	465	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 36 30 30 31 35 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 39 37 30 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 33 2e 31 30 37 2e 36 2e 31 35 38 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 31 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 62 69 6e 67 Data Ascii: [{"age":60015,"body":{"elapsed_time":970,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"13.107.6.158","status_code":401,"type":"http.error"},"type":"network-error","url":"https://business.bing
2024-08-28 09:52:08 UTC	357	IN	HTTP/1.1 200 OK Content-Length: 21 Content-Type: text/plain; charset=utf-8 Date: Wed, 28 Aug 2024 09:52:08 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.65a13617.1724838728.37cc26 Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *
2024-08-28 09:52:08 UTC	21	IN	Data Raw: 50 72 6f 63 65 73 73 65 64 20 74 68 65 20 72 65 71 75 65 73 74 Data Ascii: Processed the request

Target ID:	0
Start time:	05:51:00
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x170000
File size:	917'504 bytes
MD5 hash:	C3AC879F55D769F91BE14EBFCF568F4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:51:00
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:51:01
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1952,i,11849779078856253836,7449960238563698719,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:51:01
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:51:01
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2704 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	05:51:06
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4040 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:51:06
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6912 --field-trial-handle=2544,i,7579823385293257062,16357275342585865479,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:51:17
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:51:18
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2936 --field-trial-handle=2364,i,6176290936601016668,17070727847601013962,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:51:19
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2896 --field-trial-handle=2364,i,6176290936601016668,17070727847601013962,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:51:26
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:51:26
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=2080,i,8600420615512392636,11898406338169848450,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:51:26
Start date:	28/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3596 --field-trial-handle=2080,i,8600420615512392636,11898406338169848450,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5%
Total number of Nodes:	1406
Total number of Limit Nodes:	32

Executed Functions

Function 0018F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0018F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001CF474
IsIconic.USER32(00000000), ref: 001CF47D
ShowWindow.USER32(00000000,00000009), ref: 001CF48A
SetForegroundWindow.USER32(00000000), ref: 001CF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001CF4AA
GetCurrentThreadId.KERNEL32 ref: 001CF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001CF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 001CF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 001CF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 001CF4DE
SetForegroundWindow.USER32(00000000), ref: 001CF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 001CF4F6
keybd_event.USER32(00000012,00000000), ref: 001CF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 001CF50B
keybd_event.USER32(00000012,00000000), ref: 001CF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 001CF519
keybd_event.USER32(00000012,00000000), ref: 001CF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 001CF528
keybd_event.USER32(00000012,00000000), ref: 001CF52D
SetForegroundWindow.USER32(00000000), ref: 001CF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 001CF557

Strings

Shell_TrayWnd, xrefs: 001CF46F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 861a4d8ba2ae45b1a7380a1f96ab5db3e9d176a921d14ce3807029b6fcf572cb
Instruction ID: 419f40ed8d5973a696b422451baff768e24610e51e00418d3a83df1094f77578
Opcode Fuzzy Hash: 861a4d8ba2ae45b1a7380a1f96ab5db3e9d176a921d14ce3807029b6fcf572cb
Instruction Fuzzy Hash: F43153B1A40318BBEB246BB55C49FBF7E6DEB44B50F210129F600E61D2C7B19D01AA60

Function 001742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0017430D

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

GetCurrentProcess.KERNEL32(?,0020CB64,00000000,?,?), ref: 00174422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00174429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00174454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00174466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00174474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0017447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001744A0

Strings

|O, xrefs: 001B36F8
kernel32.dll, xrefs: 0017444F
GetNativeSystemInfo, xrefs: 00174460

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 58ce204a4ddec0f406fac80883bd5235147b5e9bb99d14c4340d7d33438d2a24
Instruction ID: dc421222772d450901a3d4097a2d5b51308edf961bd42b29c6e448499b468bb7
Opcode Fuzzy Hash: 58ce204a4ddec0f406fac80883bd5235147b5e9bb99d14c4340d7d33438d2a24
Instruction Fuzzy Hash: 90A1C47A90A3C0DFC715DF79BC4C1E57FA46B27740B1888D9E05593A62E7204AE8DB21

Function 001742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001750AA,?,?,00000000,00000000), ref: 001742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001750AA,?,?,00000000,00000000), ref: 001742C9
LoadResource.KERNEL32(?,00000000,?,?,001750AA,?,?,00000000,00000000,?,?,?,?,?,?,00174F20), ref: 001B35BE
SizeofResource.KERNEL32(?,00000000,?,?,001750AA,?,?,00000000,00000000,?,?,?,?,?,?,00174F20), ref: 001B35D3
LockResource.KERNEL32(001750AA,?,?,001750AA,?,?,00000000,00000000,?,?,?,?,?,?,00174F20,?), ref: 001B35E6

Strings

SCRIPT, xrefs: 001742BF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1bb5185fe63824ab60481842e235c76934a583f6664e20b72a872420a1b1b8bc
Instruction ID: d20182632d72bca3b118bc1dc1a7843c62c4468ff4c9a6e226e733b6b1462477
Opcode Fuzzy Hash: 1bb5185fe63824ab60481842e235c76934a583f6664e20b72a872420a1b1b8bc
Instruction Fuzzy Hash: 0D118EB0200700BFD7218B65EC88F677BBDEBC6B51F208269F846D6691DB71DC508A20

Function 001B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00172B6B

Part of subcall function 00173A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00241418,?,00172E7F,?,?,?,00000000), ref: 00173A78

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00232224), ref: 001B2C10
ShellExecuteW.SHELL32(00000000,?,?,00232224), ref: 001B2C17

Strings

runas, xrefs: 001B2C0B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 7945b94acfe017a2eb96d1c993fa7435d2a377147d063654cfa07826f2dc5bf2
Instruction ID: 852690c877d6be9bebd0e846f1961fceb6fa458e839e5b7f3441cec1f9c352cd
Opcode Fuzzy Hash: 7945b94acfe017a2eb96d1c993fa7435d2a377147d063654cfa07826f2dc5bf2
Instruction Fuzzy Hash: FF11B4712083056AC718FF60E856DAE77B4ABB1300F54842DF05E570A3CF31955A9752

Function 001DDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,001B5222), ref: 001DDBCE
GetFileAttributesW.KERNELBASE(?), ref: 001DDBDD
FindFirstFileW.KERNEL32(?,?), ref: 001DDBEE
FindClose.KERNEL32(00000000), ref: 001DDBFA

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 25114e049da994858b1020940748494090ee93a88cfe9d360fde9ce0032c326c
Instruction ID: bbc8dd6abf985f0671b4c9b3ce29bb232ba235f263612861e22c26d862ce29f4
Opcode Fuzzy Hash: 25114e049da994858b1020940748494090ee93a88cfe9d360fde9ce0032c326c
Instruction Fuzzy Hash: B8F0A070820A205BC2206B7CBC0E8BA776C9E02334F20470BF836C22E2EBB059548695

Function 001FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 001FB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001FB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001FB1D4
_wcslen.LIBCMT ref: 001FB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001FB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001FB236
_wcslen.LIBCMT ref: 001FB332

Part of subcall function 001E05A7: GetStdHandle.KERNEL32(000000F6), ref: 001E05C6

_wcslen.LIBCMT ref: 001FB34B
_wcslen.LIBCMT ref: 001FB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001FB3B6
GetLastError.KERNEL32(00000000), ref: 001FB407
CloseHandle.KERNEL32(?), ref: 001FB439
CloseHandle.KERNEL32(00000000), ref: 001FB44A
CloseHandle.KERNEL32(00000000), ref: 001FB45C
CloseHandle.KERNEL32(00000000), ref: 001FB46E
CloseHandle.KERNEL32(?), ref: 001FB4E3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 73baabf47a353b51a6665cdedd479c42f0cbfff697fc18dea92355d02a741c12
Instruction ID: b6f00aeddd972f2e937ca16f5dde427f33edd1a3c10e1c249bb002f5d813812a
Opcode Fuzzy Hash: 73baabf47a353b51a6665cdedd479c42f0cbfff697fc18dea92355d02a741c12
Instruction Fuzzy Hash: 5EF1AB716083449FCB14EF24C891B6EBBE1BF85714F18855DF99A8B2A2CB31EC45CB52

Function 0017D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0017D807
timeGetTime.WINMM ref: 0017DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017DB28
TranslateMessage.USER32(?), ref: 0017DB7B
DispatchMessageW.USER32(?), ref: 0017DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017DB9F
Sleep.KERNELBASE(0000000A), ref: 0017DBB1

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 0b71eff82d1d5afb40d067e53744cb2680643efcb69fb66f5e8f0dcacc637c27
Instruction ID: 0d1a015d49e4996f20b2913d26e992925709f7a1016e62c9236accf1a8f91664
Opcode Fuzzy Hash: 0b71eff82d1d5afb40d067e53744cb2680643efcb69fb66f5e8f0dcacc637c27
Instruction Fuzzy Hash: 0E42F170608345EFD729CF24D888FAAB7F0BFA6304F54865DE55A87291C770E884CB92

Function 00172CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00172D07
RegisterClassExW.USER32(00000030), ref: 00172D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00172D42
InitCommonControlsEx.COMCTL32(?), ref: 00172D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00172D6F
LoadIconW.USER32(000000A9), ref: 00172D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00172D94

Strings

+, xrefs: 00172CF0
0, xrefs: 00172CE9
AutoIt v3 GUI, xrefs: 00172D23
TaskbarCreated, xrefs: 00172D37

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cdc4eabe24c26c7435a09b1a58955784a0868a33d8c5f1ae3a964e6670abe667
Instruction ID: 04e5f2f19f2ea23afb8d8216efcc16676e9afe56da3bdf74c6ddd0e9c7781de1
Opcode Fuzzy Hash: cdc4eabe24c26c7435a09b1a58955784a0868a33d8c5f1ae3a964e6670abe667
Instruction Fuzzy Hash: A721C3B5951318AFDB00DFA4E88DBDDBBB8FB09700F10821AF511A62A1D7B14594CF91

Function 001B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001B039A: CreateFileW.KERNELBASE(00000000,00000000,?,001B0704,?,?,00000000,?,001B0704,00000000,0000000C), ref: 001B03B7

GetLastError.KERNEL32 ref: 001B076F
__dosmaperr.LIBCMT ref: 001B0776
GetFileType.KERNELBASE(00000000), ref: 001B0782
GetLastError.KERNEL32 ref: 001B078C
__dosmaperr.LIBCMT ref: 001B0795
CloseHandle.KERNEL32(00000000), ref: 001B07B5
CloseHandle.KERNEL32(?), ref: 001B08FF
GetLastError.KERNEL32 ref: 001B0931
__dosmaperr.LIBCMT ref: 001B0938

Strings

H, xrefs: 001B08BD

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: afa3b9906540d4982685610424e020189204898badbaff8d120d45427f11d8d2
Instruction ID: 80ec925cfb2534e68f8a57ae33ab40efbe3bbf4c9d2da1fb0d6b1af266086bb6
Opcode Fuzzy Hash: afa3b9906540d4982685610424e020189204898badbaff8d120d45427f11d8d2
Instruction Fuzzy Hash: B7A13836A141049FDF1AEF68D895BEE7BA0AB1A320F14015DF815DB2D1CB319D16CB91

Function 0017344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00173A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00241418,?,00172E7F,?,?,?,00000000), ref: 00173A78

Part of subcall function 00173357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00173379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0017356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001B318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001B31CE
RegCloseKey.ADVAPI32(?), ref: 001B3210
_wcslen.LIBCMT ref: 001B3277
_wcslen.LIBCMT ref: 001B3286

Strings

\, xrefs: 001B328C
Software\AutoIt v3\AutoIt, xrefs: 00173560
Include, xrefs: 001B3184, 001B31C5
\Include\, xrefs: 00173527

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: bda5d103cbef0a2bf2499cb7513eeecd34d242fcbe1a51bb5abf75e1c0253bc7
Instruction ID: 303c4e4499c3c330e15d7ae51d22fd503fdb8005c6031834a9e0c02faf8b3151
Opcode Fuzzy Hash: bda5d103cbef0a2bf2499cb7513eeecd34d242fcbe1a51bb5abf75e1c0253bc7
Instruction Fuzzy Hash: 5871AF71414300DEC314EF66EC869ABBBF8FFA6740F90456EF559931A1EB309A48CB52

Function 00172B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00172B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00172B9D
LoadIconW.USER32(00000063), ref: 00172BB3
LoadIconW.USER32(000000A4), ref: 00172BC5
LoadIconW.USER32(000000A2), ref: 00172BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00172BEF
RegisterClassExW.USER32(?), ref: 00172C40

Part of subcall function 00172CD4: GetSysColorBrush.USER32(0000000F), ref: 00172D07
Part of subcall function 00172CD4: RegisterClassExW.USER32(00000030), ref: 00172D31
Part of subcall function 00172CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00172D42
Part of subcall function 00172CD4: InitCommonControlsEx.COMCTL32(?), ref: 00172D5F
Part of subcall function 00172CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00172D6F
Part of subcall function 00172CD4: LoadIconW.USER32(000000A9), ref: 00172D85
Part of subcall function 00172CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00172D94

Strings

#, xrefs: 00172C16
AutoIt v3, xrefs: 00172C2F
0, xrefs: 00172C0F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: be92b005b3bd2eb5f7375de143bf8e19b5347bbad2462a605e07e14184784721
Instruction ID: 103fa547b1b33bbd97310288d67b0dbd69346ef19eb97efc0558a5bca7afdcc6
Opcode Fuzzy Hash: be92b005b3bd2eb5f7375de143bf8e19b5347bbad2462a605e07e14184784721
Instruction Fuzzy Hash: DE214FB8E40314ABDB109F95FC8DA99BFB4FB09B50F10419AF500A66A0D3B105A0CF90

Function 0017B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0017BB4E

Strings

p#$, xrefs: 001C0263
p#$, xrefs: 0017BB6B
p%$, xrefs: 0017B8DC
p#$, xrefs: 0017BA72
p%$, xrefs: 0017BB32
x#$, xrefs: 001C0168
x#$, xrefs: 001C0207
p#$, xrefs: 001C024F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#$$p#$$p#$$p#$$p%$$p%$$x#$$x#$
API String ID: 1385522511-38278325
Opcode ID: a78720612d4737bd56b274d6c063948e02aee5247d745313e948ab8af44b8bab
Instruction ID: 4fa2d54b4be57fc21715d0a3f3b586fa80bf468ac71e4b38441c9c535f0b0049
Opcode Fuzzy Hash: a78720612d4737bd56b274d6c063948e02aee5247d745313e948ab8af44b8bab
Instruction Fuzzy Hash: 6A32CB74A08209DFCB29CF54C894FBAB7B9FF58304F158059E919AB291C774EE81CB91

Function 00173170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0017316A,?,?), ref: 001731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0017316A,?,?), ref: 00173204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00173227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0017316A,?,?), ref: 00173232
CreatePopupMenu.USER32 ref: 00173246
PostQuitMessage.USER32(00000000), ref: 00173267

Strings

TaskbarCreated, xrefs: 0017322D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: eb7625fde82749f6c540ba269b2a5cea92716b2acf6e7dacf7736dfb300bb659
Instruction ID: 5f3d6b2d170eef7d29d1e30fdbfde1b0bc295b22d22fad964c1c3fb3b03c701b
Opcode Fuzzy Hash: eb7625fde82749f6c540ba269b2a5cea92716b2acf6e7dacf7736dfb300bb659
Instruction Fuzzy Hash: 6D414D39260204B7DB196F78EC0DBB93B79E706340F648215F52A862A3C771CE94F762

Function 00172C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00172C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00172CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00171CAD,?), ref: 00172CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00171CAD,?), ref: 00172CCF

Strings

AutoIt v3, xrefs: 00172C89, 00172C8E, 00172C8F
edit, xrefs: 00172CAC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cc94ccce4310513309d6a1dc2a3cf2ff4c03d25b49d54359279893986adf826d
Instruction ID: 226ca6bd6226909e470ed6d97aec919dd427b692b3114b325ec551044753993e
Opcode Fuzzy Hash: cc94ccce4310513309d6a1dc2a3cf2ff4c03d25b49d54359279893986adf826d
Instruction Fuzzy Hash: 60F0DAB95403947AEB311B17BC4CE777EBDD7C7F50B10009AF900A25A1C66118A4DAB0

Function 001DE97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001DE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001DE9A5
Sleep.KERNEL32(00000000), ref: 001DE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001DE9B7
Sleep.KERNELBASE ref: 001DE9F3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 68fd3141b48a9f8e658473d283187ed07e475475827082a09b59ca2c25ab09e9
Instruction ID: ef201ad838cfbf30bfc160b79162a79d193c15077318ebe6eed1b9fe04d77190
Opcode Fuzzy Hash: 68fd3141b48a9f8e658473d283187ed07e475475827082a09b59ca2c25ab09e9
Instruction Fuzzy Hash: B1015E71C02629DBCF04AFE4E86D6EDBBB8BB08305F110656E501B6241CB30555487A1

Function 00173B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00173B0F,SwapMouseButtons,00000004,?), ref: 00173B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00173B0F,SwapMouseButtons,00000004,?), ref: 00173B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00173B0F,SwapMouseButtons,00000004,?), ref: 00173B83

Strings

Control Panel\Mouse, xrefs: 00173B3E

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 138f0d445479a7193cba85915895900d14140cd3d5f2ba3f60d3c4be4278f98d
Instruction ID: bee6b08574d2818ae5e27a07925752f6cb5cb86ac0b9b0c9e2a7d17358ab894a
Opcode Fuzzy Hash: 138f0d445479a7193cba85915895900d14140cd3d5f2ba3f60d3c4be4278f98d
Instruction Fuzzy Hash: 89112AB5510208FFDB218FA5DC48AEEB7BCEF04744B10855AA819D7210D3319E40A7A0

Function 00173923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001B33A2

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00173A04

Strings

Line: , xrefs: 001B33EB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: d31525b2e0dc1561e23bed4f56b4832c32cd31dfb6aa92f02247dc8fbe6ebfd6
Instruction ID: 7d6028626e6e47c2e871faa31a38b81b3520148950665e1e6cc3125f507e7d23
Opcode Fuzzy Hash: d31525b2e0dc1561e23bed4f56b4832c32cd31dfb6aa92f02247dc8fbe6ebfd6
Instruction Fuzzy Hash: 3631C371408300AAC725EB20EC49BEBB7F8AB95714F10856AF5AD83191EB709698C7C2

Function 00172DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 001B2C8C

Part of subcall function 00173AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00173A97,?,?,00172E7F,?,?,?,00000000), ref: 00173AC2

Part of subcall function 00172DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00172DC4

Strings

`e#, xrefs: 001B2C85
X, xrefs: 001B2C5A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e#
API String ID: 779396738-321613518
Opcode ID: 03a2d1788a17a14a1ba757845bc70eb3ae78f9e0d78d647ed0010deb22bc3a1e
Instruction ID: 755bc7a3b96db0a2dc4afb779c1c4d03fbd78b76d28d3a794565c5c223b297e3
Opcode Fuzzy Hash: 03a2d1788a17a14a1ba757845bc70eb3ae78f9e0d78d647ed0010deb22bc3a1e
Instruction Fuzzy Hash: A121D571A10258AFCB11DF94C809BEE7BFCAF59304F008059E409B7241DBB45A89CF61

Function 001710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00171BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00171BF4
Part of subcall function 00171BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00171BFC
Part of subcall function 00171BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00171C07
Part of subcall function 00171BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00171C12
Part of subcall function 00171BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00171C1A
Part of subcall function 00171BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00171C22

Part of subcall function 00171B4A: RegisterWindowMessageW.USER32(00000004,?,001712C4), ref: 00171BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0017136A
OleInitialize.OLE32 ref: 00171388
CloseHandle.KERNEL32(00000000,00000000), ref: 001B24AB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a1c42883abd397cd8c92f820e585a8fd59953974b4017df520c50a6bda036696
Instruction ID: 0570f03d2eb3fc7fd4ebf8707339b205891f05e0d7a942b65d9875b207061098
Opcode Fuzzy Hash: a1c42883abd397cd8c92f820e585a8fd59953974b4017df520c50a6bda036696
Instruction Fuzzy Hash: A8719CBC9613048FD388EF79F8496953AF4FB9A344394822AD51AC72A2EB7044F0CF40

Function 001DC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00173923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00173A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001DC259
KillTimer.USER32(?,00000001,?,?), ref: 001DC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001DC270

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 53d7cf9705d612afefba9f61e35d7fd72d24fc430af00038e5a633f4ebc7cbac
Instruction ID: eaaf69a1152a15800f70117efc7031fada92cbfa9e274a01b7e562f9a6b49c9e
Opcode Fuzzy Hash: 53d7cf9705d612afefba9f61e35d7fd72d24fc430af00038e5a633f4ebc7cbac
Instruction Fuzzy Hash: 3631D770904354AFEB328F649899BE7BBECAF16704F00089EE5DA93341C3746A84CB91

Function 001A86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,001A85CC,?,00238CC8,0000000C), ref: 001A8704
GetLastError.KERNEL32(?,001A85CC,?,00238CC8,0000000C), ref: 001A870E
__dosmaperr.LIBCMT ref: 001A8739

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 97017a14a0ceb8c2282415ba84cd350b6ba7f27c04fa7600b1ee2eac607fcacc
Instruction ID: 3cf2abb49e2ddbf053baa5b3aad2e5a5b19f7de67e8cc8438f6529c03c618bf9
Opcode Fuzzy Hash: 97017a14a0ceb8c2282415ba84cd350b6ba7f27c04fa7600b1ee2eac607fcacc
Instruction Fuzzy Hash: BB01263EA0962026EB646374A889B7E674A5FD3774F390259F91C8B1D3DFB0CC858190

Function 0017DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0017DB7B
DispatchMessageW.USER32(?), ref: 0017DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0017DB9F
Sleep.KERNELBASE(0000000A), ref: 0017DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 001C1CC9

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 5a721c9664c5af283a2fef1be30d7abcbd036a5c3a38a5a85e4e237fb81b94de
Instruction ID: 51da56973b559d26fceca1ee475123dfcf9dedaca73dd9e875057204e159b29d
Opcode Fuzzy Hash: 5a721c9664c5af283a2fef1be30d7abcbd036a5c3a38a5a85e4e237fb81b94de
Instruction Fuzzy Hash: F2F0FE716443449BE734DBA0AC49FAA73BCEF56310F504619F65A930D1DB70A488CB15

Function 00181310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001817F6

Strings

CALL, xrefs: 001817C6

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 3107bd492a81987845d6d3042e9194257b0917049908882d7332a3ad5805cff3
Instruction ID: 1121d6a208d2e73a011985e43222a9e6c6efa57208bcad63932ccac4daf73a10
Opcode Fuzzy Hash: 3107bd492a81987845d6d3042e9194257b0917049908882d7332a3ad5805cff3
Instruction Fuzzy Hash: A7228A71608241AFC714EF14C484B2ABBF5BF96314F24896DF49A8B3A1D771EA46CF42

Function 00173837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00173908

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6cb4202a7df90e0d76a55a79c0f9dca47ed3ede95c84de3d92bed5a1dd8e06cb
Instruction ID: 4efb5a65ad7474d3d253c933b2399734698d3061c14579f42104d7ef2617d8d0
Opcode Fuzzy Hash: 6cb4202a7df90e0d76a55a79c0f9dca47ed3ede95c84de3d92bed5a1dd8e06cb
Instruction Fuzzy Hash: D83191B45043019FD720DF24E888797BBF8FB49708F00096EF6A983250E771AA54DB52

Function 0018F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0018F661

Part of subcall function 0017D730: GetInputState.USER32 ref: 0017D807

Sleep.KERNEL32(00000000), ref: 001CF2DE

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: ed7f6c75f8bcab6b42db61509bbc4d56d2a22982754e57640f3ae3c140caf3c5
Instruction ID: 9c40fff935b43aa861d9c90397fd03795dbf8955070944ed8cee546f118e5765
Opcode Fuzzy Hash: ed7f6c75f8bcab6b42db61509bbc4d56d2a22982754e57640f3ae3c140caf3c5
Instruction Fuzzy Hash: AEF08C712442059FD314EF69E489B6AB7F8EF55761F00412DE85DC72A1DB70A800CB91

Function 00202598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 00202649

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 3f0f35cc80b3d4e92c71ce1fd94fd73b917f873d5092dfc71f4c522dd6d38259
Instruction ID: 37b919fa9b513ff9869ed464bb18ce4cc26898976c55d77af274d9dfbfc0c2c9
Opcode Fuzzy Hash: 3f0f35cc80b3d4e92c71ce1fd94fd73b917f873d5092dfc71f4c522dd6d38259
Instruction Fuzzy Hash: F921C174200316AFD724DF28C8D4936B7A9EB45368B54805EE8568B392CB71ED55CB90

Function 002013B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 00201420

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: eefbcb7bc993546b75ca036528d1a700ff4e0ec79deb1be4872052cbc8691b63
Instruction ID: d72d8d5526bd086473f16d2c12695f49fe5379979e1e57212ec2ebbbca949347
Opcode Fuzzy Hash: eefbcb7bc993546b75ca036528d1a700ff4e0ec79deb1be4872052cbc8691b63
Instruction Fuzzy Hash: 6531AD70614202AFD714EF29C495B69B7A2FF45328F048269E81A4F3A2DB71EC61CFD0

Function 00174ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00174E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00174EDD,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E9C
Part of subcall function 00174E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00174EAE
Part of subcall function 00174E90: FreeLibrary.KERNEL32(00000000,?,?,00174EDD,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174EFD

Part of subcall function 00174E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B3CDE,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E62
Part of subcall function 00174E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00174E74
Part of subcall function 00174E59: FreeLibrary.KERNEL32(00000000,?,?,001B3CDE,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E87

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 21d26bd06d5ec07a960bbf392dd758e5905edb00d2cc0e180a02a1eccd947968
Instruction ID: 110fb176811284d2f9e57831adb8812dc1e1efa39fcbefebb9a75544e16f9c63
Opcode Fuzzy Hash: 21d26bd06d5ec07a960bbf392dd758e5905edb00d2cc0e180a02a1eccd947968
Instruction Fuzzy Hash: A111E332610305ABDF14FB64DC06FAD77B5AF60710F20C42EF54AA61C2EFB4AA559790

Function 001A8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 001A8440

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 74bd8a23746ed8dfeed2e42a02481455dc6b7e4ea6272b47d01a64e9ecf5562f
Instruction ID: 331d8fcbe32e720a86895ce58feaa019932448693f498b347dbfa76d8d2e46c0
Opcode Fuzzy Hash: 74bd8a23746ed8dfeed2e42a02481455dc6b7e4ea6272b47d01a64e9ecf5562f
Instruction Fuzzy Hash: E311187590420AAFCB05DF58E945A9A7BF9EF49314F114059F808AB312DB31EA11CBA5

Function 001A5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001A4C7D: RtlAllocateHeap.NTDLL(00000008,00171129,00000000,?,001A2E29,00000001,00000364,?,?,?,0019F2DE,001A3863,00241444,?,0018FDF5,?), ref: 001A4CBE

_free.LIBCMT ref: 001A506C

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: b82fcf285ce417afe6acf8981a4c05bac934690928b1945d593a7131a725dbfd
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 6F0126762047046BE3218E699881A5AFBE9FB8A370F25051DF19483280EB70A805C6B4

Function 002029BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,002014B5,?), ref: 00202A01

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: c5a5a9baf894ffaa92d1af3304835252629f34bc4a30ba8872d7dd55524105ba
Instruction ID: 283be08fd16d26e2feed702f6a7bb55a777263e5ac28ac84dbcd9b90f46e2619
Opcode Fuzzy Hash: c5a5a9baf894ffaa92d1af3304835252629f34bc4a30ba8872d7dd55524105ba
Instruction Fuzzy Hash: 5401B536760742DFD324CE2CC498B267792EB85314F79856AD0478B293DB32EC5AC790

Function 0019E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 702d0052419437bd937ca92d62c45816321bebc8491b732ae69805e6521d3c53
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 8BF0F436510E10AADF317A69DC05B5A33D89FB3334F100719F824972D2DB70D8028AA5

Function 0020149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 002014EB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: d17318c824e8eb45bbf97f273a6cffd266af3ad01ed08027aea67119bbc7081b
Instruction ID: 1f68f43cf2368b827d7635e16bddf46bf6240f169eb0fdde4eb5a75a1a28a058
Opcode Fuzzy Hash: d17318c824e8eb45bbf97f273a6cffd266af3ad01ed08027aea67119bbc7081b
Instruction Fuzzy Hash: 2001F7353047419FD320CF69D440826BBA5FF95324754805EE84A8B7A3D772DDA2CBC0

Function 001A4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00171129,00000000,?,001A2E29,00000001,00000364,?,?,?,0019F2DE,001A3863,00241444,?,0018FDF5,?), ref: 001A4CBE

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 49b766364cdb5c21d4a145c1a1999c5e01ae892e917cca6e4c24ffbd675640ab
Instruction ID: 39643b9e5375cbc14afef4283c78459e665f1788f49ef9a174922d94acce5e26
Opcode Fuzzy Hash: 49b766364cdb5c21d4a145c1a1999c5e01ae892e917cca6e4c24ffbd675640ab
Instruction Fuzzy Hash: ADF0E93960622467DF215F629C09F6A3788BFD37B0B154225B81DE7189CBF0D80256E0

Function 001A3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6,?,00171129), ref: 001A3852

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 09e565c0982f75da8cbb3514a691ec8189c09f1adc060dfe24fad27d8ef20352
Instruction ID: 60a928235fc0e7965480236c6c107bff76e9b722d7a0c93314cdaf3153c5f333
Opcode Fuzzy Hash: 09e565c0982f75da8cbb3514a691ec8189c09f1adc060dfe24fad27d8ef20352
Instruction Fuzzy Hash: B5E02B3950122467DB312B779C04F9B3B48AF437B0F150334BC34924D1DB18DD0282E0

Function 00174F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174F6D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 68bd4f6001d9bc022142023d686f40f797806a78fd3c52f963a7e6e8f9e43a95
Instruction ID: 88f3081698036c033e929a8fa2626397d1e66511e2f18d392b227613b99518f5
Opcode Fuzzy Hash: 68bd4f6001d9bc022142023d686f40f797806a78fd3c52f963a7e6e8f9e43a95
Instruction Fuzzy Hash: 51F01571105752CFDB389F68E494822FBF4AF15329320CA6EE1EE82621C7329844DB50

Function 00202A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00202A66

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: af454a07d0d5c4e2d4b2ef391e8277d9b9bfe0b3b6195dd540ba90017d0ab6ed
Instruction ID: 2b333b948a1d1d023ea9e994cd58923d938be2ba5565f2538269a02ececb686b
Opcode Fuzzy Hash: af454a07d0d5c4e2d4b2ef391e8277d9b9bfe0b3b6195dd540ba90017d0ab6ed
Instruction Fuzzy Hash: 2FE04F76360216EAC724EB30EC848FE735CEB60395B104537BC2BD2241DF3099A986A0

Function 00172DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00172DC4

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: bfa22cee1cf8d75f3865936ac51ffadfeb22bd95d7f5518b92d162a1e94ada5e
Instruction ID: b3a4c019cea6ecbee1584ef073f8dc12afca24574632bebd43f1e3128e79d5da
Opcode Fuzzy Hash: bfa22cee1cf8d75f3865936ac51ffadfeb22bd95d7f5518b92d162a1e94ada5e
Instruction Fuzzy Hash: B9E0CD726002245BC71093589C05FEA77EDDFC8790F154175FD09D7249DB60AD84C550

Function 00172B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00173837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00173908

Part of subcall function 0017D730: GetInputState.USER32 ref: 0017D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00172B6B

Part of subcall function 001730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0017314E

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: d78d15bdf72cc8cc0fa3766149d900428155aa3837ae27ab6a91a331e9f66b9f
Instruction ID: 4a49bd8a48f849c3d1427fd125ee02b8f1acfd44294e775a62584a215a34eb60
Opcode Fuzzy Hash: d78d15bdf72cc8cc0fa3766149d900428155aa3837ae27ab6a91a331e9f66b9f
Instruction Fuzzy Hash: 56E0862130424806C708BB75B85656DB7799BF2355F40953EF15A471A3CF64459A4252

Function 001D3D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001D3D18

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 21426a3549d2ecb95308f7f4b13be799d5cbbc3c943ab11b691866465928762e
Instruction ID: 808c0524103d849423f2be73600305171bbaed3c3fe24ecb213e0292995f2e8a
Opcode Fuzzy Hash: 21426a3549d2ecb95308f7f4b13be799d5cbbc3c943ab11b691866465928762e
Instruction Fuzzy Hash: DFD08CF06A03087EFB0087719C0BEBB339CC356E81F104BA47E02D64C2D9A1DE080130

Function 001B039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,001B0704,?,?,00000000,?,001B0704,00000000,0000000C), ref: 001B03B7

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 413e2bb0f0a859c205b927571ad540893d4b2546e6a27699aac1c01fcf42b0a3
Instruction ID: e0be338f7c66944a2d3b4d451647c68d0f3571f28244f15afe0adbe717cbdd43
Opcode Fuzzy Hash: 413e2bb0f0a859c205b927571ad540893d4b2546e6a27699aac1c01fcf42b0a3
Instruction Fuzzy Hash: 5BD06C3204020DBBDF028F84ED06EDA3BAAFB48714F114100BE1856021C732E821AB90

Function 00171CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00171CBC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: a757823319cd6f9eb0c193daab968315c348eab6f799324a45261f6cfb6e7318
Instruction ID: 9cb94bad57737d2fd0ef88793c8235d720e34cd35206cd711c301e693656f733
Opcode Fuzzy Hash: a757823319cd6f9eb0c193daab968315c348eab6f799324a45261f6cfb6e7318
Instruction Fuzzy Hash: 50C0923E280304EFF3188B80BC4EF107BA4E349F00F948001F609B95E3C3A22860EA50

Non-executed Functions

Function 00209576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0020961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0020965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0020969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002096C9
SendMessageW.USER32 ref: 002096F2
GetKeyState.USER32(00000011), ref: 0020978B
GetKeyState.USER32(00000009), ref: 00209798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002097AE
GetKeyState.USER32(00000010), ref: 002097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002097E9
SendMessageW.USER32 ref: 00209810
SendMessageW.USER32(?,00001030,?,00207E95), ref: 00209918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0020992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00209941
SetCapture.USER32(?), ref: 0020994A
ClientToScreen.USER32(?,?), ref: 002099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002099D6
ReleaseCapture.USER32 ref: 002099E1
GetCursorPos.USER32(?), ref: 00209A19
ScreenToClient.USER32(?,?), ref: 00209A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00209A80
SendMessageW.USER32 ref: 00209AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00209AEB
SendMessageW.USER32 ref: 00209B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00209B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00209B4A
GetCursorPos.USER32(?), ref: 00209B68
ScreenToClient.USER32(?,?), ref: 00209B75
GetParent.USER32(?), ref: 00209B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00209BFA
SendMessageW.USER32 ref: 00209C2B
ClientToScreen.USER32(?,?), ref: 00209C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00209CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00209CDE
SendMessageW.USER32 ref: 00209D01
ClientToScreen.USER32(?,?), ref: 00209D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00209D82

Part of subcall function 00189944: GetWindowLongW.USER32(?,000000EB), ref: 00189952

GetWindowLongW.USER32(?,000000F0), ref: 00209E05

Strings

F, xrefs: 00209D07
p#$, xrefs: 00209990
@GUI_DRAGID, xrefs: 0020997D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#$
API String ID: 3429851547-3607781724
Opcode ID: 1ffb44cd79d0a266fdca5b1fd415becf6ad0930b64df3f6545d11ad51b8b20cf
Instruction ID: 0529b5e668eb4740124277b69d7ff2a0c8e700d9d974f9675f860ca4ea6383c7
Opcode Fuzzy Hash: 1ffb44cd79d0a266fdca5b1fd415becf6ad0930b64df3f6545d11ad51b8b20cf
Instruction Fuzzy Hash: 80428075518301AFD724CF24DC48AAABBE9FF89310F144619F656872E3D77298A0CF51

Function 00204873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00204908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00204927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0020494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0020495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0020497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00204A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00204A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00204A7E
IsMenu.USER32(?), ref: 00204A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00204AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00204B20
GetWindowLongW.USER32(?,000000F0), ref: 00204B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00204BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00204C82
wsprintfW.USER32 ref: 00204CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00204CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00204CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00204D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00204D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00204D5A

Strings

%d/%02d/%02d, xrefs: 00204CA8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 5ecce947f7d12383adbec4ee1631993a6e7c9b826bc64b0e024c61b887de601a
Instruction ID: 9c909f3bca514e0d6d7e2b6731f21919717b9c83c30c7d453abe95f01cf0b080
Opcode Fuzzy Hash: 5ecce947f7d12383adbec4ee1631993a6e7c9b826bc64b0e024c61b887de601a
Instruction Fuzzy Hash: 6D1214B1610305ABEB24AF24DC49FAE7BF8EF85710F108229F615DB2E2DB749951CB50

Function 001D1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D170D
Part of subcall function 001D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D173A
Part of subcall function 001D16C3: GetLastError.KERNEL32 ref: 001D174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001D1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001D12A8
CloseHandle.KERNEL32(?), ref: 001D12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001D12D1
GetProcessWindowStation.USER32 ref: 001D12EA
SetProcessWindowStation.USER32(00000000), ref: 001D12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001D1310

Part of subcall function 001D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001D11FC), ref: 001D10D4
Part of subcall function 001D10BF: CloseHandle.KERNEL32(?,?,001D11FC), ref: 001D10E9

Strings

default, xrefs: 001D130B
Z#, xrefs: 001D1392
, xrefs: 001D125A
winsta0, xrefs: 001D12CC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z#
API String ID: 22674027-1370318574
Opcode ID: a90f68ff9df24b699328b941ef75ea2a597eb16b05d38dcaacff8db730b67273
Instruction ID: ae657e4d14fa90dbe357078e4cc44fdf3bfdd38f7a8de8e94857a122204e08b8
Opcode Fuzzy Hash: a90f68ff9df24b699328b941ef75ea2a597eb16b05d38dcaacff8db730b67273
Instruction Fuzzy Hash: 42818CB1900309BFDF219FA4DC49FEE7BB9EF08704F14422AF910A62A1D7758A55CB61

Function 001D0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D1114
Part of subcall function 001D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1120
Part of subcall function 001D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D112F
Part of subcall function 001D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1136
Part of subcall function 001D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001D0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001D0C00
GetLengthSid.ADVAPI32(?), ref: 001D0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001D0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001D0C6D
GetLengthSid.ADVAPI32(?), ref: 001D0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001D0C8C
HeapAlloc.KERNEL32(00000000), ref: 001D0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001D0CB4
CopySid.ADVAPI32(00000000), ref: 001D0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001D0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001D0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001D0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0D45
HeapFree.KERNEL32(00000000), ref: 001D0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0D55
HeapFree.KERNEL32(00000000), ref: 001D0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0D65
HeapFree.KERNEL32(00000000), ref: 001D0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001D0D78
HeapFree.KERNEL32(00000000), ref: 001D0D7F

Part of subcall function 001D1193: GetProcessHeap.KERNEL32(00000008,001D0BB1,?,00000000,?,001D0BB1,?), ref: 001D11A1
Part of subcall function 001D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001D0BB1,?), ref: 001D11A8
Part of subcall function 001D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001D0BB1,?), ref: 001D11B7

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 15feddc8cce8dcb217f8623e2e01ee2bee5280442436eb7fe396f1a957a7ef16
Instruction ID: 1247d94bc3a7492e19d64d240f51e06fbf8f63ab521e1d2d635a7fd74af8159a
Opcode Fuzzy Hash: 15feddc8cce8dcb217f8623e2e01ee2bee5280442436eb7fe396f1a957a7ef16
Instruction Fuzzy Hash: C8716EB190020AAFDF11DFE4DC48FAEBBB9BF09310F144666F914A7291D775AA05CB60

Function 001EEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0020CC08), ref: 001EEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001EEB37
GetClipboardData.USER32(0000000D), ref: 001EEB43
CloseClipboard.USER32 ref: 001EEB4F
GlobalLock.KERNEL32(00000000), ref: 001EEB87
CloseClipboard.USER32 ref: 001EEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 001EEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001EEBC9
GetClipboardData.USER32(00000001), ref: 001EEBD1
GlobalLock.KERNEL32(00000000), ref: 001EEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 001EEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001EEC38
GetClipboardData.USER32(0000000F), ref: 001EEC44
GlobalLock.KERNEL32(00000000), ref: 001EEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001EEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001EEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001EECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 001EECF3
CountClipboardFormats.USER32 ref: 001EED14
CloseClipboard.USER32 ref: 001EED59

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 578bb9e47d25ad39bc55aac2197c52db43fcb04d2a389e4ffbad53466673d734
Instruction ID: cd82408e9e02c91bc9534c686cdda850ce858ca08da3780b756ed6cac57b449d
Opcode Fuzzy Hash: 578bb9e47d25ad39bc55aac2197c52db43fcb04d2a389e4ffbad53466673d734
Instruction Fuzzy Hash: 6461DF742047419FD310EF61E889F2EB7E8BF94714F248619F85A972A2DB31DD09CB62

Function 001E698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001E69BE
FindClose.KERNEL32(00000000), ref: 001E6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001E6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001E6A75

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001E6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001E6ADF

Strings

%02d, xrefs: 001E6C00, 001E6C0A, 001E6C5A, 001E6CAA, 001E6CFA, 001E6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 001E6B6A
%03d, xrefs: 001E6DA2
%4d, xrefs: 001E6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 001E6B32

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ff8d8229133c4f9d02aaf3bdb24f698202f3c76da23b4ddefaf5b20c67e5f78a
Instruction ID: a1f2cf111393342559e3662473fdaa0bf1b772a339f2689ecb2813c6afc00ebf
Opcode Fuzzy Hash: ff8d8229133c4f9d02aaf3bdb24f698202f3c76da23b4ddefaf5b20c67e5f78a
Instruction Fuzzy Hash: 6FD16FB1508340AEC710EBA4D885EAFB7FCAFA9704F44491DF589C7191EB34DA08CB62

Function 001E9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001E9663
GetFileAttributesW.KERNEL32(?), ref: 001E96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001E96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001E96D3
FindClose.KERNEL32(00000000), ref: 001E96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001E96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001E974A
SetCurrentDirectoryW.KERNEL32(00236B7C), ref: 001E9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001E9772
FindClose.KERNEL32(00000000), ref: 001E977F
FindClose.KERNEL32(00000000), ref: 001E978F

Strings

*.*, xrefs: 001E96F5

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 13eadbf9d0ae685bcb06023878b5553bef064c069a53bf35ea5f083c36f90eba
Instruction ID: 720e9b53d8f9279766b2e23f60d257c885a96eae468c3d8fe123c44aa20562eb
Opcode Fuzzy Hash: 13eadbf9d0ae685bcb06023878b5553bef064c069a53bf35ea5f083c36f90eba
Instruction Fuzzy Hash: C331D372900A597EDF24AFB5EC4DADE77ACAF09360F204166F905E2092DB30DD448F50

Function 001E979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001E97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001E9819
FindClose.KERNEL32(00000000), ref: 001E9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001E9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001E9890
SetCurrentDirectoryW.KERNEL32(00236B7C), ref: 001E98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001E98B8
FindClose.KERNEL32(00000000), ref: 001E98C5
FindClose.KERNEL32(00000000), ref: 001E98D5

Part of subcall function 001DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001DDB00

Strings

*.*, xrefs: 001E983B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 80e63f2f89b471ddf9fb1789ec0fe2d0e522e70ab6270a3e8e14e6278649905b
Instruction ID: ff11bb33f651f8549fe7c0e0c007506850fb0ffdae739c3686eca23a224c7653
Opcode Fuzzy Hash: 80e63f2f89b471ddf9fb1789ec0fe2d0e522e70ab6270a3e8e14e6278649905b
Instruction Fuzzy Hash: A131C371500A5D6EDF24AFB5EC48EDE77AC9F06324F248155E810A21E2DB30DD458F20

Function 001FBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FB6AE,?,?), ref: 001FC9B5
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FC9F1
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA68
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001FBFA9
RegCloseKey.ADVAPI32(00000000), ref: 001FBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001FC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001FC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001FC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001FC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 001FC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001FC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001FC382
RegCloseKey.ADVAPI32(00000000), ref: 001FC38F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: a77de4fed26f707e1fa4b0c9c95380c050030b22e8bed78246a8692ae594360e
Instruction ID: cfb2a1804f8d13b80b04ba979368aee26e95cd947249bb563fcc3db590421e93
Opcode Fuzzy Hash: a77de4fed26f707e1fa4b0c9c95380c050030b22e8bed78246a8692ae594360e
Instruction Fuzzy Hash: D1024A716042049FD714DF28C995E2ABBE5FF89308F18C49DF94A8B2A2DB31ED45CB91

Function 001E8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001E8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001E8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001E8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001E8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001E8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001E8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001E838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001E8395

Strings

*.*, xrefs: 001E839B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 4b9c59e7eabc69dbe6572342a4e185749ec5ca70b89e2bb850bc06d5dd1b713f
Instruction ID: 512ddbf79e59836a176e19c812639d74168c327744d4e53390daff422a73041b
Opcode Fuzzy Hash: 4b9c59e7eabc69dbe6572342a4e185749ec5ca70b89e2bb850bc06d5dd1b713f
Instruction Fuzzy Hash: FF61A9B25087459FCB10EF60D8809AFB3E8FF99314F04891EF98997251EB31E945CB92

Function 001DD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00173AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00173A97,?,?,00172E7F,?,?,?,00000000), ref: 00173AC2

Part of subcall function 001DE199: GetFileAttributesW.KERNEL32(?,001DCF95), ref: 001DE19A

FindFirstFileW.KERNEL32(?,?), ref: 001DD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001DD1DD
MoveFileW.KERNEL32(?,?), ref: 001DD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001DD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001DD237

Part of subcall function 001DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001DD21C,?,?), ref: 001DD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001DD253
FindClose.KERNEL32(00000000), ref: 001DD264

Strings

\*.*, xrefs: 001DD0CD, 001DD0D6, 001DD0EB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 81019e371a55803c528b5d6e53898d36458554a20b48997106ee745fde92c5d1
Instruction ID: 7f8ec2f1214c8bbb35a118f6ce48ec338ea6d129211c4e99668ee91f20d82c97
Opcode Fuzzy Hash: 81019e371a55803c528b5d6e53898d36458554a20b48997106ee745fde92c5d1
Instruction Fuzzy Hash: CB614C7180110DAECF05EBE0E992DEDB7B5AF65300F648166E40677292EB306F09DB61

Function 001EED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001EED91
EmptyClipboard.USER32 ref: 001EED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001EEDAC
CloseClipboard.USER32 ref: 001EEEA3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: ac679c3827b35481849fc86b0a848c8e13f13a34dd28a1eaef4d6d0032b27dd6
Instruction ID: f6af1035dfb13e9262d9f40c7b394386080f58e79c15a20ffc96d1ba6c6a01ae
Opcode Fuzzy Hash: ac679c3827b35481849fc86b0a848c8e13f13a34dd28a1eaef4d6d0032b27dd6
Instruction Fuzzy Hash: 5C41BE75604A51AFE720DF16E888F19BBE5FF44318F24C199E4198B6A2C736ED41CB90

Function 001DE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D170D
Part of subcall function 001D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D173A
Part of subcall function 001D16C3: GetLastError.KERNEL32 ref: 001D174A

ExitWindowsEx.USER32(?,00000000), ref: 001DE932

Strings

SeShutdownPrivilege, xrefs: 001DE902
, xrefs: 001DE920
@, xrefs: 001DE925
, xrefs: 001DE95C

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: f50a098f38157a47e69db595211c8b11d3d697e269e4a517557c53d576270834
Instruction ID: fbc75e014461852924a37c7924883bafb89e4be7b69c19000ad53d4c3f3be352
Opcode Fuzzy Hash: f50a098f38157a47e69db595211c8b11d3d697e269e4a517557c53d576270834
Instruction Fuzzy Hash: 900126B2611311BBEB1C37B4AC9ABBF72ECA71474AF250923FC02E62D2D7A05C44C590

Function 001F1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001F1276
WSAGetLastError.WSOCK32 ref: 001F1283
bind.WSOCK32(00000000,?,00000010), ref: 001F12BA
WSAGetLastError.WSOCK32 ref: 001F12C5
closesocket.WSOCK32(00000000), ref: 001F12F4
listen.WSOCK32(00000000,00000005), ref: 001F1303
WSAGetLastError.WSOCK32 ref: 001F130D
closesocket.WSOCK32(00000000), ref: 001F133C

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 36e7df2d7aea1a9503b2912b6418bd43a3d4b3083d3a19bea162487274be6412
Instruction ID: 1619fe5d1ec2e05b78ba4a1b59acf50dbaf7c5e57b5284a4129c79a66695b5d2
Opcode Fuzzy Hash: 36e7df2d7aea1a9503b2912b6418bd43a3d4b3083d3a19bea162487274be6412
Instruction Fuzzy Hash: 87417D71600204EFD714DF68D488B29BBE5BF86318F288188E9568F296C771ED81CBA1

Function 001AB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001AB9D4
_free.LIBCMT ref: 001AB9F8
_free.LIBCMT ref: 001ABB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00213700), ref: 001ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0024121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00241270,000000FF,?,0000003F,00000000,?), ref: 001ABC36
_free.LIBCMT ref: 001ABD4B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: d3b8b2bfa05a6b41b283ef98056a9e4211c5a51af02a4090c03e32a6a6df2c17
Instruction ID: 1393672674bb33bf532542bc30edf443e92d72b5dddc75f5f84bf20fc9e47771
Opcode Fuzzy Hash: d3b8b2bfa05a6b41b283ef98056a9e4211c5a51af02a4090c03e32a6a6df2c17
Instruction Fuzzy Hash: 3BC1277D908294AFCB24DF789C85BAABBB8EF53320F14419AE895D7257E7308E41C750

Function 001DD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00173AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00173A97,?,?,00172E7F,?,?,?,00000000), ref: 00173AC2

Part of subcall function 001DE199: GetFileAttributesW.KERNEL32(?,001DCF95), ref: 001DE19A

FindFirstFileW.KERNEL32(?,?), ref: 001DD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001DD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001DD481
FindClose.KERNEL32(00000000), ref: 001DD498
FindClose.KERNEL32(00000000), ref: 001DD4A1

Strings

\*.*, xrefs: 001DD3F2

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6a9c8fb54b639b036aa94a0ec625391c3654a835ed1b8187ca7ec5989a7802d3
Instruction ID: d796f98ce6aad748ba65ac09a880eb8da1bb9baedb8e1c0b47469213265cf483
Opcode Fuzzy Hash: 6a9c8fb54b639b036aa94a0ec625391c3654a835ed1b8187ca7ec5989a7802d3
Instruction Fuzzy Hash: D03163710183459FC304EF64E8568AF77F8BEA5314F548A1EF4D593292EB30AA09D763

Function 001AE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001AE645

Strings

1#IND, xrefs: 001AF83D
1#QNAN, xrefs: 001AF84B
1#SNAN, xrefs: 001AF844
1#INF, xrefs: 001AF852

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0b9e2454891ed258bbf2f7c42da16e14b3cfbc73f4c4c21cbf89a2cf31d1ee2d
Instruction ID: d1409da03c85ddc52201667503c1025c07950277258ea7c97f63aea12b78517c
Opcode Fuzzy Hash: 0b9e2454891ed258bbf2f7c42da16e14b3cfbc73f4c4c21cbf89a2cf31d1ee2d
Instruction Fuzzy Hash: E5C24A75E046288FDB29CE68DD447EAB7F5EB4A304F1541EAD44DE7240E778AE828F40

Function 001E648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001E64DC
CoInitialize.OLE32(00000000), ref: 001E6639
CoCreateInstance.OLE32(0020FCF8,00000000,00000001,0020FB68,?), ref: 001E6650
CoUninitialize.OLE32 ref: 001E68D4

Strings

.lnk, xrefs: 001E64BA, 001E6524, 001E65E0

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bc8c6bb4f36b2c486059a63e634eff895001e1fb5557cc4c00327b6b440bb60a
Instruction ID: 660445d7c4946be467787c12282406b36f126a389c619d5585d72e712d68fbe1
Opcode Fuzzy Hash: bc8c6bb4f36b2c486059a63e634eff895001e1fb5557cc4c00327b6b440bb60a
Instruction Fuzzy Hash: E4D14871608741AFC314DF24C881D6BB7E8FFA9744F50896DF5998B2A1DB30E909CB92

Function 001F22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001F22E8

Part of subcall function 001EE4EC: GetWindowRect.USER32(?,?), ref: 001EE504

GetDesktopWindow.USER32 ref: 001F2312
GetWindowRect.USER32(00000000), ref: 001F2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001F2355
GetCursorPos.USER32(?), ref: 001F2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001F23DF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: cb89579a6b86d3694a1dc92f3858678e6608600c2b5bce27d2da8782d14e9a37
Instruction ID: e0847510ed302f5e545d6ebefdf795bc389aada9764a851874f6663a82a449c0
Opcode Fuzzy Hash: cb89579a6b86d3694a1dc92f3858678e6608600c2b5bce27d2da8782d14e9a37
Instruction Fuzzy Hash: 0A31D2B25053199FC720DF54D849F6BBBE9FF88314F100A19F58597191D734E908CB91

Function 001E9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001E9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001E9C8B

Part of subcall function 001E3874: GetInputState.USER32 ref: 001E38CB
Part of subcall function 001E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001E3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001E9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001E9C75

Strings

*.*, xrefs: 001E9B5D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 312d74f95a5b7746b0f32050f76884fbeef2bdaab01a6bf94daf7a142f994286
Instruction ID: 38463c1709dea22105306e892f7b8e077d7bef2d7408dc6fda68e6854b27f3b0
Opcode Fuzzy Hash: 312d74f95a5b7746b0f32050f76884fbeef2bdaab01a6bf94daf7a142f994286
Instruction Fuzzy Hash: 82419571900649AFCF15EF65D849AEEBBF8FF15310F248155E815A7191EB30AE84CF60

Function 0018997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00189A4E
GetSysColor.USER32(0000000F), ref: 00189B23
SetBkColor.GDI32(?,00000000), ref: 00189B36

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 295468a83ce460d0c7f39f2d52c230557d9e614a5f082ec43a00857b14c5be35
Instruction ID: ab97940599870e5fbb9c76c5ad9abda46e63a69231312b013ec5eb3075bd1d78
Opcode Fuzzy Hash: 295468a83ce460d0c7f39f2d52c230557d9e614a5f082ec43a00857b14c5be35
Instruction Fuzzy Hash: B1A1F670218614AEE72DBA289C8DE7B3A9DEB52340B19020DF502D7AD2CB65DF51CF71

Function 001F1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001F307A
Part of subcall function 001F304E: _wcslen.LIBCMT ref: 001F309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001F185D
WSAGetLastError.WSOCK32 ref: 001F1884
bind.WSOCK32(00000000,?,00000010), ref: 001F18DB
WSAGetLastError.WSOCK32 ref: 001F18E6
closesocket.WSOCK32(00000000), ref: 001F1915

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 44850098071a4d94b536491539df2979e708420ac572eae2f4c6b67c24da36a9
Instruction ID: c58e023eebfea8741906c0c6ada8462565c5ae92a40a9e35657366b8a538b342
Opcode Fuzzy Hash: 44850098071a4d94b536491539df2979e708420ac572eae2f4c6b67c24da36a9
Instruction Fuzzy Hash: 3E51A071A00204AFDB10AF24D88AF2A77A5AB58718F18C05CFA0A5F3D3D771AD418BA1

Function 00201C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00201CC0
IsWindowEnabled.USER32 ref: 00201CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00201CDB
IsIconic.USER32 ref: 00201CE9
IsZoomed.USER32 ref: 00201CF7

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c9e4cfd673836da87d20ee9c41bbac706a0af73a9dc060c9854a0fc742ca2535
Instruction ID: f7b2d2611489036fc84b898a360d1368f23c5da56e47d55ab59d39654907f823
Opcode Fuzzy Hash: c9e4cfd673836da87d20ee9c41bbac706a0af73a9dc060c9854a0fc742ca2535
Instruction Fuzzy Hash: 0E2194717503115FE7208F2AD888B5A7BA5EF95314F198059E8468B293CB71DC62CB91

Function 00178060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001783FA
VUUU, xrefs: 0017843C
ERCP, xrefs: 0017813C
VUUU, xrefs: 001783E8
VUUU, xrefs: 001B5DF0

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a740145dd90ee148036621ad9604bdb54a2d22fbbd0138c426b0d341d711418e
Instruction ID: b6a6a0654d0c6fd892d5d176e7826458d849212d5c990e485251e7670327447b
Opcode Fuzzy Hash: a740145dd90ee148036621ad9604bdb54a2d22fbbd0138c426b0d341d711418e
Instruction Fuzzy Hash: E2A29070E4061ACBDF28CF58C9847EDB7B2BF54314F2581AAE819A7285DB749D81CF90

Function 001D8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001D82AA

Strings

(, xrefs: 001D82F0
tb#, xrefs: 001D84F4
|, xrefs: 001D82DA

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb#$|
API String ID: 1659193697-4063146538
Opcode ID: 7534de56717070a526ed6e53d30858fc218d7b6c4b1bbfff10386e92849036b6
Instruction ID: d333abec9ab771a237e1ac40acf217cb2e5a09c2bcfe0650ae697ec593117a4a
Opcode Fuzzy Hash: 7534de56717070a526ed6e53d30858fc218d7b6c4b1bbfff10386e92849036b6
Instruction Fuzzy Hash: E1323575A007059FCB28DF59C481A6AB7F0FF48720B15C56EE49ADB3A1EB70E981CB50

Function 001FA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001FA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001FA6BA

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Process32NextW.KERNEL32(00000000,?), ref: 001FA79C
CloseHandle.KERNEL32(00000000), ref: 001FA7AB

Part of subcall function 0018CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,001B3303,?), ref: 0018CE8A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: a58d1266377ea3da4f747745bd5e83491dbdb99d50f51f5e40fc31aff8424b26
Instruction ID: 9310a3b57ab3577ac5f5f8787bed4b31263602a184ea51dcf4233fb42fd2b8ac
Opcode Fuzzy Hash: a58d1266377ea3da4f747745bd5e83491dbdb99d50f51f5e40fc31aff8424b26
Instruction Fuzzy Hash: 005139B1508304AFD710EF24D886A6BBBF8FF99754F50891DF58997252EB30D904CB92

Function 001DAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001DAAAC
SetKeyboardState.USER32(00000080), ref: 001DAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001DAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001DAB88

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a051d33736c31cf4f982e8eb3460c16d595dbe73958b521d3c6028df9eee8530
Instruction ID: 2710ed8b7fc1a7c3c4e9738a01b347e95f00f0d10a771e578383c5a56fd0b12a
Opcode Fuzzy Hash: a051d33736c31cf4f982e8eb3460c16d595dbe73958b521d3c6028df9eee8530
Instruction Fuzzy Hash: 3F313B70A40218AEFF35CB64CC05BFA7BAAAF45310F94431BF581563D1D3759982C762

Function 001ECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001ECE89
GetLastError.KERNEL32(?,00000000), ref: 001ECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001ECEFE

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 0801bc3f579924fbed82d93803638af4822898165d40880eb77e6036b0cc3e75
Instruction ID: a7cccc574d2007d7a95de71ce91aaf656ff2dab315c595ccaef301bc4c60fb0c
Opcode Fuzzy Hash: 0801bc3f579924fbed82d93803638af4822898165d40880eb77e6036b0cc3e75
Instruction Fuzzy Hash: BD21BDB1500B05AFEB30DFA6DD49BAABBFCEB50314F20441EE54692151E770EE068BA0

Function 001E5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001E5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 001E5D17
FindClose.KERNEL32(?), ref: 001E5D5F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 86c5dcde0bbf3a314056ffd45e875bc78df2dfcf198b8d0af8f2921e5a544476
Instruction ID: 5df64cf7f052ead0014ebb10d8fb5b3f065482e54210d63fb8c8cdb1f76e7c42
Opcode Fuzzy Hash: 86c5dcde0bbf3a314056ffd45e875bc78df2dfcf198b8d0af8f2921e5a544476
Instruction Fuzzy Hash: 0951BC74600A419FC704CF68C894A9AB7F5FF0A318F14855DE95A8B3A2CB30ED04CF91

Function 001A2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 001A271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001A2724
UnhandledExceptionFilter.KERNEL32(?), ref: 001A2731

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 69c125f5f395041df63452995e59e721fb71e075ad048e1b709fb3bdc288e95c
Instruction ID: 3bba920d33f9b2e2e9d1d2ea36499cd8fbf38574cd2209620231a5232c6f72ed
Opcode Fuzzy Hash: 69c125f5f395041df63452995e59e721fb71e075ad048e1b709fb3bdc288e95c
Instruction Fuzzy Hash: 6831B474911328ABCB21DF68DD89799B7B8AF18710F5042EAE81CA7261E7349F818F45

Function 001E51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001E51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001E5238
SetErrorMode.KERNEL32(00000000), ref: 001E52A1

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1b103bfc7fba6c5cbeb1cb4daa538e11a5453e6dd06ff9c88301d61ba516d1b3
Instruction ID: d90ba0f188d5145c5677732c03540c97866061e5ea8dbb03861a3f1a92b8263c
Opcode Fuzzy Hash: 1b103bfc7fba6c5cbeb1cb4daa538e11a5453e6dd06ff9c88301d61ba516d1b3
Instruction Fuzzy Hash: 76318175A00608DFDB00DF54D888EADBBB5FF09318F188099E9099B392CB31E845CBA0

Function 001D16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0018FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00190668
Part of subcall function 0018FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00190685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001D170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001D173A
GetLastError.KERNEL32 ref: 001D174A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: ca4f3d19a88dd3194a7b939e62ac20dd65596854ecca508c62b24aa05dd89098
Instruction ID: e0ba8e99ca6f10c298b1ceb24d6a65f9e1378d2f3dca5d7e3a403a591be76dcd
Opcode Fuzzy Hash: ca4f3d19a88dd3194a7b939e62ac20dd65596854ecca508c62b24aa05dd89098
Instruction Fuzzy Hash: A51191B2414304BFD718AF54ECC6D6AB7BDEB44714B20862EE45657251EB70FC418B20

Function 001DD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001DD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001DD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001DD650

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 1828a23776ee02760e6e183bed350395faef182c6aee41ed94964d727400e0a3
Instruction ID: 3f239377940b34ac48b0bc013a591c21e6fb846b2cc81e227bcce2eb761ceb56
Opcode Fuzzy Hash: 1828a23776ee02760e6e183bed350395faef182c6aee41ed94964d727400e0a3
Instruction Fuzzy Hash: 97113CB5E05228BFDB108F95AC49FAFBBBCEB45B50F108156F904E7290D6704A058BA1

Function 001D1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001D168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001D16A1
FreeSid.ADVAPI32(?), ref: 001D16B1

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d83e9eb5e14a4b9336a6e2f090e132a8925b98900fca68b92f77662e07da80cf
Instruction ID: 2572980ef7513f109be5a612d477265e422996799bf23811a392edfa149ea013
Opcode Fuzzy Hash: d83e9eb5e14a4b9336a6e2f090e132a8925b98900fca68b92f77662e07da80cf
Instruction Fuzzy Hash: A0F0F4B1950309FBEB00DFE49D89AAEBBBDFB08604F504565E501E2181E774AA448A50

Function 00194CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001A28E9,?,00194CBE,001A28E9,002388B8,0000000C,00194E15,001A28E9,00000002,00000000,?,001A28E9), ref: 00194D09
TerminateProcess.KERNEL32(00000000,?,00194CBE,001A28E9,002388B8,0000000C,00194E15,001A28E9,00000002,00000000,?,001A28E9), ref: 00194D10
ExitProcess.KERNEL32 ref: 00194D22

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 629dab41b21833747f82e61b38ad892c7019e8fdb96bc87fa1bc5e297917fbdc
Instruction ID: bbaaa1e6d8825f04b2e9f7d258f34cd24b6049ee703d7a6dc3fc36c60023d26b
Opcode Fuzzy Hash: 629dab41b21833747f82e61b38ad892c7019e8fdb96bc87fa1bc5e297917fbdc
Instruction Fuzzy Hash: 6CE0B675010248ABCF15AF94ED0DE587BA9FB66791B208154FC198A123CB35DE42CA80

Function 001AC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 001AC36C

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 687771014ef406a73f699121f5eaea58fc9a92a81b947691c2935d5b50eeabb0
Instruction ID: f6d6be266dd1749029f74777c6b67c26dfdb4424f7c4e982a7bb534c1cb6508e
Opcode Fuzzy Hash: 687771014ef406a73f699121f5eaea58fc9a92a81b947691c2935d5b50eeabb0
Instruction Fuzzy Hash: F141287A5002196FCB249FB9DC49EBB77B8EB85314F1042A9F915D7180E7709D41CB90

Function 001CD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001CD28C

Strings

X64, xrefs: 001CD2A8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: abc0bb06931ac67b1b04d354aaecaa538e37786e3b3847aad24a1a4b3569684e
Instruction ID: 91d0ab567b6d1da4930b1e7bdc6f3043f6627845a65a8edf36229a02da9a310c
Opcode Fuzzy Hash: abc0bb06931ac67b1b04d354aaecaa538e37786e3b3847aad24a1a4b3569684e
Instruction Fuzzy Hash: D1D0C9B480121DEACB98DB90EC88DDAB37CBB14305F100265F106A2040DB3096498F10

Function 0019CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 504e5e857a9639de00b2a428de091a7d1a1f70e9e20d8f18ab2c0fbe2a3da1db
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: B6021C71E002199FDF14CFA9C8906AEFBF1EF98314F25816AD859E7384D731AA418BD4

Function 0017CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#$, xrefs: 0017CF7F
Variable is not of type 'Object'., xrefs: 001C0C40

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#$
API String ID: 0-1842369532
Opcode ID: ba67d346eb0f5a179e367a318e969fd224e797c71bc8a560541da87b1c3bc7dc
Instruction ID: 19ef3ae684d6df33e11bbc31a7bff92fa8ef5308413bbfee2a578ecbdc015b45
Opcode Fuzzy Hash: ba67d346eb0f5a179e367a318e969fd224e797c71bc8a560541da87b1c3bc7dc
Instruction Fuzzy Hash: 23328C74900218DBDF15DF94C885BEDB7B5BF29304F24806DE80AAB292DB35EE45CB91

Function 001E68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001E6918
FindClose.KERNEL32(00000000), ref: 001E6961

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 69497b0d31fe80b7fd72799957a43e4796a64a3410421d08fb6ca096e7b7eda6
Instruction ID: f9fb0d79f00548a73d42cfe4f5af663a14f6a746dd4d50b43733a5a6806bbd2c
Opcode Fuzzy Hash: 69497b0d31fe80b7fd72799957a43e4796a64a3410421d08fb6ca096e7b7eda6
Instruction Fuzzy Hash: 7D1190716046409FC710DF2AD488A1ABBE5FF95328F54C69DE8698F6A3C730EC05CB91

Function 001E37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001F4891,?,?,00000035,?), ref: 001E37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001F4891,?,?,00000035,?), ref: 001E37F4

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8b960f46332759bd1dfb0358f8f2a56c7d1f4db9fbfbe541764e9e7bdf191675
Instruction ID: d915b7e251b0f6008f60383a866df51333feb0724fee6323c005318e9828bcf2
Opcode Fuzzy Hash: 8b960f46332759bd1dfb0358f8f2a56c7d1f4db9fbfbe541764e9e7bdf191675
Instruction Fuzzy Hash: 64F0E5B0A053282AEB2017679C4DFEB3AAEEFC4761F000269F509D3281DB609908C6B0

Function 001D10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001D11FC), ref: 001D10D4
CloseHandle.KERNEL32(?,?,001D11FC), ref: 001D10E9

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 46dc674ad7ba3556ea8db46f5ba81bbc4fe0c865dc146654629ac1075d42349b
Instruction ID: d235b015f7548c6a0613636effb57f3bef03d37fd80077f95728819d525cd6eb
Opcode Fuzzy Hash: 46dc674ad7ba3556ea8db46f5ba81bbc4fe0c865dc146654629ac1075d42349b
Instruction Fuzzy Hash: D0E0BF72018710FEE7253B51FC09E7777A9EB04311B24892EF5A5805B1DB626CA1DB50

Function 0017BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#$, xrefs: 001C07CE

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#$
API String ID: 3964851224-689578738
Opcode ID: 69e3d9a08814806f7e5fc063455b5a47aacfb9391ab60a0e4c83dfb50eb24121
Instruction ID: fb42236583d402b9ea8d96f474ac03b8657a48d760a5665d17bfbd25b3463911
Opcode Fuzzy Hash: 69e3d9a08814806f7e5fc063455b5a47aacfb9391ab60a0e4c83dfb50eb24121
Instruction Fuzzy Hash: A8A24570608341CFDB25DF28C480B2ABBF1BF99304F15896DE99A9B352D731E945CB92

Function 001A676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001A6766,?,?,00000008,?,?,001AFEFE,00000000), ref: 001A6998

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 67f434ec1017b4203846a71b34737b9c45b49135f91755c562de744b8687cf65
Instruction ID: cd22ce66d7c1738302452e49c98c2d17c19162fda0726a9be5fdcd04a2767c09
Opcode Fuzzy Hash: 67f434ec1017b4203846a71b34737b9c45b49135f91755c562de744b8687cf65
Instruction Fuzzy Hash: 36B14D79610608DFD719CF28C48AB657BE0FF46364F298658E899CF2A2C339D991CB40

Function 0018B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 001C851F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: cd6892bdddadb131a157e33898db15726e5b5cc8314181a9a94772f38d30c969
Instruction ID: c93ac1ed1c1772f9eaa63ff847f33f18966c5b47518e6687de6a1e304062c1b9
Opcode Fuzzy Hash: cd6892bdddadb131a157e33898db15726e5b5cc8314181a9a94772f38d30c969
Instruction Fuzzy Hash: A3125D719042299BCB24DF58C881BEEB7B5FF58710F1581AAE849EB255DB30DE81CF90

Function 001EEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001EEABD

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 22a524ebd6c7cb24b15f41576d62a381bb79426de76c1b22e4dfe90e70891c00
Instruction ID: 5126d2ff89e08b1eda9ae01bcbc698441c22e268078fcbeeac963c4e05bf0c9c
Opcode Fuzzy Hash: 22a524ebd6c7cb24b15f41576d62a381bb79426de76c1b22e4dfe90e70891c00
Instruction Fuzzy Hash: 87E01A712002049FC710EF6AE844E9AB7E9AFA8760F00842AFC4AC7291DB70E8408B90

Function 001909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001903EE), ref: 001909DA

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b4f5202c4b3f0eaedc0ae4b7ee8d8f38c54a5718521a4e82c338ab570edca3cf
Instruction ID: e1e8d3a05afc8a210a1eb4169723e3b220964581ca3d346ffe9b0ce9b6d12a81
Opcode Fuzzy Hash: b4f5202c4b3f0eaedc0ae4b7ee8d8f38c54a5718521a4e82c338ab570edca3cf
Instruction Fuzzy Hash:

Function 0019781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0019798B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: a3576c8e46caf9d6dff2a73960fd42a5c29c161c3fa10de2f75d4320474fe6da
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7251877163C7059BDF3C8578885EBBE6389DF22358F180909E886DB2C2CB15EE02D356

Function 001E2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&$, xrefs: 001E2053

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: 0&$
API String ID: 0-620190583
Opcode ID: 016b2d10b011cb042c19fcac43a8d4ba062bb825db67858cd9381b814fc23446
Instruction ID: 69dee0a3a59bc5453db7d8d53dd94d0ae280ee04de09b4034c22fb92dbf305fb
Opcode Fuzzy Hash: 016b2d10b011cb042c19fcac43a8d4ba062bb825db67858cd9381b814fc23446
Instruction Fuzzy Hash: EF21BB326205158BD728CF7AD82367E73E9A754310F55862EF4A7C37D0DE75A904C780

Function 001A6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc193aee10c55fc2ec7c12379c2cd69a54df9348c6ac58f367ac715a4e13c1a
Instruction ID: b2cca244a9f7c1ef70e00d05c2245787dd6e98be4167363512aabcb38d218aed
Opcode Fuzzy Hash: 4bc193aee10c55fc2ec7c12379c2cd69a54df9348c6ac58f367ac715a4e13c1a
Instruction Fuzzy Hash: F5324526D29F018DD7239634EC26336A689AFB73C5F15C737F81AB59A6EF29C5834100

Function 0018CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8675c4bf2d9779eca38c5640a96c55e099c76940b66f2f14b5f726cef2f8b1
Instruction ID: 5d8289f3812547257e892a1dba07cef46aa6ff05c65dba4d4b52b9fb9c6bcc30
Opcode Fuzzy Hash: be8675c4bf2d9779eca38c5640a96c55e099c76940b66f2f14b5f726cef2f8b1
Instruction Fuzzy Hash: D4320331A002558BCF28DE68C494FBDBBA1EB65314F29856ED44E8B691E330DE81DBD1

Function 00177920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ada4c5358751fd306f15fa41b07b11e8e3ac6c04f2c6430f68dfe450eeabf76
Instruction ID: f163b8ba4477f0d9b3f9172ec9a60908abaf9f983ea2896f3ed61dfc4fb5d20b
Opcode Fuzzy Hash: 3ada4c5358751fd306f15fa41b07b11e8e3ac6c04f2c6430f68dfe450eeabf76
Instruction Fuzzy Hash: E822AF70A04609DFDF14DF64D881AEEB3F6FF58300F148529E81AA7291EB369E15CB50

Function 001791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502a28b05e43c7ca4ce61f18ec2f05b2bb5258c21b7be24b4497df2e58f7a051
Instruction ID: 79590f15d7c0c342640f598f9b7ee0b3b640d2e7e1092079d49839b9cc7c916e
Opcode Fuzzy Hash: 502a28b05e43c7ca4ce61f18ec2f05b2bb5258c21b7be24b4497df2e58f7a051
Instruction Fuzzy Hash: 490295B1A00205EBDF04DF64D981AEDBBF5FF54300F118169E81ADB291EB31AE55CB91

Function 001A9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d532323694a7f0aea764ab0259f4891de9b5cdb09a90ca5343a4fbf9d6752af9
Instruction ID: 234fb3270cc58684328df4f31172bf6a38e1b5599e086504191dd981ac68cb42
Opcode Fuzzy Hash: d532323694a7f0aea764ab0259f4891de9b5cdb09a90ca5343a4fbf9d6752af9
Instruction Fuzzy Hash: 05B1F120D2AF404DC22396399835336FA5DAFBB6D5F91D31BFC2674D22EF2286834180

Function 00191C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: bc755886803c95924f0cfe1d9bfa76a469cd3ce37eaac98d7ec73a5d73191ab0
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 739186736090A35ADF2E467E857807EFFE15A923A131A079ED4F2CA1C5FF20D994D620

Function 00191F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: e3a93c00f215c26d9ca876c28cd947d122bc141a751ed6719f25f3238e388cc4
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 569156736090A359DF6D4239857443EFFE15A923A131E07ADE4F2CB1C5EF3495A8E620

Function 001919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a3e8f38f07f0a51d752eb15114a4ba03bde9787a01b4b1f206728bc66915cf93
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1C912F722090E35ADF2D467A857407EFFF15A923A231A079ED4F3CB1C5FF2499A49620

Function 00197A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f033a01c463947df0822e1a6a25571d2c0f55464bc0117b405b44a14bfc97e
Instruction ID: ffb72166f5ad4a79b563ce95f58acbf8b7486041652331f6b0ac515f07dbe29d
Opcode Fuzzy Hash: d1f033a01c463947df0822e1a6a25571d2c0f55464bc0117b405b44a14bfc97e
Instruction Fuzzy Hash: 37616B7173870A96DE3CAA2C8C95BBE2395EF52704F18091AE843DB2D1D715DE42C355

Function 00197CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7405ddb0fbe48fb6215ebf42dac2ebe6946c5185380d3071dad639c9b81105b4
Instruction ID: 89aed0d91b2abd27c64aaf14b52782eb1d1d9de1218c4d12f8c9dc67621f05d0
Opcode Fuzzy Hash: 7405ddb0fbe48fb6215ebf42dac2ebe6946c5185380d3071dad639c9b81105b4
Instruction Fuzzy Hash: 80618971738709A7DE3D5AA89892BBF23C8EF52744F140959E843DB2C1DB12ED428355

Function 00191706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: df36bde7c389126d06470f3f6d0fec8bf5a40a40b950c49301686a2aa7be3d17
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1E8195736080A31EEF6E427A853407EFFE15A923A531A079ED4F2CB1C1EF24D594E620

Function 001F2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001F2B30
DeleteObject.GDI32(00000000), ref: 001F2B43
DestroyWindow.USER32 ref: 001F2B52
GetDesktopWindow.USER32 ref: 001F2B6D
GetWindowRect.USER32(00000000), ref: 001F2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001F2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001F2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2CF8
GetClientRect.USER32(00000000,?), ref: 001F2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001F2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2DA8
GlobalFree.KERNEL32(00000000), ref: 001F2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0020FC38,00000000), ref: 001F2DDB
GlobalFree.KERNEL32(00000000), ref: 001F2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001F2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001F2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001F303F

Strings

AutoIt v3, xrefs: 001F2CF2
DISPLAY, xrefs: 001F2EA2
static, xrefs: 001F2D3A, 001F2E91
, xrefs: 001F2FC5

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 981608a1cb5158d365c908026022c5288c290bc54eb90c4fe8399dffa857d67b
Instruction ID: bfa16105802b24fb77ed215feace4a3af154d7ee09845ef465780952171e9c79
Opcode Fuzzy Hash: 981608a1cb5158d365c908026022c5288c290bc54eb90c4fe8399dffa857d67b
Instruction Fuzzy Hash: DA027EB5500208EFDB14DF64DC8DEAE7BB9EF49714F148258F919AB2A1CB70AD01CB60

Function 002070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0020712F
GetSysColorBrush.USER32(0000000F), ref: 00207160
GetSysColor.USER32(0000000F), ref: 0020716C
SetBkColor.GDI32(?,000000FF), ref: 00207186
SelectObject.GDI32(?,?), ref: 00207195
InflateRect.USER32(?,000000FF,000000FF), ref: 002071C0
GetSysColor.USER32(00000010), ref: 002071C8
CreateSolidBrush.GDI32(00000000), ref: 002071CF
FrameRect.USER32(?,?,00000000), ref: 002071DE
DeleteObject.GDI32(00000000), ref: 002071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00207230
FillRect.USER32(?,?,?), ref: 00207262
GetWindowLongW.USER32(?,000000F0), ref: 00207284

Part of subcall function 002073E8: GetSysColor.USER32(00000012), ref: 00207421
Part of subcall function 002073E8: SetTextColor.GDI32(?,?), ref: 00207425
Part of subcall function 002073E8: GetSysColorBrush.USER32(0000000F), ref: 0020743B
Part of subcall function 002073E8: GetSysColor.USER32(0000000F), ref: 00207446
Part of subcall function 002073E8: GetSysColor.USER32(00000011), ref: 00207463
Part of subcall function 002073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00207471
Part of subcall function 002073E8: SelectObject.GDI32(?,00000000), ref: 00207482
Part of subcall function 002073E8: SetBkColor.GDI32(?,00000000), ref: 0020748B
Part of subcall function 002073E8: SelectObject.GDI32(?,?), ref: 00207498
Part of subcall function 002073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002074B7
Part of subcall function 002073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002074CE
Part of subcall function 002073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002074DB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 508a71368fd785ff5414285e883b38ce249596948ce0c1f5314e39d97e9e5b9b
Instruction ID: 89962cd8c361a2d54825566dfb44482dfb502820aac482d698cab49b82a025c6
Opcode Fuzzy Hash: 508a71368fd785ff5414285e883b38ce249596948ce0c1f5314e39d97e9e5b9b
Instruction Fuzzy Hash: 20A192B2418301AFD7119F60EC4CA5BBBA9FF49320F200B19F966A61E2D771E954CF51

Function 00188D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00188E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 001C6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001C6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001C6F43

Part of subcall function 00188F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00188BE8,?,00000000,?,?,?,?,00188BBA,00000000,?), ref: 00188FC5

SendMessageW.USER32(?,00001053), ref: 001C6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001C6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 001C6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 001C6FB7

Strings

0, xrefs: 001C6DCF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5350cc1339a6daf9504d490862f577175be884363f7cf325624f217ffecec019
Instruction ID: 3aa4e3a46d3ea729ba2d42d0d7294eb93e6b447c55ad4e6cf69f802c75345da7
Opcode Fuzzy Hash: 5350cc1339a6daf9504d490862f577175be884363f7cf325624f217ffecec019
Instruction Fuzzy Hash: 0C128B34204601DFDB25DF24D898FAABBE5FB69300F54456DE4858B262CB31EDA1CF91

Function 001F2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001F273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001F286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001F28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001F28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001F2900
GetClientRect.USER32(00000000,?), ref: 001F290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001F2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001F2964
GetStockObject.GDI32(00000011), ref: 001F2974
SelectObject.GDI32(00000000,00000000), ref: 001F2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001F2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001F2991
DeleteDC.GDI32(00000000), ref: 001F299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001F29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001F29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001F2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001F2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001F2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001F2A77
GetStockObject.GDI32(00000011), ref: 001F2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001F2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001F2A97

Strings

AutoIt v3, xrefs: 001F28F8
msctls_progress32, xrefs: 001F2A13
DISPLAY, xrefs: 001F295A
static, xrefs: 001F294F, 001F2A71

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6646c668cfd53743b31e8aa1579a413623eb2cb75c57a9c9c7dbc6cff3cc868a
Instruction ID: 1191ff4987bf9128317488f8d61846c70d365abbe79cc569a337cf2b4a5da06d
Opcode Fuzzy Hash: 6646c668cfd53743b31e8aa1579a413623eb2cb75c57a9c9c7dbc6cff3cc868a
Instruction Fuzzy Hash: 3EB15EB5A40209AFDB14DFA4DC89FAE7BB9EB45710F108254FA15E72D1D770AD40CB50

Function 001E4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001E4AED
GetDriveTypeW.KERNEL32(?,0020CB68,?,\\.\,0020CC08), ref: 001E4BCA
SetErrorMode.KERNEL32(00000000,0020CB68,?,\\.\,0020CC08), ref: 001E4D36

Strings

SSD, xrefs: 001E4C4A
iSCSI, xrefs: 001E4CC2
PhysicalDrive, xrefs: 001E4B76
MMC, xrefs: 001E4CDE
Fixed, xrefs: 001E4C09
SATA, xrefs: 001E4CD0
1394, xrefs: 001E4C9F
SAS, xrefs: 001E4CC9
Unknown, xrefs: 001E4BED, 001E4C83
SSA, xrefs: 001E4CA6
SCSI, xrefs: 001E4C8A
RAMDisk, xrefs: 001E4BF4
Virtual, xrefs: 001E4CE5
Network, xrefs: 001E4C02
Removable, xrefs: 001E4C10, 001E4C15
Fibre, xrefs: 001E4CAD
FileBackedVirtual, xrefs: 001E4CEC
CDROM, xrefs: 001E4BFB
ATAPI, xrefs: 001E4C91
ATA, xrefs: 001E4C98
RAID, xrefs: 001E4CBB
\\.\, xrefs: 001E4B3F
USB, xrefs: 001E4CB4

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 84ab3321391b969135d0312701f1e593b4c707dc1db7b19145d60e51b3a57d74
Instruction ID: 053d004aa07cfdaae71e93ac95d50e80e08e47a508467852743dec989a48961c
Opcode Fuzzy Hash: 84ab3321391b969135d0312701f1e593b4c707dc1db7b19145d60e51b3a57d74
Instruction Fuzzy Hash: 00611470711A49ABCB08DF26CA86D6C77F4BB15700F34C416F80AAB692DB31ED81DB51

Function 002073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00207421
SetTextColor.GDI32(?,?), ref: 00207425
GetSysColorBrush.USER32(0000000F), ref: 0020743B
GetSysColor.USER32(0000000F), ref: 00207446
CreateSolidBrush.GDI32(?), ref: 0020744B
GetSysColor.USER32(00000011), ref: 00207463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00207471
SelectObject.GDI32(?,00000000), ref: 00207482
SetBkColor.GDI32(?,00000000), ref: 0020748B
SelectObject.GDI32(?,?), ref: 00207498
InflateRect.USER32(?,000000FF,000000FF), ref: 002074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0020752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00207554
InflateRect.USER32(?,000000FD,000000FD), ref: 00207572
DrawFocusRect.USER32(?,?), ref: 0020757D
GetSysColor.USER32(00000011), ref: 0020758E
SetTextColor.GDI32(?,00000000), ref: 00207596
DrawTextW.USER32(?,002070F5,000000FF,?,00000000), ref: 002075A8
SelectObject.GDI32(?,?), ref: 002075BF
DeleteObject.GDI32(?), ref: 002075CA
SelectObject.GDI32(?,?), ref: 002075D0
DeleteObject.GDI32(?), ref: 002075D5
SetTextColor.GDI32(?,?), ref: 002075DB
SetBkColor.GDI32(?,?), ref: 002075E5

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: c4f62951408971280ff49978fac0881c0ac6783a5e55058bf54c23679857db75
Instruction ID: 3304611d6cf1739b05d7a967c56050834376c3323289f10eb518665b3fa4b53d
Opcode Fuzzy Hash: c4f62951408971280ff49978fac0881c0ac6783a5e55058bf54c23679857db75
Instruction Fuzzy Hash: 01616075D00219AFDB019FA4DC49ADEBF79EB09320F214215F915B72E2D771A950CF90

Function 00200FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00201128
GetDesktopWindow.USER32 ref: 0020113D
GetWindowRect.USER32(00000000), ref: 00201144
GetWindowLongW.USER32(?,000000F0), ref: 00201199
DestroyWindow.USER32(?), ref: 002011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0020120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0020121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00201232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00201245
IsWindowVisible.USER32(00000000), ref: 002012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002012D0
GetWindowRect.USER32(00000000,?), ref: 002012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0020130E
GetMonitorInfoW.USER32(00000000,?), ref: 00201328
CopyRect.USER32(?,?), ref: 0020133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002013AA

Strings

(, xrefs: 0020131B
0, xrefs: 002010D3
tooltips_class32, xrefs: 002011E6

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 2d86074b692c96d7041669fa710f1ca11d4de49cfd3dfde7bb684bf8102aab00
Instruction ID: a82ae5bbcd564136a77367d371cd3a3827071465e91dca79dfd92da98c6cddc2
Opcode Fuzzy Hash: 2d86074b692c96d7041669fa710f1ca11d4de49cfd3dfde7bb684bf8102aab00
Instruction Fuzzy Hash: 79B1AC71618341AFD714DF64D888B6EBBE4FF84714F00891CF9999B2A2C771E864CB91

Function 00200241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002002E5
_wcslen.LIBCMT ref: 0020031F
_wcslen.LIBCMT ref: 00200389
_wcslen.LIBCMT ref: 002003F1
_wcslen.LIBCMT ref: 00200475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002004C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00200504

Part of subcall function 0018F9F2: _wcslen.LIBCMT ref: 0018F9FD

Part of subcall function 001D223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001D2258
Part of subcall function 001D223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001D228A

Strings

SELECTCLEAR, xrefs: 0020052D
DESELECT, xrefs: 0020059C
SELECT, xrefs: 00200548
ISSELECTED, xrefs: 002004DD
GETSELECTEDCOUNT, xrefs: 00200470, 0020048B
GETSELECTED, xrefs: 002005E1
SELECTALL, xrefs: 00200515
SELECTINVERT, xrefs: 0020057E
FINDITEM, xrefs: 00200627
GETSUBITEMCOUNT, xrefs: 00200384, 0020039F
GETITEMCOUNT, xrefs: 00200316, 00200337
GETTEXT, xrefs: 002003EC, 00200407
VIEWCHANGE, xrefs: 00200675

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 5f1acd1afb6ff00998ba17efb672539306724df3eeb183d5cec0b2b49f3249a8
Instruction ID: 49aa8416e1138e761c8a48e6d1fc4281f00b08956d9c211b944e27aa88a66701
Opcode Fuzzy Hash: 5f1acd1afb6ff00998ba17efb672539306724df3eeb183d5cec0b2b49f3249a8
Instruction Fuzzy Hash: 0BE1B2712283018FDB24DF24C490A2AB7E6BF98714F14895DF8969B3E2DB30ED55CB41

Function 00188891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00188968
GetSystemMetrics.USER32(00000007), ref: 00188970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0018899B
GetSystemMetrics.USER32(00000008), ref: 001889A3
GetSystemMetrics.USER32(00000004), ref: 001889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00188A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00188A3C
GetClientRect.USER32(00000000,000000FF), ref: 00188A5A
GetStockObject.GDI32(00000011), ref: 00188A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00188A81

Part of subcall function 0018912D: GetCursorPos.USER32(?), ref: 00189141
Part of subcall function 0018912D: ScreenToClient.USER32(00000000,?), ref: 0018915E
Part of subcall function 0018912D: GetAsyncKeyState.USER32(00000001), ref: 00189183
Part of subcall function 0018912D: GetAsyncKeyState.USER32(00000002), ref: 0018919D

SetTimer.USER32(00000000,00000000,00000028,001890FC), ref: 00188AA8

Strings

AutoIt v3 GUI, xrefs: 00188A20

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 2f7af2d523242e1f0debd342eff4c42078ed6acbd781e99101ba49a1b653c278
Instruction ID: f86a3e6ee8d72b3f53f3e683bc17e6a46974fdc0624d05b7a828015bd468a82b
Opcode Fuzzy Hash: 2f7af2d523242e1f0debd342eff4c42078ed6acbd781e99101ba49a1b653c278
Instruction Fuzzy Hash: 81B17A75A00209AFDB14EFA8DC89FAE3BB5FB48314F114229FA15A7290DB34E951CF51

Function 001D0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D1114
Part of subcall function 001D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1120
Part of subcall function 001D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D112F
Part of subcall function 001D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1136
Part of subcall function 001D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001D0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001D0E29
GetLengthSid.ADVAPI32(?), ref: 001D0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001D0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001D0E96
GetLengthSid.ADVAPI32(?), ref: 001D0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001D0EB5
HeapAlloc.KERNEL32(00000000), ref: 001D0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001D0EDD
CopySid.ADVAPI32(00000000), ref: 001D0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001D0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001D0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001D0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0F6E
HeapFree.KERNEL32(00000000), ref: 001D0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0F7E
HeapFree.KERNEL32(00000000), ref: 001D0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D0F8E
HeapFree.KERNEL32(00000000), ref: 001D0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001D0FA1
HeapFree.KERNEL32(00000000), ref: 001D0FA8

Part of subcall function 001D1193: GetProcessHeap.KERNEL32(00000008,001D0BB1,?,00000000,?,001D0BB1,?), ref: 001D11A1
Part of subcall function 001D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001D0BB1,?), ref: 001D11A8
Part of subcall function 001D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001D0BB1,?), ref: 001D11B7

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: cf9a55061ce3da276b32d888fd3a98a3a54eb37088eca799d2e1c93b2a1a0749
Instruction ID: d98b5e0f1c84ca67b15477de16c76ff31dd68b6601140a58eca0b923ca98edc6
Opcode Fuzzy Hash: cf9a55061ce3da276b32d888fd3a98a3a54eb37088eca799d2e1c93b2a1a0749
Instruction Fuzzy Hash: 417152B2900309ABDF119FA5DC48FEEBBB9BF08310F244216F959E6291D7719905CB60

Function 001FC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0020CC08,00000000,?,00000000,?,?), ref: 001FC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001FC5A4
_wcslen.LIBCMT ref: 001FC5F4
_wcslen.LIBCMT ref: 001FC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001FC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001FC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001FC84D
RegCloseKey.ADVAPI32(?), ref: 001FC881
RegCloseKey.ADVAPI32(00000000), ref: 001FC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001FC960

Strings

REG_DWORD, xrefs: 001FC804
REG_QWORD, xrefs: 001FC8C3
REG_EXPAND_SZ, xrefs: 001FC5CD
REG_SZ, xrefs: 001FC644
REG_BINARY, xrefs: 001FC913
REG_MULTI_SZ, xrefs: 001FC6F5

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 23224d1f6f7b4d76ce18b708ae164725d796b7acc6eb0b5f229faf6257c4ca7b
Instruction ID: 07c11a74c4354f5511c3fd94fe4f06f5e33c68999ed519855e07149efafcf572
Opcode Fuzzy Hash: 23224d1f6f7b4d76ce18b708ae164725d796b7acc6eb0b5f229faf6257c4ca7b
Instruction Fuzzy Hash: 651266756042059FDB14DF24C981A2AB7F5FF88724F14889CF98A9B3A2DB31ED41DB81

Function 0020091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002009C6
_wcslen.LIBCMT ref: 00200A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00200A54
_wcslen.LIBCMT ref: 00200A8A
_wcslen.LIBCMT ref: 00200B06
_wcslen.LIBCMT ref: 00200B81

Part of subcall function 0018F9F2: _wcslen.LIBCMT ref: 0018F9FD

Part of subcall function 001D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001D2BFA

Strings

UNCHECK, xrefs: 00200D3E
GETSELECTED, xrefs: 00200C4E
EXPAND, xrefs: 00200BF8
GETTOTALCOUNT, xrefs: 002009F2, 00200A17
CHECK, xrefs: 00200A85, 00200AA0
EXISTS, xrefs: 00200B7C, 00200B97
SELECT, xrefs: 00200D11
GETITEMCOUNT, xrefs: 00200C1E
ISCHECKED, xrefs: 00200CE1
GETTEXT, xrefs: 00200C97
COLLAPSE, xrefs: 00200B01, 00200B1C

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: fbfa3ea3fcf24dbd32d571e522ca0181f4275529a47d43aa4798934e6a38a4a8
Instruction ID: 6dc2aef6f94898f15f3a515451bb48e6344229bb56d5fa3c7d63f7fb39ed8eb3
Opcode Fuzzy Hash: fbfa3ea3fcf24dbd32d571e522ca0181f4275529a47d43aa4798934e6a38a4a8
Instruction Fuzzy Hash: BEE1A0712283029FDB14DF24C490A2AB7E1FFA9318F14895DF8995B3A2D730ED55CB91

Function 001FC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FB6AE,?,?), ref: 001FC9B5
_wcslen.LIBCMT ref: 001FC9F1
_wcslen.LIBCMT ref: 001FCA68
_wcslen.LIBCMT ref: 001FCA9E
_wcslen.LIBCMT ref: 001FCAF9
_wcslen.LIBCMT ref: 001FCB2F
_wcslen.LIBCMT ref: 001FCB7F

Strings

HKCC, xrefs: 001FCBAC
HKLM, xrefs: 001FCA98, 001FCA9D
HKEY_CURRENT_USER, xrefs: 001FCBBD
HKCR, xrefs: 001FCB29, 001FCB2E
HKEY_LOCAL_MACHINE, xrefs: 001FCA62, 001FCA67
HKEY_USERS, xrefs: 001FCBDF
HKU, xrefs: 001FCBF0
HKEY_CLASSES_ROOT, xrefs: 001FCAF3, 001FCAF8
HKEY_CURRENT_CONFIG, xrefs: 001FCB79, 001FCB7E
HKCU, xrefs: 001FCBCE

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 1617f3806bac2b084dd986646bf7f8779653fb7034221d2bd15e25a1981ff67a
Instruction ID: e6be702c51fe5bb879c417fce4145109dc76143c0a849f9ba706896b8e34a6f6
Opcode Fuzzy Hash: 1617f3806bac2b084dd986646bf7f8779653fb7034221d2bd15e25a1981ff67a
Instruction Fuzzy Hash: E9710372A1012E8BCF20DE7CCA515BA33A1AFB0794F250528FA5697284FB31DD55E7E0

Function 0020833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0020835A
_wcslen.LIBCMT ref: 0020836E
_wcslen.LIBCMT ref: 00208391
_wcslen.LIBCMT ref: 002083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00205BF2), ref: 0020844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00208487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00208501
FreeLibrary.KERNEL32(?), ref: 0020850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0020851D
DestroyIcon.USER32(?,?,?,?,?,00205BF2), ref: 0020852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00208549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00208555

Strings

.dll, xrefs: 002083AB
.icl, xrefs: 00208368
.exe, xrefs: 00208388

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 218d1eda0e3ced2bb82a8fd67c9ef3dc255d6fa9e7e42b5ca4c375ba63bb94e2
Instruction ID: 53c9b1aff8b7edf152bcff56e47276be3f140cf22a67325d48592bd47126e3e1
Opcode Fuzzy Hash: 218d1eda0e3ced2bb82a8fd67c9ef3dc255d6fa9e7e42b5ca4c375ba63bb94e2
Instruction Fuzzy Hash: BD61E3B1510316BBEB14CF64DC85FBF7BA8BB08721F104609F855D61D2DB749960C7A0

Function 00177778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 001B5169
#include-once, xrefs: 0017782F
#comments-end, xrefs: 001778D9
#OnAutoItStartRegister, xrefs: 00177817
#pragma compile, xrefs: 001777D3
#ce, xrefs: 001778ED
Bad directive syntax error, xrefs: 001B519A
#include, xrefs: 00177847
#cs, xrefs: 00177873, 001778C5
#comments-start, xrefs: 0017785F, 001778B1
Unterminated group of comments, xrefs: 001B528C
#requireadmin, xrefs: 001777FF
#notrayicon, xrefs: 001777E7
", xrefs: 001B5153
Cannot parse #include, xrefs: 001B5279

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 91be403475cbe0a8eaeba43934a3578664d861fef3df6b8f9488ae9364b7d2df
Instruction ID: b124a54e450d9a21daec3d92a1a3d9cc86c3d38b79fa9c9ab99acd8b9f11adf0
Opcode Fuzzy Hash: 91be403475cbe0a8eaeba43934a3578664d861fef3df6b8f9488ae9364b7d2df
Instruction Fuzzy Hash: 6A810771644205BBDB25BF64DC86FEE37B9AF25300F058025F908AB1D6EB70DA21C7A1

Function 001E3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001E3EF8
_wcslen.LIBCMT ref: 001E3F03
_wcslen.LIBCMT ref: 001E3F5A
_wcslen.LIBCMT ref: 001E3F98
GetDriveTypeW.KERNEL32(?), ref: 001E3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001E4087

Strings

close, xrefs: 001E3EFE, 001E3F18
close cd wait, xrefs: 001E4072
closed, xrefs: 001E3F08, 001E3F2D, 001E3F46, 001E3F7E, 001E3F97
type cdaudio alias cd wait, xrefs: 001E4001
open, xrefs: 001E3F54, 001E3F59
open , xrefs: 001E3FE5
wait, xrefs: 001E4044
set cd door , xrefs: 001E4028

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 3e401d9974bdb9328493852d5c1f3e3745a71832cff1ba5c67206b9cd84fc7bb
Instruction ID: 01c1f988354c64650cf2d996817f1eb0cddba9fe0deccd27afa9e5e590a47f80
Opcode Fuzzy Hash: 3e401d9974bdb9328493852d5c1f3e3745a71832cff1ba5c67206b9cd84fc7bb
Instruction Fuzzy Hash: E871D2716047019FC710EF25C8858AEB7F4EFA5758F10892DF8A997291EB30DE45CB92

Function 001D5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001D5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001D5A40
SetWindowTextW.USER32(?,?), ref: 001D5A57
GetDlgItem.USER32(?,000003EA), ref: 001D5A6C
SetWindowTextW.USER32(00000000,?), ref: 001D5A72
GetDlgItem.USER32(?,000003E9), ref: 001D5A82
SetWindowTextW.USER32(00000000,?), ref: 001D5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001D5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001D5AC3
GetWindowRect.USER32(?,?), ref: 001D5ACC
_wcslen.LIBCMT ref: 001D5B33
SetWindowTextW.USER32(?,?), ref: 001D5B6F
GetDesktopWindow.USER32 ref: 001D5B75
GetWindowRect.USER32(00000000), ref: 001D5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001D5BD3
GetClientRect.USER32(?,?), ref: 001D5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001D5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001D5C2F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 8306dc8023631e4b62db64558a4ceab0a972e2ef5eaec2fde1e360ca9462d483
Instruction ID: 2530e3b8ff7257908e4e44957c06e9212e76861fce559f83fca0ebe3f99a3320
Opcode Fuzzy Hash: 8306dc8023631e4b62db64558a4ceab0a972e2ef5eaec2fde1e360ca9462d483
Instruction Fuzzy Hash: 07717071900B05AFDB20DFA8CD89A6EBBF6FF48704F10461AE542A36A0D775E944CF50

Function 001EFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001EFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 001EFE32
LoadCursorW.USER32(00000000,00007F00), ref: 001EFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 001EFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 001EFE53
LoadCursorW.USER32(00000000,00007F01), ref: 001EFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 001EFE69
LoadCursorW.USER32(00000000,00007F88), ref: 001EFE74
LoadCursorW.USER32(00000000,00007F80), ref: 001EFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 001EFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 001EFE95
LoadCursorW.USER32(00000000,00007F85), ref: 001EFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 001EFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 001EFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 001EFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 001EFECC
GetCursorInfo.USER32(?), ref: 001EFEDC
GetLastError.KERNEL32 ref: 001EFF1E

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 4430469c3a54c2d73bfa1f3ee4c02a7abddf80a9a4111cf13594650d550ca0c5
Instruction ID: d3dfa9bdfaa6c0d2bc9cb9edfc06047c52a6ee11ce948a359d333536fb33d68c
Opcode Fuzzy Hash: 4430469c3a54c2d73bfa1f3ee4c02a7abddf80a9a4111cf13594650d550ca0c5
Instruction Fuzzy Hash: 964163B0D043596ADB10DFBA8C8985EBFE8FF04354B50852AF51DE7281DB78A901CF91

Function 001D30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D318D
_wcslen.LIBCMT ref: 001D31F8

Strings

[#, xrefs: 001D339A
CLASS, xrefs: 001D3188, 001D31A5
TEXT, xrefs: 001D347C
REGEXPCLASS, xrefs: 001D3255, 001D3266
NAME, xrefs: 001D3335, 001D3346
CLASSNN, xrefs: 001D31F3, 001D3204
INSTANCE, xrefs: 001D3453

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[#
API String ID: 176396367-1113138700
Opcode ID: c34313f7100e51334c088d307ebb0a1cf41db58df3beaa4d5645da5a673ce918
Instruction ID: 14594ad171634bac0a2ad408659d5154bf6d0fb994fbf17ef5ba409f180d0903
Opcode Fuzzy Hash: c34313f7100e51334c088d307ebb0a1cf41db58df3beaa4d5645da5a673ce918
Instruction Fuzzy Hash: 89E1E532A00526ABCF189F68C451AEEFBB1BF54754F54811BE46AB7340DB30AF85C7A1

Function 001900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001900C6

Part of subcall function 001900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0024070C,00000FA0,BEE3BC50,?,?,?,?,001B23B3,000000FF), ref: 0019011C
Part of subcall function 001900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001B23B3,000000FF), ref: 00190127
Part of subcall function 001900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001B23B3,000000FF), ref: 00190138
Part of subcall function 001900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0019014E
Part of subcall function 001900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0019015C
Part of subcall function 001900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0019016A
Part of subcall function 001900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00190195
Part of subcall function 001900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001901A0

___scrt_fastfail.LIBCMT ref: 001900E7

Part of subcall function 001900A3: __onexit.LIBCMT ref: 001900A9

Strings

kernel32.dll, xrefs: 00190133
WakeAllConditionVariable, xrefs: 00190162
SleepConditionVariableCS, xrefs: 00190154
InitializeConditionVariable, xrefs: 00190148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00190122

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 0733623a119dadf0513f1e9eb5296fd16f16b4d0fca94859c3bc51d67999b0d7
Instruction ID: 60d9fbf97eccc6969093a6ddd2a5b53722f56feed8766592f251a618a71494cb
Opcode Fuzzy Hash: 0733623a119dadf0513f1e9eb5296fd16f16b4d0fca94859c3bc51d67999b0d7
Instruction Fuzzy Hash: BF213E72A54710AFDB226BA4BC4DB6973D4DB0DF51F100239F901E76D2DB709C408A51

Function 001E44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0020CC08), ref: 001E4527
_wcslen.LIBCMT ref: 001E453B
_wcslen.LIBCMT ref: 001E4599
_wcslen.LIBCMT ref: 001E45F4
_wcslen.LIBCMT ref: 001E463F
_wcslen.LIBCMT ref: 001E46A7

Part of subcall function 0018F9F2: _wcslen.LIBCMT ref: 0018F9FD

GetDriveTypeW.KERNEL32(?,00236BF0,00000061), ref: 001E4743

Strings

cdrom, xrefs: 001E458F, 001E4594
network, xrefs: 001E469D, 001E46A2
all, xrefs: 001E4531, 001E4536
unknown, xrefs: 001E4708
ramdisk, xrefs: 001E46F1
removable, xrefs: 001E45EA, 001E45EF
fixed, xrefs: 001E4635, 001E463A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: f3ff3ef752b3528163977f9b571835597ba936c65f3f373d7ef523258af1de0e
Instruction ID: ae529b0940987a3cf4f7ce39e7a20e1bf324749d358ef32d83b9e2f71a4435ef
Opcode Fuzzy Hash: f3ff3ef752b3528163977f9b571835597ba936c65f3f373d7ef523258af1de0e
Instruction Fuzzy Hash: 9AB134716087429FC714DF2AC890A6EB7F5BFA9724F50891DF09AC7291D730D845CB92

Function 0020911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

DragQueryPoint.SHELL32(?,?), ref: 00209147

Part of subcall function 00207674: ClientToScreen.USER32(?,?), ref: 0020769A
Part of subcall function 00207674: GetWindowRect.USER32(?,?), ref: 00207710
Part of subcall function 00207674: PtInRect.USER32(?,?,00208B89), ref: 00207720

SendMessageW.USER32(?,000000B0,?,?), ref: 002091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00209225
SendMessageW.USER32(?,000000B0,?,?), ref: 0020923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00209255
SendMessageW.USER32(?,000000B1,?,?), ref: 00209277
DragFinish.SHELL32(?), ref: 0020927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00209371

Strings

p#$, xrefs: 002092BB
@GUI_DRAGFILE, xrefs: 00209320
@GUI_DROPID, xrefs: 0020929E
@GUI_DRAGID, xrefs: 002092E9

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#$
API String ID: 221274066-1279969420
Opcode ID: 766dcad47a0711eae71d88bfc7aa16c3fe295f0a58e9c6021aa26701289b7db7
Instruction ID: 6bd1daa5d5ba01d40178f1c87199e91668063b067bc2425998f5b857e4c121c6
Opcode Fuzzy Hash: 766dcad47a0711eae71d88bfc7aa16c3fe295f0a58e9c6021aa26701289b7db7
Instruction Fuzzy Hash: 00617771108301AFC705DF64DC89DAFBBF8EF99350F104A1EF596921A2DB309A59CB52

Function 0017326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00241990), ref: 001B2F8D
GetMenuItemCount.USER32(00241990), ref: 001B303D
GetCursorPos.USER32(?), ref: 001B3081
SetForegroundWindow.USER32(00000000), ref: 001B308A
TrackPopupMenuEx.USER32(00241990,00000000,?,00000000,00000000,00000000), ref: 001B309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001B30A9

Strings

0, xrefs: 0017327D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 1d712302edf2dd04f3501b45fe5eca9ab3a47c57e96692bf48a4a976a6391497
Instruction ID: 6b87840e28e4c98299a7e2a06b4234d82ff2fb6a069c38b6becd0758ac99fc63
Opcode Fuzzy Hash: 1d712302edf2dd04f3501b45fe5eca9ab3a47c57e96692bf48a4a976a6391497
Instruction Fuzzy Hash: FD7148B0644205BEEB259F64DC89FEABF78FF05324F204206F5296A1E1C7B1AD14DB90

Function 00206CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00206DEB

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00206E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00206E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00206E94
DestroyWindow.USER32(?), ref: 00206EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00170000,00000000), ref: 00206EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00206EFD
GetDesktopWindow.USER32 ref: 00206F16
GetWindowRect.USER32(00000000), ref: 00206F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00206F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00206F4D

Part of subcall function 00189944: GetWindowLongW.USER32(?,000000EB), ref: 00189952

Strings

0, xrefs: 00206D98
tooltips_class32, xrefs: 00206E58, 00206EDD

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 1122e8255a66741ac9ea9cef50b0aaab9c35edf4a35d2f80059e64fc7e88ac6d
Instruction ID: 37804c0d61131fc0bb4588dfe095b41f96d3211b976205446eae17ee0c843520
Opcode Fuzzy Hash: 1122e8255a66741ac9ea9cef50b0aaab9c35edf4a35d2f80059e64fc7e88ac6d
Instruction Fuzzy Hash: 05717BB4114346AFDB25CF18EC4CE6ABBF9FB89304F14051DF989872A2C771A966CB11

Function 001EC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001EC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001EC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001EC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001EC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001EC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001EC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001EC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001EC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001EC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001EC5F0
InternetCloseHandle.WININET(00000000), ref: 001EC5FB

Strings

, xrefs: 001EC575

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 99edcf8d58d8a9b71e50cd0aeacd4f03923f1188b146adeabf18aa9f90fd8821
Instruction ID: 520daa482982edcc5e59c421c3795bf62dd259c21615a83079326436f9c61567
Opcode Fuzzy Hash: 99edcf8d58d8a9b71e50cd0aeacd4f03923f1188b146adeabf18aa9f90fd8821
Instruction Fuzzy Hash: 0C517FB0600B45BFDB219F61DD88AAF7BFCFF48344F10451AF94696251D730E9459BA0

Function 0020856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00208592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002085F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0020FC38,?), ref: 00208611
GlobalFree.KERNEL32(00000000), ref: 00208621
GetObjectW.GDI32(?,00000018,?), ref: 00208641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00208671
DeleteObject.GDI32(?), ref: 00208699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002086AF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: f25a1352de8e49c07eb30d5cef5daa48c01169dfe795402152b9040b42d3f61b
Instruction ID: 8d330a260736433ad7ef4d59e5dc3a0f18161e2198ec16a41352af9199a5f428
Opcode Fuzzy Hash: f25a1352de8e49c07eb30d5cef5daa48c01169dfe795402152b9040b42d3f61b
Instruction Fuzzy Hash: 22413CB1600305AFDB119F65DC8CEAB7BBCEF89711F118158F905E7292DB719901CB20

Function 001E14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001E1502
VariantCopy.OLEAUT32(?,?), ref: 001E150B
VariantClear.OLEAUT32(?), ref: 001E1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001E15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001E1657
VariantInit.OLEAUT32(?), ref: 001E1708
SysFreeString.OLEAUT32(?), ref: 001E178C
VariantClear.OLEAUT32(?), ref: 001E17D8
VariantClear.OLEAUT32(?), ref: 001E17E7
VariantInit.OLEAUT32(00000000), ref: 001E1823

Strings

Default, xrefs: 001E16AF
%4d%02d%02d%02d%02d%02d, xrefs: 001E1625

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 9be087f0c67872b6233121b3421cfa1b67f92c98ddc1a7c9369f5d8d664e2375
Instruction ID: 23efb0bdb34255384f5ce9ae95e62313c5eca87919c916ebad1283519ef14f8f
Opcode Fuzzy Hash: 9be087f0c67872b6233121b3421cfa1b67f92c98ddc1a7c9369f5d8d664e2375
Instruction Fuzzy Hash: 26D14671A00A45FBDB04EF66E888BBDB7B5BF46700F21815AF806AB185DB30DD41DB61

Function 001FB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FB6AE,?,?), ref: 001FC9B5
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FC9F1
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA68
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001FB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001FB80A
RegCloseKey.ADVAPI32(?), ref: 001FB87E
RegCloseKey.ADVAPI32(?), ref: 001FB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001FB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001FB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001FB922
FreeLibrary.KERNEL32(00000000), ref: 001FB983
RegCloseKey.ADVAPI32(00000000), ref: 001FB994

Strings

advapi32.dll, xrefs: 001FB8ED
RegDeleteKeyExW, xrefs: 001FB8FE

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 2da50dff0b7ab9aacea2b366649190a5403e13d3bbb6c9b978e3da027d09e9ed
Instruction ID: d6009258be8aa9537e2f1131dc369fc6b13fe8c5f81ae2a0de2d9130a6e702fb
Opcode Fuzzy Hash: 2da50dff0b7ab9aacea2b366649190a5403e13d3bbb6c9b978e3da027d09e9ed
Instruction Fuzzy Hash: CEC18A70208205EFD714DF24C4D5F2ABBE5BF94318F24859CE69A8B2A2CB71ED45CB91

Function 001F255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001F25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001F25E8
CreateCompatibleDC.GDI32(?), ref: 001F25F4
SelectObject.GDI32(00000000,?), ref: 001F2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001F266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001F26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001F26D0
SelectObject.GDI32(?,?), ref: 001F26D8
DeleteObject.GDI32(?), ref: 001F26E1
DeleteDC.GDI32(?), ref: 001F26E8
ReleaseDC.USER32(00000000,?), ref: 001F26F3

Strings

(, xrefs: 001F268D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c0e2b0f34ad3dbfba31f651f52d031bbe8ca4303525d8704e71f3d69e5c16ba8
Instruction ID: 3077275edcc6f2d816bf1790d37ebe94de3d4d588d850b685773e9b1129f0c85
Opcode Fuzzy Hash: c0e2b0f34ad3dbfba31f651f52d031bbe8ca4303525d8704e71f3d69e5c16ba8
Instruction Fuzzy Hash: 1D61F2B5D00219EFCF04CFA4D888AAEBBF6FF58310F208529EA59A7251D774A951CF50

Function 001ADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 001ADAA1

Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD659
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD66B
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD67D
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD68F
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6A1
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6B3
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6C5
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6D7
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6E9
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD6FB
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD70D
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD71F
Part of subcall function 001AD63C: _free.LIBCMT ref: 001AD731

_free.LIBCMT ref: 001ADA96

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001ADAB8
_free.LIBCMT ref: 001ADACD
_free.LIBCMT ref: 001ADAD8
_free.LIBCMT ref: 001ADAFA
_free.LIBCMT ref: 001ADB0D
_free.LIBCMT ref: 001ADB1B
_free.LIBCMT ref: 001ADB26
_free.LIBCMT ref: 001ADB5E
_free.LIBCMT ref: 001ADB65
_free.LIBCMT ref: 001ADB82
_free.LIBCMT ref: 001ADB9A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fa17c048496914e46a4575432aec4c7dddc6f3d648fc821bf7dc22354578b0a3
Instruction ID: eb38881f6a0c756b0127b0ee45300db4a60bbaf7e211e5e6a0d3ece67f85d651
Opcode Fuzzy Hash: fa17c048496914e46a4575432aec4c7dddc6f3d648fc821bf7dc22354578b0a3
Instruction Fuzzy Hash: 26316B39604B049FEB62AA38E845B6B77E8FF23714F114419E48AD7591DF30AC408721

Function 001D365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001D369C
_wcslen.LIBCMT ref: 001D36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001D3797
GetClassNameW.USER32(?,?,00000400), ref: 001D380C
GetDlgCtrlID.USER32(?), ref: 001D385D
GetWindowRect.USER32(?,?), ref: 001D3882
GetParent.USER32(?), ref: 001D38A0
ScreenToClient.USER32(00000000), ref: 001D38A7
GetClassNameW.USER32(?,?,00000100), ref: 001D3921
GetWindowTextW.USER32(?,?,00000400), ref: 001D395D

Strings

%s%u, xrefs: 001D3734

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 410d268e2dca5e48b145c7fbe0cb50f2f9a78d4b4e77a239a43be852e8b8bdea
Instruction ID: 13d102a691d7c65ef50f3d318437d545e4895e509b44b26c2123e2b009d09a9f
Opcode Fuzzy Hash: 410d268e2dca5e48b145c7fbe0cb50f2f9a78d4b4e77a239a43be852e8b8bdea
Instruction Fuzzy Hash: FE91EA71204706AFD719DF24C895FEAF7A8FF44354F00462AF9A9D2291DB30EA45CB92

Function 001D4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001D4994
GetWindowTextW.USER32(?,?,00000400), ref: 001D49DA
_wcslen.LIBCMT ref: 001D49EB
CharUpperBuffW.USER32(?,00000000), ref: 001D49F7
_wcsstr.LIBVCRUNTIME ref: 001D4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001D4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001D4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001D4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001D4B20
GetWindowRect.USER32(?,?), ref: 001D4B8B

Strings

ThumbnailClass, xrefs: 001D4A6F, 001D4AF1

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: ed1b196a8a7830d9230ed64bcd80e7648eb0094f86b744fd1be6cdb4f0aa6139
Instruction ID: a9c6f5d7ae90a33bd562008c5dae2cad59a755cdc861bb4540f5fc5f144c48e3
Opcode Fuzzy Hash: ed1b196a8a7830d9230ed64bcd80e7648eb0094f86b744fd1be6cdb4f0aa6139
Instruction Fuzzy Hash: 2E91BC710083059FDB14CF14C985BAA77E8FF94354F04856BFD8A9A296DB30ED45CBA1

Function 00208D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00208D5A
GetFocus.USER32 ref: 00208D6A
GetDlgCtrlID.USER32(00000000), ref: 00208D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00208E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00208ECF
GetMenuItemCount.USER32(?), ref: 00208EEC
GetMenuItemID.USER32(?,00000000), ref: 00208EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00208F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00208F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00208FA1

Strings

0, xrefs: 00208E9F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: a189a4310aafa27b293c1ffa86316d1ff975bceb3492f53d40c2a067c0355bef
Instruction ID: d69c2b07962cd7f278fff0cb76e2da2d9969ca280ccfd5f296d5e5e018b859d8
Opcode Fuzzy Hash: a189a4310aafa27b293c1ffa86316d1ff975bceb3492f53d40c2a067c0355bef
Instruction Fuzzy Hash: FE81A1715143029FDB10DF24D888A6B7BE9FB88354F140A1DF9C5972D2DB70D960CB62

Function 001DBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00241990,000000FF,00000000,00000030), ref: 001DBFAC
SetMenuItemInfoW.USER32(00241990,00000004,00000000,00000030), ref: 001DBFE1
Sleep.KERNEL32(000001F4), ref: 001DBFF3
GetMenuItemCount.USER32(?), ref: 001DC039
GetMenuItemID.USER32(?,00000000), ref: 001DC056
GetMenuItemID.USER32(?,-00000001), ref: 001DC082
GetMenuItemID.USER32(?,?), ref: 001DC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001DC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001DC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001DC145

Strings

0, xrefs: 001DBF3D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 1bf324e688aa11697e4920b4e10b7a3ba9749bdb871ca63c8eba580736f3d3da
Instruction ID: bce0ddb9c4376533bb3d51f4be688c7525b3b6f3a17f642f7e334990cf6f4779
Opcode Fuzzy Hash: 1bf324e688aa11697e4920b4e10b7a3ba9749bdb871ca63c8eba580736f3d3da
Instruction Fuzzy Hash: ED6190B4900256EFDF25CF64DC88AEEBBB8EB05344F544656F811A3392C731AD44CBA0

Function 001DDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001DDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001DDC46
_wcslen.LIBCMT ref: 001DDC50
_wcsstr.LIBVCRUNTIME ref: 001DDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001DDCBC

Strings

04090000, xrefs: 001DDCF2
StringFileInfo\, xrefs: 001DDC8F
%u.%u.%u.%u, xrefs: 001DDD9A
DefaultLangCodepage, xrefs: 001DDD1F
\VarFileInfo\Translation, xrefs: 001DDCB4

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: b9cc7efc74b8bfbcb48ad1e4f1a3e2fa368881aec4916049e22b2e3c8cfad0ad
Instruction ID: 497e8ade240e9aa32e83bbee0ea6eec14fb441067ef48d0e44d6e4355a0a60db
Opcode Fuzzy Hash: b9cc7efc74b8bfbcb48ad1e4f1a3e2fa368881aec4916049e22b2e3c8cfad0ad
Instruction Fuzzy Hash: FB4104729402007AEF14B774AC07EBF776CEF66710F14416AF900A62D3EB749A158BA5

Function 001FCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001FCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001FCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001FCD48

Part of subcall function 001FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001FCCAA
Part of subcall function 001FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001FCCBD
Part of subcall function 001FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001FCCCF
Part of subcall function 001FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001FCD05
Part of subcall function 001FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001FCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001FCCF3

Strings

advapi32.dll, xrefs: 001FCCB8
RegDeleteKeyExW, xrefs: 001FCCC9

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b8cae3fbf26e30e6ff680b5c21d8774b660802de16223e384a35af39dc405aa6
Instruction ID: d91520abcb2186fd24f06c0ab6a17f3cb353cd8a5e49a50c81f85280eb226512
Opcode Fuzzy Hash: b8cae3fbf26e30e6ff680b5c21d8774b660802de16223e384a35af39dc405aa6
Instruction Fuzzy Hash: A23160B190122DBBDB208B94DD8CEFFBB7CEF55750F100165AA05E2241D7349A45EAE0

Function 001E3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001E3D40
_wcslen.LIBCMT ref: 001E3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 001E3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001E3DBE
RemoveDirectoryW.KERNEL32(?), ref: 001E3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001E3E55
CloseHandle.KERNEL32(00000000), ref: 001E3E60
CloseHandle.KERNEL32(00000000), ref: 001E3E6B

Strings

\??\%s, xrefs: 001E3D5B
:, xrefs: 001E3D82
\, xrefs: 001E3D77

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b22e1c039617f4dbb89ba058f1d4ceb88b53da5fb0affbc0395693da75626195
Instruction ID: d0b5e4093ca2bd039acea3df7623eeb371274db452c27245ef250d8c9b0e69d8
Opcode Fuzzy Hash: b22e1c039617f4dbb89ba058f1d4ceb88b53da5fb0affbc0395693da75626195
Instruction Fuzzy Hash: EA31AFB2900249ABDB219BA1DC4DFEF37BDFF88700F6041A5F919D6061EB7097448B24

Function 001DE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001DE6B4

Part of subcall function 0018E551: timeGetTime.WINMM(?,?,001DE6D4), ref: 0018E555

Sleep.KERNEL32(0000000A), ref: 001DE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001DE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001DE727
SetActiveWindow.USER32 ref: 001DE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001DE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001DE773
Sleep.KERNEL32(000000FA), ref: 001DE77E
IsWindow.USER32 ref: 001DE78A
EndDialog.USER32(00000000), ref: 001DE79B

Strings

BUTTON, xrefs: 001DE719

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 80c8ef1d614f30f96ce6e8133cf7a0c1107e2360c5eaadf1acb95f3b65dcfd11
Instruction ID: ba5b764d96233d4d546e7a44f00bfb543d181afcab806a40cc3795182ef0abbc
Opcode Fuzzy Hash: 80c8ef1d614f30f96ce6e8133cf7a0c1107e2360c5eaadf1acb95f3b65dcfd11
Instruction Fuzzy Hash: 0321A7F4200310EFEB116F61FC8DA363BADF755349F510526F415852A2DB719C048A54

Function 001DE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001DEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001DEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001DEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001DEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001DEAA7

Strings

alias PlayMe, xrefs: 001DEA36
play PlayMe, xrefs: 001DEAA2
close PlayMe, xrefs: 001DEA6E, 001DEA9B
status PlayMe mode, xrefs: 001DEA58
open , xrefs: 001DEA0C
play PlayMe wait, xrefs: 001DEA91

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 1bca198d40ac3459b9ec9f6caffe9cf03919ae8f3861c98218c801bb0fe097cd
Instruction ID: ed3990d9110d407aa5995a0937f12887757ce361df001fe12975717d5a39e0d0
Opcode Fuzzy Hash: 1bca198d40ac3459b9ec9f6caffe9cf03919ae8f3861c98218c801bb0fe097cd
Instruction Fuzzy Hash: 59117371AA025979D720F7A1DC4EEFF7ABCEBE2B00F40442A7415A60D1EF700915C5B0

Function 001D5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 001D5CE2
GetWindowRect.USER32(00000000,?), ref: 001D5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001D5D59
GetDlgItem.USER32(?,00000002), ref: 001D5D69
GetWindowRect.USER32(00000000,?), ref: 001D5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 001D5DCF
GetDlgItem.USER32(?,000003E9), ref: 001D5DDD
GetWindowRect.USER32(00000000,?), ref: 001D5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 001D5E31
GetDlgItem.USER32(?,000003EA), ref: 001D5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001D5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 001D5E67

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d56a31af3158de9f58066403d1dd0cf85cc43cdc16c1bdfa08959a12a476f6e3
Instruction ID: ab8c97b66d4b0552161c2457cd437f5799b65262cf87f768c9eda9b5f7d2f0ca
Opcode Fuzzy Hash: d56a31af3158de9f58066403d1dd0cf85cc43cdc16c1bdfa08959a12a476f6e3
Instruction Fuzzy Hash: DA5104B1A00705AFDB14DF68DD89AAEBBBAFB48310F248229F515E7291D7709D00CB60

Function 00188BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00188F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00188BE8,?,00000000,?,?,?,?,00188BBA,00000000,?), ref: 00188FC5

DestroyWindow.USER32(?), ref: 00188C81
KillTimer.USER32(00000000,?,?,?,?,00188BBA,00000000,?), ref: 00188D1B
DestroyAcceleratorTable.USER32(00000000), ref: 001C6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00188BBA,00000000,?), ref: 001C69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00188BBA,00000000,?), ref: 001C69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00188BBA,00000000), ref: 001C69D4
DeleteObject.GDI32(00000000), ref: 001C69E6

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 8060bd8b8922c2f014f4bc5e581e319524aa3e827b2de687ca005f02fe404b65
Instruction ID: dfbc54025a2b62643c6515f9479049cf9622b0565a9693ecad713538f2552d60
Opcode Fuzzy Hash: 8060bd8b8922c2f014f4bc5e581e319524aa3e827b2de687ca005f02fe404b65
Instruction Fuzzy Hash: 1A617A74502710DFDB26AF14E94CB65B7F1FB51316F54461CE0429B9A4CB71EAA0CFA0

Function 00189838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00189944: GetWindowLongW.USER32(?,000000EB), ref: 00189952

GetSysColor.USER32(0000000F), ref: 00189862

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8b2766a83c0814ee4a1657fedc9ab71d03204ad0087e96a5e5def11858e731ba
Instruction ID: 48b4e57bc80494565be62e1c1f5e61ade2f80b25a42d042bd3fb7f3169d021f3
Opcode Fuzzy Hash: 8b2766a83c0814ee4a1657fedc9ab71d03204ad0087e96a5e5def11858e731ba
Instruction Fuzzy Hash: CE41A371104744AFDB206F38AC88BB93B65AB17334F284619F9A6872E2C7719E42DF10

Function 001D96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,001BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001D9717
LoadStringW.USER32(00000000,?,001BF7F8,00000001), ref: 001D9720

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,001BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001D9742
LoadStringW.USER32(00000000,?,001BF7F8,00000001), ref: 001D9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001D9866

Strings

^ ERROR, xrefs: 001D97FB
Line %d:, xrefs: 001D97A0
Line %d (File "%s"):, xrefs: 001D978F
Error: , xrefs: 001D981D
%s (%d) : ==> %s: %s %s, xrefs: 001D984A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b503097d81d50bb26ce17f85186755120d1f587964657b562b94d27b1546bf05
Instruction ID: 8033612dfa7bf55a980ad696ad351c4c423a2bea707dd39c475ff3a0c5351d47
Opcode Fuzzy Hash: b503097d81d50bb26ce17f85186755120d1f587964657b562b94d27b1546bf05
Instruction Fuzzy Hash: BA416D72800209AACF14FBE0DD86DEEB77CAF25340F608165F60972192EB356F48DB61

Function 001D06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001D07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001D07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001D07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001D0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001D082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001D0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001D083C

Strings

\CLSID, xrefs: 001D0724
SOFTWARE\Classes\, xrefs: 001D070E
\IPC$, xrefs: 001D0784

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 836545b4dfcb4fc0693f75d7113eb2bb00d304383720b7bb5cf52c8f0b06ef96
Instruction ID: 2c8531d0af753ea143cd3b816e2a69caa49ae72df07ae6337436111e412f0144
Opcode Fuzzy Hash: 836545b4dfcb4fc0693f75d7113eb2bb00d304383720b7bb5cf52c8f0b06ef96
Instruction Fuzzy Hash: F8410A72C10229ABDF15EBA4DC85DEDB778FF58350F548129E915A72A1EB305E04CB90

Function 001F3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001F3C5C
CoInitialize.OLE32(00000000), ref: 001F3C8A
CoUninitialize.OLE32 ref: 001F3C94
_wcslen.LIBCMT ref: 001F3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001F3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001F3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001F3F0E
CoGetObject.OLE32(?,00000000,0020FB98,?), ref: 001F3F2D
SetErrorMode.KERNEL32(00000000), ref: 001F3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001F3FC4
VariantClear.OLEAUT32(?), ref: 001F3FD8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: b03ac51bae7a9ce5de316c77f242da63f8d77bfb473bc32fadcdecfe76339ec8
Instruction ID: 0286e0f55f3451eadff408536309036710c3c2faea74b6c3e3cc76e900d89be5
Opcode Fuzzy Hash: b03ac51bae7a9ce5de316c77f242da63f8d77bfb473bc32fadcdecfe76339ec8
Instruction Fuzzy Hash: A3C136B16083099FD700DF68C88492BB7E9FF89748F14491DFA9A9B251D731EE06CB52

Function 001E7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001E7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001E7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001E7BA3
CoCreateInstance.OLE32(0020FD08,00000000,00000001,00236E6C,?), ref: 001E7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001E7C74
CoTaskMemFree.OLE32(?,?), ref: 001E7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001E7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001E7D7A
CoTaskMemFree.OLE32(00000000), ref: 001E7D81
CoTaskMemFree.OLE32(00000000), ref: 001E7DD6
CoUninitialize.OLE32 ref: 001E7DDC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 470335ed484af70e7109beb10edd52cda012ef28a94b4d9013091622ed4b9bdf
Instruction ID: adadb7f534b05f5f072db425230e3ad3c61d41309a7fde6781b725798ec170f0
Opcode Fuzzy Hash: 470335ed484af70e7109beb10edd52cda012ef28a94b4d9013091622ed4b9bdf
Instruction Fuzzy Hash: F9C15C74A04609AFDB14DFA4C888DAEBBF9FF48304B148198E409DB261D730EE41CB90

Function 0020541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00205504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00205515
CharNextW.USER32(00000158), ref: 00205544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00205585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0020559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002055AC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 6c60dd76169fffe6ac9535bbb23b3adb2d8535d2dcba19fcffaf808c10e49a61
Instruction ID: a2afdd8277381db9472a56fdec94594c78697e755c8e0ebe668a4e5b75a20446
Opcode Fuzzy Hash: 6c60dd76169fffe6ac9535bbb23b3adb2d8535d2dcba19fcffaf808c10e49a61
Instruction Fuzzy Hash: 88618D74920729ABDF108F54DC88DFF7BB9EB05320F104145F925A62D2D7749AA1DF60

Function 001CFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001CFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 001CFB08
VariantInit.OLEAUT32(?), ref: 001CFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 001CFB3A
VariantCopy.OLEAUT32(?,?), ref: 001CFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 001CFBA1
VariantClear.OLEAUT32(?), ref: 001CFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 001CFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001CFBCC
VariantClear.OLEAUT32(?), ref: 001CFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001CFBE9

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a17585d072a6ca4e207ea034204370c415176264e6fb4d38a2fe1a68a26b59fd
Instruction ID: ebdef8c02715f14caf98b6bc57282c704a7bd627aef455c4fd6c24e263a7f4b8
Opcode Fuzzy Hash: a17585d072a6ca4e207ea034204370c415176264e6fb4d38a2fe1a68a26b59fd
Instruction Fuzzy Hash: DD413075A002199FCB04DF64D858EEDBBB9FF58344F10816DE945A7262C730EE46CB90

Function 001D9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001D9CA1
GetAsyncKeyState.USER32(000000A0), ref: 001D9D22
GetKeyState.USER32(000000A0), ref: 001D9D3D
GetAsyncKeyState.USER32(000000A1), ref: 001D9D57
GetKeyState.USER32(000000A1), ref: 001D9D6C
GetAsyncKeyState.USER32(00000011), ref: 001D9D84
GetKeyState.USER32(00000011), ref: 001D9D96
GetAsyncKeyState.USER32(00000012), ref: 001D9DAE
GetKeyState.USER32(00000012), ref: 001D9DC0
GetAsyncKeyState.USER32(0000005B), ref: 001D9DD8
GetKeyState.USER32(0000005B), ref: 001D9DEA

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e8b076a89b4bb845d73318502874f9a285038337716e55d50b781bfbfe782fd5
Instruction ID: 734d5d6058ff2815acd52e52b9bb6a23e1b9cf59240056421e863a3950193aaf
Opcode Fuzzy Hash: e8b076a89b4bb845d73318502874f9a285038337716e55d50b781bfbfe782fd5
Instruction Fuzzy Hash: 66410A74504BC96DFF3097A4C8043B6BEE1AF11344F44805BDAC65B7C2EBA5A9C8C7A2

Function 001F055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001F05BC
inet_addr.WSOCK32(?), ref: 001F061C
gethostbyname.WSOCK32(?), ref: 001F0628
IcmpCreateFile.IPHLPAPI ref: 001F0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001F06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001F06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001F07B9
WSACleanup.WSOCK32 ref: 001F07BF

Strings

Ping, xrefs: 001F0676

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ed8770a8f48d8e361f53da58b118e9c478201cf8efc40ad74a209d1781e69d89
Instruction ID: 521589b5a1ffa2693282537d5a5a8c720f60926ace0cc219a6a45de1d23fd1c8
Opcode Fuzzy Hash: ed8770a8f48d8e361f53da58b118e9c478201cf8efc40ad74a209d1781e69d89
Instruction Fuzzy Hash: 7591AF746083019FD721DF15D888F2ABBE0AF48318F1586A9F5A98B6A3C770ED41CF91

Function 001F8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001F8CF3

Part of subcall function 001D8E54: _wcslen.LIBCMT ref: 001D8E77

_wcslen.LIBCMT ref: 001F8D4E
_wcslen.LIBCMT ref: 001F8D9C
_wcslen.LIBCMT ref: 001F8DDC
_wcslen.LIBCMT ref: 001F8E6E

Strings

stdcall, xrefs: 001F8DD6, 001F8DDB
cdecl, xrefs: 001F8D48, 001F8D4D
winapi, xrefs: 001F8D96, 001F8D9B
none, xrefs: 001F8E65, 001F8E6A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 959334245fc98c62c6f80c0cc1410274732103c0ffec7c190bcdd5b2abf85067
Instruction ID: bd942c06a7236f151d0b5059f8fe48ac2c17bbb6c8fab36f8bba444262279d3d
Opcode Fuzzy Hash: 959334245fc98c62c6f80c0cc1410274732103c0ffec7c190bcdd5b2abf85067
Instruction Fuzzy Hash: 0051B272A0051A9BCF24DFACC9518BEB7A5BF74324B214229E626E72C5DF30DD41C790

Function 001F372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001F3774
CoUninitialize.OLE32 ref: 001F377F
CoCreateInstance.OLE32(?,00000000,00000017,0020FB78,?), ref: 001F37D9
IIDFromString.OLE32(?,?), ref: 001F384C
VariantInit.OLEAUT32(?), ref: 001F38E4
VariantClear.OLEAUT32(?), ref: 001F3936

Strings

Failed to create object, xrefs: 001F37E4, 001F389A
Invalid parameter, xrefs: 001F3865
NULL Pointer assignment, xrefs: 001F381E

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 37169320f417df2f6ef5bb3567c7bc85172628f3405cb8a7ea88dd6881e1658b
Instruction ID: ede2d0a71b05800e4e7de2b24ae6002061c72db33adae86cd7002238683550bb
Opcode Fuzzy Hash: 37169320f417df2f6ef5bb3567c7bc85172628f3405cb8a7ea88dd6881e1658b
Instruction Fuzzy Hash: 4161E0B0208305AFD311EF54D888F6AB7E8EF49740F104A09FA959B291C770EE48CB92

Function 00208B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

Part of subcall function 0018912D: GetCursorPos.USER32(?), ref: 00189141
Part of subcall function 0018912D: ScreenToClient.USER32(00000000,?), ref: 0018915E
Part of subcall function 0018912D: GetAsyncKeyState.USER32(00000001), ref: 00189183
Part of subcall function 0018912D: GetAsyncKeyState.USER32(00000002), ref: 0018919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00208B6B
ImageList_EndDrag.COMCTL32 ref: 00208B71
ReleaseCapture.USER32 ref: 00208B77
SetWindowTextW.USER32(?,00000000), ref: 00208C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00208C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00208CFF

Strings

p#$, xrefs: 00208C71
@GUI_DRAGFILE, xrefs: 00208C9A
@GUI_DROPID, xrefs: 00208C51

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#$
API String ID: 1924731296-1082444028
Opcode ID: b5bb6ef61858e4a94a78ee994a6e1342f8389860e57a38c19a420d7c1bee5f14
Instruction ID: 8d519ca5aadf6e868cc0e895e0f021cebab6705c54a64af4814716afcc712a3e
Opcode Fuzzy Hash: b5bb6ef61858e4a94a78ee994a6e1342f8389860e57a38c19a420d7c1bee5f14
Instruction Fuzzy Hash: F0519C71114304AFE704EF24DC5AFAA77E4FB88714F40062DF996572E2CB709964CB62

Function 001E3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001E33CF

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001E33F0

Strings

Incorrect parameters to object property !, xrefs: 001E34AB
^ ERROR , xrefs: 001E349E
Line %d (File "%s"):, xrefs: 001E3443, 001E345C
Error: , xrefs: 001E34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 001E3504
"%s" (%d) : ==> %s:, xrefs: 001E3522

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 27b6377370590c5e02405eebfd90e1665947b81b9c6b006ffb20216e8089fa72
Instruction ID: 0cb38abac47d58780b91f60d3cae96962e8d93d26321b52a4ef79f5d62d74152
Opcode Fuzzy Hash: 27b6377370590c5e02405eebfd90e1665947b81b9c6b006ffb20216e8089fa72
Instruction Fuzzy Hash: EA51D171D00609BADF15EBA0DD4AEEEB778AF25300F208065F11973192EB312F68DB61

Function 001DB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001DB5FC
_wcslen.LIBCMT ref: 001DB608
_wcslen.LIBCMT ref: 001DB64D
_wcslen.LIBCMT ref: 001DB68C
_wcslen.LIBCMT ref: 001DB6C7

Strings

REMOVE, xrefs: 001DB602, 001DB607
KEYS, xrefs: 001DB647, 001DB64C
APPEND, xrefs: 001DB6C1, 001DB6C6
EXISTS, xrefs: 001DB686, 001DB68B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 98d248d4419c73e899da0b121f904593877680546cee7fc0c62794db37b83e73
Instruction ID: 48bab2a46f151258f65831de77aaa3a1702d4b1bcc7f00be1ce62c66ae7d65e0
Opcode Fuzzy Hash: 98d248d4419c73e899da0b121f904593877680546cee7fc0c62794db37b83e73
Instruction Fuzzy Hash: 6241E832A08026DBCB105F7D88D05BEB7A5EFA4754B66422BE422D7384E735CD81C790

Function 001E5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001E53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001E5416
GetLastError.KERNEL32 ref: 001E5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001E54A7

Strings

INVALID, xrefs: 001E5459
UNKNOWN, xrefs: 001E5444
NOTREADY, xrefs: 001E544B
READONLY, xrefs: 001E5452
READY, xrefs: 001E5460, 001E5468

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 839c60b152e060d53598135fd0b38269bf3351059fe1542047f89174d2b3a932
Instruction ID: a69a87a2c1bfff965ae17eea8666c92ebfea085a2b3d3ce4c5546a9e7c982317
Opcode Fuzzy Hash: 839c60b152e060d53598135fd0b38269bf3351059fe1542047f89174d2b3a932
Instruction Fuzzy Hash: 0531D075A00A44DFC710DF69D488AAEBBF9EF14309F148065E405CB292E770ED86CBA0

Function 00203C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00203C79
SetMenu.USER32(?,00000000), ref: 00203C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00203D10
IsMenu.USER32(?), ref: 00203D24
CreatePopupMenu.USER32 ref: 00203D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00203D5B
DrawMenuBar.USER32 ref: 00203D63

Strings

F, xrefs: 00203D4E
0, xrefs: 00203C54

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 9abaa385cdacba33ec179fd1edd5c1ee9480271aac23a93702f9c04238c51b59
Instruction ID: b4af2a5fc10dc9167d2d2bd650163e042169407dba6618381f5106b50a823e0c
Opcode Fuzzy Hash: 9abaa385cdacba33ec179fd1edd5c1ee9480271aac23a93702f9c04238c51b59
Instruction Fuzzy Hash: 09417FB9611306EFDB14CF54E848A9A7BB9FF49350F140129F946A73A1D770AA20DF50

Function 001D1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 001D1F64
GetDlgCtrlID.USER32 ref: 001D1F6F
GetParent.USER32 ref: 001D1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 001D1F8E
GetDlgCtrlID.USER32(?), ref: 001D1F97
GetParent.USER32(?), ref: 001D1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 001D1FAE

Strings

ListBox, xrefs: 001D1F21
ComboBox, xrefs: 001D1EEC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 4fc5f14fd64eb2ad02cd9db49a197b68d75d5b3c1c1356cad74e5859a24f1264
Instruction ID: 31922dacdc429ee6e737a58adb19ff3d7393570fbbce2e8d2cfaf29df03b0132
Opcode Fuzzy Hash: 4fc5f14fd64eb2ad02cd9db49a197b68d75d5b3c1c1356cad74e5859a24f1264
Instruction Fuzzy Hash: 0921D4B0A00214BBCF19AFA0DC85DEEBBB8EF55310F104216F965A7292CB355919DB60

Function 00203A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00203A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00203AA0
GetWindowLongW.USER32(?,000000F0), ref: 00203AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00203AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00203B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00203BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00203BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00203BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00203BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00203C13

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 54c97949d3f0a6a03ae2d43f9fd1a7f96d4cfdae748de6c670889e2963308ed8
Instruction ID: 13416c1678561bbd96e95726bf9a16f890bd800fafb59013df24ff2b8f84c218
Opcode Fuzzy Hash: 54c97949d3f0a6a03ae2d43f9fd1a7f96d4cfdae748de6c670889e2963308ed8
Instruction Fuzzy Hash: 18618C75900208AFDB10DF68CC81EEE77B8EB49704F10019AFA15E72E2D770AE91DB50

Function 001DB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001DB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB165
GetWindowThreadProcessId.USER32(00000000), ref: 001DB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001DB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001DA1E1,?,00000001), ref: 001DB21D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 6d92dfc34cd626990efba23a7562694a0b124f80d6cad36a13b97b6905840fb9
Instruction ID: 7c8cbc7886f500e39492fc6385b474672f704bed595381e9a67fc512af99c96e
Opcode Fuzzy Hash: 6d92dfc34cd626990efba23a7562694a0b124f80d6cad36a13b97b6905840fb9
Instruction Fuzzy Hash: 8F3180BA504204EFDB20DF24FCCCB6D7BB9AB52355F214216FA06D6291D7B4A9408F60

Function 001A2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001A2C94

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001A2CA0
_free.LIBCMT ref: 001A2CAB
_free.LIBCMT ref: 001A2CB6
_free.LIBCMT ref: 001A2CC1
_free.LIBCMT ref: 001A2CCC
_free.LIBCMT ref: 001A2CD7
_free.LIBCMT ref: 001A2CE2
_free.LIBCMT ref: 001A2CED
_free.LIBCMT ref: 001A2CFB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 072b2ba1a88231a8fbe2310b8eae45f1b617764bf5ac32e30e4aba13f37a7277
Instruction ID: db9bb5ae162f5d728e6c4af8ab7083b21a499ef4a223cff2f5c94c29c8488a57
Opcode Fuzzy Hash: 072b2ba1a88231a8fbe2310b8eae45f1b617764bf5ac32e30e4aba13f37a7277
Instruction Fuzzy Hash: 4611B97A100118BFCB42EF58D842CEE3BA5FF16754F4144A5FA489F222D731EE509B91

Function 00171410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00171459
OleUninitialize.OLE32(?,00000000), ref: 001714F8
UnregisterHotKey.USER32(?), ref: 001716DD
DestroyWindow.USER32(?), ref: 001B24B9
FreeLibrary.KERNEL32(?), ref: 001B251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001B254B

Strings

close all, xrefs: 00171454

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c3b017255a17f9886028136a2036d85af89cf85e0e5f0a0b4b549b0831994f91
Instruction ID: 35eb3396b6b4ad36bed689419b8d3effd9453c3b803c93770f94026a58a1bef2
Opcode Fuzzy Hash: c3b017255a17f9886028136a2036d85af89cf85e0e5f0a0b4b549b0831994f91
Instruction Fuzzy Hash: C8D1AF31701212DFCB29EF18C499AA9F7B0BF15700F25829DE84A6B252DB30ED16CF50

Function 001E7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001E7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 001E7FC1
GetFileAttributesW.KERNEL32(?), ref: 001E7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 001E8005
SetCurrentDirectoryW.KERNEL32(?), ref: 001E8017
SetCurrentDirectoryW.KERNEL32(?), ref: 001E8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001E80B0

Strings

*.*, xrefs: 001E8066

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e8eefaed0ba66fa3c1a84e25af557bb9ec1ae823966be974e3a6fc9950937536
Instruction ID: 34a8da9e99840ca0708b102b2480cfbb29cfe523e7976d221e2b874e8a51c622
Opcode Fuzzy Hash: e8eefaed0ba66fa3c1a84e25af557bb9ec1ae823966be974e3a6fc9950937536
Instruction Fuzzy Hash: BA81C0725087819BDB24EF16C8449AEB3E8BF99310F144C5EF889D7291EB34DD49CB92

Function 00175BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00175C7A

Part of subcall function 00175D0A: GetClientRect.USER32(?,?), ref: 00175D30
Part of subcall function 00175D0A: GetWindowRect.USER32(?,?), ref: 00175D71
Part of subcall function 00175D0A: ScreenToClient.USER32(?,?), ref: 00175D99

GetDC.USER32 ref: 001B46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001B4708
SelectObject.GDI32(00000000,00000000), ref: 001B4716
SelectObject.GDI32(00000000,00000000), ref: 001B472B
ReleaseDC.USER32(?,00000000), ref: 001B4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001B47C4

Strings

U, xrefs: 001B4693

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 539d512b2c7d3f87b026cb93878aa29653bfa0285c997fa833e06852a646c71d
Instruction ID: 846395b535677321b179f0cf5cb89797f7bb0604b08a83eb4c8c114cc39c2165
Opcode Fuzzy Hash: 539d512b2c7d3f87b026cb93878aa29653bfa0285c997fa833e06852a646c71d
Instruction Fuzzy Hash: EC71F234400205DFCF25CF64C985AFA7BB6FF4A360F248269ED559A1A7C7319851DF50

Function 001E359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001E35E4

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

LoadStringW.USER32(00242390,?,00000FFF,?), ref: 001E360A

Strings

^ ERROR, xrefs: 001E36C9
Line %d (File "%s"):, xrefs: 001E366B
Error: , xrefs: 001E36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 001E3724
"%s" (%d) : ==> %s:, xrefs: 001E3742

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: e006dcb2cd8d57c8c34e25ddf74af9245da221de036a7b7c475e1de716f2f166
Instruction ID: 579864fc795312c2d2a5b2ecb982bef8eb35505d42e7a76087aa53582f3ff491
Opcode Fuzzy Hash: e006dcb2cd8d57c8c34e25ddf74af9245da221de036a7b7c475e1de716f2f166
Instruction Fuzzy Hash: 13519F71C00649BBCF15EBA1DC46EEEBB78AF25300F148165F119721A2EB311B99DF61

Function 001EC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001EC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001EC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001EC2CA
GetLastError.KERNEL32 ref: 001EC322
SetEvent.KERNEL32(?), ref: 001EC336
InternetCloseHandle.WININET(00000000), ref: 001EC341

Strings

, xrefs: 001EC2BB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 15a8c2e57d89e19d8104729fcf47d22b091c409bde69f4fc60eac748089b79a8
Instruction ID: 57eb97711102ef58fe120813f48d413273eb9ba286fbe56ce71f5701fd975938
Opcode Fuzzy Hash: 15a8c2e57d89e19d8104729fcf47d22b091c409bde69f4fc60eac748089b79a8
Instruction Fuzzy Hash: 99319FB1500B44AFD7219F669C88AAFBBFCFB59740B14851EF44692211DB30DD068BA0

Function 001D989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001B3AAF,?,?,Bad directive syntax error,0020CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001D98BC
LoadStringW.USER32(00000000,?,001B3AAF,?), ref: 001D98C3

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001D9987

Strings

Error: , xrefs: 001D9955
Line %d:, xrefs: 001D9912
Line %d (File "%s"):, xrefs: 001D992D
., xrefs: 001D996D
%s (%d) : ==> %s.: %s %s, xrefs: 001D98F1

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 98a5dfd23617c36a6d72aca0321ec06ed40d4a62e5dcfe97655159a3f0659d0d
Instruction ID: 375ebe092a876e387e606181833b52c13a528e3e7b29b44886c63105d7aa4d32
Opcode Fuzzy Hash: 98a5dfd23617c36a6d72aca0321ec06ed40d4a62e5dcfe97655159a3f0659d0d
Instruction Fuzzy Hash: 43219171C1021EBBCF25AF90CC1AEEE7739FF28704F04845AF519660A2EB319628DB11

Function 001D209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001D20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001D20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001D214D

Strings

SHELLDLL_DefView, xrefs: 001D20CC
largeicons, xrefs: 001D20E1
smallicons, xrefs: 001D2115
list, xrefs: 001D212F
details, xrefs: 001D20FB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d967b7a5d984b6ae594b5e7d9b3e0519321f954700e9e2a456a8b3662f65c1b7
Instruction ID: 9b85c6f50f48585821d5aafc3ca9604f17f5b2822d8578879630aad6399c119d
Opcode Fuzzy Hash: d967b7a5d984b6ae594b5e7d9b3e0519321f954700e9e2a456a8b3662f65c1b7
Instruction Fuzzy Hash: FB1159B6288316BAFA152320EC0BCA6739CCF25328F204217FB09A51D2FF71A8135614

Function 001A8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8710b689cff5a9479aadfbb8b91e3c05ee50043f0914071766016be2aac33c33
Instruction ID: e4dd31befff801b02cad726c7c7bf35e039f80babdf64e4d1602a4b8d077f7f1
Opcode Fuzzy Hash: 8710b689cff5a9479aadfbb8b91e3c05ee50043f0914071766016be2aac33c33
Instruction Fuzzy Hash: 8AC1E27CD04249AFDF11DFA8D985BADBBB4AF1B310F144199F918A7392CB309981CB61

Function 001ACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 001ACEB7
_free.LIBCMT ref: 001ACF22
_free.LIBCMT ref: 001ACF48
_free.LIBCMT ref: 001ACF71
_free.LIBCMT ref: 001ACFA9
_free.LIBCMT ref: 001ACFDA
_free.LIBCMT ref: 001AD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 001AD09C
_free.LIBCMT ref: 001AD0B5

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c332a659cf95c4b1188fa14af8c591faa247df0b1ef421939d9d027badc749eb
Instruction ID: 3712c5b2d07b24a88c53b5ae060f80895b0a34f78a38d20b289f35553ed99c62
Opcode Fuzzy Hash: c332a659cf95c4b1188fa14af8c591faa247df0b1ef421939d9d027badc749eb
Instruction Fuzzy Hash: D06165BAD04310AFDF25AFB8A885A7A7BA5EF13720F04416DFA55A7282D7319D0187D0

Function 00188B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 001C6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001C68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001C68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001C68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001C68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00188874,00000000,00000000,00000000,000000FF,00000000), ref: 001C6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001C691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00188874,00000000,00000000,00000000,000000FF,00000000), ref: 001C692D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0ac4499206e34a00d8f62cd9a5c43f0a291818b0f8d256717be76857e4345274
Instruction ID: 923286f28d3f95e7f71d0200b2edd0254c89ed2fe6653bde7f72bd91917ef965
Opcode Fuzzy Hash: 0ac4499206e34a00d8f62cd9a5c43f0a291818b0f8d256717be76857e4345274
Instruction Fuzzy Hash: 865169B4600309AFDB24EF24DC95FAA7BB5FB98750F104618F916972A0DB70EA90DF50

Function 001EC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001EC182
GetLastError.KERNEL32 ref: 001EC195
SetEvent.KERNEL32(?), ref: 001EC1A9

Part of subcall function 001EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001EC272
Part of subcall function 001EC253: GetLastError.KERNEL32 ref: 001EC322
Part of subcall function 001EC253: SetEvent.KERNEL32(?), ref: 001EC336
Part of subcall function 001EC253: InternetCloseHandle.WININET(00000000), ref: 001EC341

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: c7bf1f451f0fbca9a28c4f824b3b43ae4d132d5facd5ecb6131d396173049d28
Instruction ID: 74cbf73b471e0379dbf4e851e7b55152351ad239ecea4bbb536f8971e4fdfa72
Opcode Fuzzy Hash: c7bf1f451f0fbca9a28c4f824b3b43ae4d132d5facd5ecb6131d396173049d28
Instruction Fuzzy Hash: B53192B1100B82EFDB259FA6EC48A6BBBF9FF58300B14451DFA5682611D730E815DBA0

Function 001D25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001D3A57
Part of subcall function 001D3A3D: GetCurrentThreadId.KERNEL32 ref: 001D3A5E
Part of subcall function 001D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001D25B3), ref: 001D3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001D25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001D25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001D25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001D25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001D2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001D2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001D260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001D2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001D2627

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 400941fc0bcb131190f1b242a8c09a9b1d8160999ae6584e502ae52b4bc2dafe
Instruction ID: 3f8cdf075cae21225adc2724c3df126201a183c99f68324caae4a5d76cd1b532
Opcode Fuzzy Hash: 400941fc0bcb131190f1b242a8c09a9b1d8160999ae6584e502ae52b4bc2dafe
Instruction Fuzzy Hash: AE01D871390310BBFB206768AC8EF597F5DDB5EB11F200112F328AF1D2C9F254448AAA

Function 001D1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001D1449,?,?,00000000), ref: 001D180C
HeapAlloc.KERNEL32(00000000,?,001D1449,?,?,00000000), ref: 001D1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001D1449,?,?,00000000), ref: 001D1828
GetCurrentProcess.KERNEL32(?,00000000,?,001D1449,?,?,00000000), ref: 001D1830
DuplicateHandle.KERNEL32(00000000,?,001D1449,?,?,00000000), ref: 001D1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001D1449,?,?,00000000), ref: 001D1843
GetCurrentProcess.KERNEL32(001D1449,00000000,?,001D1449,?,?,00000000), ref: 001D184B
DuplicateHandle.KERNEL32(00000000,?,001D1449,?,?,00000000), ref: 001D184E
CreateThread.KERNEL32(00000000,00000000,001D1874,00000000,00000000,00000000), ref: 001D1868

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 91cee7b87dbb0192dcc84f15ec56f0ac6dd3646a51488d5fc36e4a5ea9a542f6
Instruction ID: 38b5fa05fa50313692e502d0c9998596d37c1b133d8786d8b7e715fc91b7dd43
Opcode Fuzzy Hash: 91cee7b87dbb0192dcc84f15ec56f0ac6dd3646a51488d5fc36e4a5ea9a542f6
Instruction Fuzzy Hash: B401BFB5240304BFE710AB65EC4DF577B6CEB89B11F104511FA05DB192C6709800CB20

Function 001FA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001DD501
Part of subcall function 001DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001DD50F
Part of subcall function 001DD4DC: CloseHandle.KERNEL32(00000000), ref: 001DD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FA16D
GetLastError.KERNEL32 ref: 001FA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001FA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001FA268
GetLastError.KERNEL32(00000000), ref: 001FA273
CloseHandle.KERNEL32(00000000), ref: 001FA2C4

Strings

SeDebugPrivilege, xrefs: 001FA18F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7fcb947b4b05d716446b70adcdaed457710322fcf256ac5970596310495003a0
Instruction ID: 9f4c3ca2ce3f8bfc494ce4297bfbdbd330f3ee7b544e13d0dce0470e12100c48
Opcode Fuzzy Hash: 7fcb947b4b05d716446b70adcdaed457710322fcf256ac5970596310495003a0
Instruction Fuzzy Hash: AE61B0B0208242AFD710DF18C494F29BBE1AF54318F59C48CE56A4B7A3C776ED45CB92

Function 00203886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00203925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0020393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00203954
_wcslen.LIBCMT ref: 00203999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002039F4

Strings

SysListView32, xrefs: 002038F7

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 8fc33ed5cd36620aa9eeb03a919ef7f403c0395a461fee3ab9cf17980772fdd3
Instruction ID: 5549e3558b11b54f898d3abbe4751049918eb998d99f94049b5b3edb0043914d
Opcode Fuzzy Hash: 8fc33ed5cd36620aa9eeb03a919ef7f403c0395a461fee3ab9cf17980772fdd3
Instruction Fuzzy Hash: 9D419371A10319ABEF21DF64CC49BEA77ADEF48350F100566F958E72C2D77199A0CB90

Function 001DBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001DBCFD
IsMenu.USER32(00000000), ref: 001DBD1D
CreatePopupMenu.USER32 ref: 001DBD53
GetMenuItemCount.USER32(00CB5EE0), ref: 001DBDA4
InsertMenuItemW.USER32(00CB5EE0,?,00000001,00000030), ref: 001DBDCC

Strings

2, xrefs: 001DBD37
0, xrefs: 001DBCA8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f3fd318f8f3f1ae61387295bb89f0597458f6b6878eca6320640a01628a0e731
Instruction ID: 8d5bdadbb2119adadae628265c2b7f0f8b64afa3557224c927fcfb874b61bf89
Opcode Fuzzy Hash: f3fd318f8f3f1ae61387295bb89f0597458f6b6878eca6320640a01628a0e731
Instruction Fuzzy Hash: 49519E70608A05DBDF14CFE8D8C8BAEBBF6BF59318F25425AE442A7391D7709940CB61

Function 001DC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001DC913

Strings

warning, xrefs: 001DC8FC
stop, xrefs: 001DC8E4
blank, xrefs: 001DC895
question, xrefs: 001DC8CC
info, xrefs: 001DC8B4

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 30d5c5faecb02c39474717dfc530c9ea5b80ac500a86944934438a96fd99572d
Instruction ID: 2e35b3d5ce44e91a88809e78861bf84496a7cb3ac17c660e94df2d81ad20e3d8
Opcode Fuzzy Hash: 30d5c5faecb02c39474717dfc530c9ea5b80ac500a86944934438a96fd99572d
Instruction Fuzzy Hash: D1113D32689307BBEB095B54DC93CAA679CDF16328B60452FF501A6382D7705D0092E4

Function 001DDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001DDE42
gethostname.WSOCK32(?,00000100), ref: 001DDE5C
gethostbyname.WSOCK32(?), ref: 001DDE69
inet_ntoa.WSOCK32(?), ref: 001DDEAB
_strcat.LIBCMT ref: 001DDEB9
WSACleanup.WSOCK32 ref: 001DDEDE

Strings

0.0.0.0, xrefs: 001DDE87

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 91086013588fdde9cc7158b901e469c06acdd7b1303052fa5a4058171ed95014
Instruction ID: 8c8eb39cd613516427ba20487270903377f3a2be934ef401ec489800f46b0ce4
Opcode Fuzzy Hash: 91086013588fdde9cc7158b901e469c06acdd7b1303052fa5a4058171ed95014
Instruction Fuzzy Hash: 2D110A71504204AFDB246B64EC0AEDE77BCDF25711F1101AAF40596292EF718A818B51

Function 001DED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001DED2A
_wcslen.LIBCMT ref: 001DED3B
_wcslen.LIBCMT ref: 001DED79
_wcslen.LIBCMT ref: 001DEDAF
_wcslen.LIBCMT ref: 001DEDDF
_wcslen.LIBCMT ref: 001DEDEF
_wcslen.LIBCMT ref: 001DEE2B
_wcslen.LIBCMT ref: 001DEE5A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: c35aa9a892ddea8c95522bb86f4974fb1b8bc61352d9190a522f777c0b486a8e
Instruction ID: 722078e8704b7993958697dd7ddf7e8c70424de324e2ac9f2660a1f701e224b3
Opcode Fuzzy Hash: c35aa9a892ddea8c95522bb86f4974fb1b8bc61352d9190a522f777c0b486a8e
Instruction Fuzzy Hash: 75418065C1021876CF11FBF48C8A9DFB7A8AF55710F508562E518E3222FB34E255C3A6

Function 0018F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001C682C,00000004,00000000,00000000), ref: 0018F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,001C682C,00000004,00000000,00000000), ref: 001CF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001C682C,00000004,00000000,00000000), ref: 001CF454

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 88c86abce5570cc16f84f3a4e0df994ee19e98b7e96d0d1afa39250b4b0c167f
Instruction ID: a2d523dc94064c191dfc8f72436a656d624a173a442e30c030d1c2506bb03acd
Opcode Fuzzy Hash: 88c86abce5570cc16f84f3a4e0df994ee19e98b7e96d0d1afa39250b4b0c167f
Instruction Fuzzy Hash: D9413D30A14780FAC73DAB29D88CB2A7B96BB66318F15413CF04752561C735DA83CF11

Function 00202D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00202D1B
GetDC.USER32(00000000), ref: 00202D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00202D2E
ReleaseDC.USER32(00000000,00000000), ref: 00202D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00202D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00202D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00205A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00202DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00202DE1

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7ba4196578d69a5660e48475c3de4e37783e1dc98bc77c1e27b0bc114c5e8c5d
Instruction ID: 5719ed246c5534a850d5213df7745304750072da0a5e1002ff4135314544e25f
Opcode Fuzzy Hash: 7ba4196578d69a5660e48475c3de4e37783e1dc98bc77c1e27b0bc114c5e8c5d
Instruction Fuzzy Hash: FD3189B2211214BBEB258F50DC8AFEB3BADEB49711F144156FE089A2D2C6759C51CBA0

Function 001D5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001D5637
_memcmp.LIBVCRUNTIME ref: 001D5659
_memcmp.LIBVCRUNTIME ref: 001D5671
_memcmp.LIBVCRUNTIME ref: 001D5684
_memcmp.LIBVCRUNTIME ref: 001D569E
_memcmp.LIBVCRUNTIME ref: 001D56B1
_memcmp.LIBVCRUNTIME ref: 001D56C9
_memcmp.LIBVCRUNTIME ref: 001D56E4

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 82a67efa36f831834a9e48b05a36ef357dac99ed6d639cc023ead76cadfb74cb
Instruction ID: efe8a73c0ea42aeda3e57901c5192e32576b3d36dba8e4b209dd7fa60c43282d
Opcode Fuzzy Hash: 82a67efa36f831834a9e48b05a36ef357dac99ed6d639cc023ead76cadfb74cb
Instruction Fuzzy Hash: 3221AA71A84B09B7E71995108E82FFA336FBF21394F540023FD045AB82F720EE6085A5

Function 001F4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 001F5007
NULL Pointer assignment, xrefs: 001F502E, 001F5383

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6305f6867202cce376fa763ab8e2822a8658bed096a1009794d7c45cc75aadf9
Instruction ID: de6476db250fd5928f2bcc4351ec84afc2278a571bf802e8b570fef7c4f746e1
Opcode Fuzzy Hash: 6305f6867202cce376fa763ab8e2822a8658bed096a1009794d7c45cc75aadf9
Instruction Fuzzy Hash: D5D1A175A0060EAFDF14CF98C881BBEB7B6BF48344F158169EA15AB281D770ED41CB90

Function 001B1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001B17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001B15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001B1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001B17FB,?,001B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001B16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001B16FB

Part of subcall function 001A3820: RtlAllocateHeap.NTDLL(00000000,?,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6,?,00171129), ref: 001A3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001B1777
__freea.LIBCMT ref: 001B17A2
__freea.LIBCMT ref: 001B17AE

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d06a9e0ecd319b6d101817921c082a599d84dc71135e8e8239894eda8393a16a
Instruction ID: 7ee038fe738027bae469ffa3369ee4665b3eb5881b766da3a3ac1427e5266098
Opcode Fuzzy Hash: d06a9e0ecd319b6d101817921c082a599d84dc71135e8e8239894eda8393a16a
Instruction Fuzzy Hash: 1591D872E10216BEDF248FB4C861AEEBBB5AF4A310F9A0659F805E7141DB35DD40CB60

Function 001F4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001F4648
VariantInit.OLEAUT32(?), ref: 001F4749
VariantClear.OLEAUT32(?), ref: 001F4753
VariantClear.OLEAUT32(?), ref: 001F47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 001F45D8, 001F4706, 001F47BE
Incorrect Object type in FOR..IN loop, xrefs: 001F472C

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: b363455cb88382ef1c945d430b5d3fd80c377de72415bb9a9903498110ba0d7d
Instruction ID: 6e7cf2cb86629e8334e39ccf990d8ab0b461573f54b5428bfb99be1efbad7fa3
Opcode Fuzzy Hash: b363455cb88382ef1c945d430b5d3fd80c377de72415bb9a9903498110ba0d7d
Instruction Fuzzy Hash: FF918171A00219ABDF24DFA5D884FBFBBB8EF46714F108659F605AB281D7709941CFA0

Function 001E1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001E125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001E1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001E12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001E12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001E135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001E13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001E1430

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: fc6ae7f94ef664086eea2476200c22f1844242215b3476c98406f9a1f1e5dbcf
Instruction ID: 0f574e2656bade8fdfd1d281406de59404aa4acb5e5adc1b7261d3312ba22141
Opcode Fuzzy Hash: fc6ae7f94ef664086eea2476200c22f1844242215b3476c98406f9a1f1e5dbcf
Instruction Fuzzy Hash: 4391F572A00649AFDB01DFA5D884BFEB7B5FF55724F214029EA00EB292D774AD41CB90

Function 0018948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 52df6c5e1d9a4fc8945e26797e71396170142dcb5fd055686b4927090a6ada15
Instruction ID: 3e2d39698482431cf4b746be8403104f5351a144342d7348ac086429aa9d0549
Opcode Fuzzy Hash: 52df6c5e1d9a4fc8945e26797e71396170142dcb5fd055686b4927090a6ada15
Instruction Fuzzy Hash: 18911871D00219EFCB14DFA9C888AEEBBB9FF49320F28455AE515B7251D374AA41CF60

Function 001F3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001F396B
CharUpperBuffW.USER32(?,?), ref: 001F3A7A
_wcslen.LIBCMT ref: 001F3A8A
VariantClear.OLEAUT32(?), ref: 001F3C1F

Part of subcall function 001E0CDF: VariantInit.OLEAUT32(00000000), ref: 001E0D1F
Part of subcall function 001E0CDF: VariantCopy.OLEAUT32(?,?), ref: 001E0D28
Part of subcall function 001E0CDF: VariantClear.OLEAUT32(?), ref: 001E0D34

Strings

Incorrect Parameter format, xrefs: 001F39A6, 001F3BA1
AUTOIT.ERROR, xrefs: 001F3A80, 001F3A85

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: cc8c55e5d0da1172bc9f01c0076cb7a407df15fc949682c9ef3fcec14913afb5
Instruction ID: cdd7e4b7078e30b84cc5a0da135e9d0f77528fd6c95bed537e516ee9f64dfca6
Opcode Fuzzy Hash: cc8c55e5d0da1172bc9f01c0076cb7a407df15fc949682c9ef3fcec14913afb5
Instruction Fuzzy Hash: 489178746083099FCB04EF24C49196AB7E4FF98314F14892EF99A9B351DB31EE45CB92

Function 001F4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?,?,001D035E), ref: 001D002B
Part of subcall function 001D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?), ref: 001D0046
Part of subcall function 001D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?), ref: 001D0054
Part of subcall function 001D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?), ref: 001D0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001F4C51
_wcslen.LIBCMT ref: 001F4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001F4DCF
CoTaskMemFree.OLE32(?), ref: 001F4DDA

Strings

NULL Pointer assignment, xrefs: 001F4E23, 001F4E52

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 3f635093f4b32361b55a7f918ad3460ed119b41e3624cdf73bb6f43eadf0b5e7
Instruction ID: 9265d0c79887e73b2dc1808ad4871ed15890b42820fa0881d5723e45854ef96f
Opcode Fuzzy Hash: 3f635093f4b32361b55a7f918ad3460ed119b41e3624cdf73bb6f43eadf0b5e7
Instruction Fuzzy Hash: C9912871D0021DAFDF15DFA4D881AEEB7B8BF18314F10816AE919AB251EB349A44CF60

Function 002020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00202183
GetMenuItemCount.USER32(00000000), ref: 002021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002021DD
_wcslen.LIBCMT ref: 00202213
GetMenuItemID.USER32(?,?), ref: 0020224D
GetSubMenu.USER32(?,?), ref: 0020225B

Part of subcall function 001D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001D3A57
Part of subcall function 001D3A3D: GetCurrentThreadId.KERNEL32 ref: 001D3A5E
Part of subcall function 001D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001D25B3), ref: 001D3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002022E3

Part of subcall function 001DE97B: Sleep.KERNELBASE ref: 001DE9F3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 241ad24fea9490caf08bd63aa5c8e29331ee0108cfaa46cd49d50b3bde46d1a6
Instruction ID: 75634f17e94d5052e6b3e1f52da0ec8839bbe2b14c190ef8104e7d4618442e31
Opcode Fuzzy Hash: 241ad24fea9490caf08bd63aa5c8e29331ee0108cfaa46cd49d50b3bde46d1a6
Instruction Fuzzy Hash: 05717075A10305EFCB14DFA4C849AAEB7F5EF48310F14845AE81AEB382D774AE458B90

Function 00207E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00CB5C88), ref: 00207F37
IsWindowEnabled.USER32(00CB5C88), ref: 00207F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0020801E
SendMessageW.USER32(00CB5C88,000000B0,?,?), ref: 00208051
IsDlgButtonChecked.USER32(?,?), ref: 00208089
GetWindowLongW.USER32(00CB5C88,000000EC), ref: 002080AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002080C3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 94be410c8b13d487820ececd3352d17ec2bf7e509ce22af948273293965d703c
Instruction ID: 10946539d89d87339ff17abdd2b22df21bb672fd2f2617315d3d232212e5e186
Opcode Fuzzy Hash: 94be410c8b13d487820ececd3352d17ec2bf7e509ce22af948273293965d703c
Instruction Fuzzy Hash: 07719374918306AFEF259F54C888FAA7BB9EF59300F144459E945972D2CB31B865CB10

Function 001DAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001DAEF9
GetKeyboardState.USER32(?), ref: 001DAF0E
SetKeyboardState.USER32(?), ref: 001DAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001DAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001DAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001DAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001DB020

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9d81abe34fe08fc3ac2aa98da682fb15c15679beb5d2f9aff4bb35f923b77482
Instruction ID: f1df6970d18b585485ffcb2c7c79a066827b15b7da52802db04e36f68f44d7ad
Opcode Fuzzy Hash: 9d81abe34fe08fc3ac2aa98da682fb15c15679beb5d2f9aff4bb35f923b77482
Instruction Fuzzy Hash: 7151C1A16087D57DFB3683348885BBFBEA95F06304F08858AF1DA459C2C399ADC8D751

Function 001DACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001DAD19
GetKeyboardState.USER32(?), ref: 001DAD2E
SetKeyboardState.USER32(?), ref: 001DAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001DADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001DADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001DAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001DAE38

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1e508d7152749728964dc15e83748c47ad9c0d12c59ab123c0d4e749ebd317a9
Instruction ID: f0bc265958d987a7f72c43725fd55ab9eb5f844da26beb067a04516d116eee6a
Opcode Fuzzy Hash: 1e508d7152749728964dc15e83748c47ad9c0d12c59ab123c0d4e749ebd317a9
Instruction Fuzzy Hash: 255104A15087D53DFB36C3748C95B7ABFA95F46300F48858AE1D546AC3C394EC88E762

Function 001A542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(001B3CD6,?,?,?,?,?,?,?,?,001A5BA3,?,?,001B3CD6,?,?), ref: 001A5470
__fassign.LIBCMT ref: 001A54EB
__fassign.LIBCMT ref: 001A5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,001B3CD6,00000005,00000000,00000000), ref: 001A552C
WriteFile.KERNEL32(?,001B3CD6,00000000,001A5BA3,00000000,?,?,?,?,?,?,?,?,?,001A5BA3,?), ref: 001A554B
WriteFile.KERNEL32(?,?,00000001,001A5BA3,00000000,?,?,?,?,?,?,?,?,?,001A5BA3,?), ref: 001A5584

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: f5d40dbeec0bb8a00e2ea8e1d17e5a8b978946fb2888088496293532d1d245d0
Instruction ID: 77fd8e4a1b435cbcfaff8ff3f78035fa704ffde0c6fa13dec5975a47a750bae9
Opcode Fuzzy Hash: f5d40dbeec0bb8a00e2ea8e1d17e5a8b978946fb2888088496293532d1d245d0
Instruction Fuzzy Hash: 2A51A4B5D046499FDB10CFA8D885AEEBBFAEF0A300F14415AF955E7291D7309A41CB60

Function 00192D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00192D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00192D53
_ValidateLocalCookies.LIBCMT ref: 00192DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00192E0C
_ValidateLocalCookies.LIBCMT ref: 00192E61

Strings

csm, xrefs: 00192DF6

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c05c003296890805b4162a8d0afa1cc4f74f086cbb25feb2a38d3d438853c942
Instruction ID: f58b99823fd5b488740eb0d823ba48eb615ad1c9caaaeaf10e82859437dfc2b7
Opcode Fuzzy Hash: c05c003296890805b4162a8d0afa1cc4f74f086cbb25feb2a38d3d438853c942
Instruction Fuzzy Hash: 5A41CF34E01209BBCF14DFA8C885A9EBBF5BF55324F148155E814AB392D771AE12CBD0

Function 001F10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001F304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001F307A
Part of subcall function 001F304E: _wcslen.LIBCMT ref: 001F309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001F1112
WSAGetLastError.WSOCK32 ref: 001F1121
WSAGetLastError.WSOCK32 ref: 001F11C9
closesocket.WSOCK32(00000000), ref: 001F11F9

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 535ac60cb25e4ebb97e525d1d9ab4a4341178ab423ea30460bb27b9d670dbb34
Instruction ID: af2dd6e808040e3ec5942a1b5d78de3f8e14afbcead1d584c84c2c25c3d4fe62
Opcode Fuzzy Hash: 535ac60cb25e4ebb97e525d1d9ab4a4341178ab423ea30460bb27b9d670dbb34
Instruction Fuzzy Hash: A141D471604608EFDB109F24D888BB9B7E9EF45324F148159FE199B292C770AE41CBE1

Function 001DCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001DCF22,?), ref: 001DDDFD

Part of subcall function 001DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001DCF22,?), ref: 001DDE16

lstrcmpiW.KERNEL32(?,?), ref: 001DCF45
MoveFileW.KERNEL32(?,?), ref: 001DCF7F
_wcslen.LIBCMT ref: 001DD005
_wcslen.LIBCMT ref: 001DD01B
SHFileOperationW.SHELL32(?), ref: 001DD061

Strings

\*.*, xrefs: 001DCFF3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: fd5eebfc11b03fe388447335ed8360462d26c1f7a953895d89bbce3e8a7c3dd0
Instruction ID: 71c94d871f8da71699f100517b7902f7e985bca4ea84b8214f4aa1623203d956
Opcode Fuzzy Hash: fd5eebfc11b03fe388447335ed8360462d26c1f7a953895d89bbce3e8a7c3dd0
Instruction Fuzzy Hash: 2D4147B19452195FDF12EFA4DD81EDEB7B9AF18380F1004E7E509EB242EB34A648CB50

Function 00202DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00202E1C
GetWindowLongW.USER32(?,000000F0), ref: 00202E4F
GetWindowLongW.USER32(?,000000F0), ref: 00202E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00202EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00202EE0
GetWindowLongW.USER32(?,000000F0), ref: 00202EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00202F0B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2491752fd4cd4c59e4d1e10a86320669628f4022a24c8f64aa2b21689ea528ca
Instruction ID: e4b866644a65dae9e3552d9be54d118cb57c11a38a95f6ec6fbdb037f5d5ac04
Opcode Fuzzy Hash: 2491752fd4cd4c59e4d1e10a86320669628f4022a24c8f64aa2b21689ea528ca
Instruction Fuzzy Hash: DD310334694251EFDB218F58EC8CF6537A4EB8A750F240166FA049F2F3CB71B8A49B00

Function 001D7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001D7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001D778F
SysAllocString.OLEAUT32(00000000), ref: 001D7792
SysAllocString.OLEAUT32(?), ref: 001D77B0
SysFreeString.OLEAUT32(?), ref: 001D77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001D77DE
SysAllocString.OLEAUT32(?), ref: 001D77EC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 77b62f1479b2b9f06188a454f58aa6096310fc5ef900fe56ab200eb627aa7175
Instruction ID: d8eefecca421e024ee9d858062f314e217fbf866399d39303d83c26255a4d046
Opcode Fuzzy Hash: 77b62f1479b2b9f06188a454f58aa6096310fc5ef900fe56ab200eb627aa7175
Instruction Fuzzy Hash: F021B276604219AFDB10EFA8DC8CCBB73ACFB093647108526FA04DB291E770DC418B60

Function 001D77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001D7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001D7868
SysAllocString.OLEAUT32(00000000), ref: 001D786B
SysAllocString.OLEAUT32 ref: 001D788C
SysFreeString.OLEAUT32 ref: 001D7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001D78AF
SysAllocString.OLEAUT32(?), ref: 001D78BD

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3dad256267195f92e10a041e96767009fb318d72779eb2572967215752a09488
Instruction ID: 4f1274e517242a44edfa962aca949f52816cdff4ba271c53393357f47c7949de
Opcode Fuzzy Hash: 3dad256267195f92e10a041e96767009fb318d72779eb2572967215752a09488
Instruction Fuzzy Hash: 71214F75608204AFDB10AFA8DC8DDAA77ECFB097607118126F915CB2E1EB74DC41DB64

Function 001E04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001E04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001E052E

Strings

nul, xrefs: 001E0567

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 627d5ab0f9702b60c65d76385cc09a34b1d796bd9e6414f56e08fdee75a39eb3
Instruction ID: 97ff86203e82863111fc62f4295cff1b7a3a098632d3b857abc8ba214aca15dd
Opcode Fuzzy Hash: 627d5ab0f9702b60c65d76385cc09a34b1d796bd9e6414f56e08fdee75a39eb3
Instruction Fuzzy Hash: 7E2180B1500745AFDB219F2ADC08A9E77B4BF49724F244A19F8A1D62E0D7B0D980CF20

Function 001E05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001E05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001E0601

Strings

nul, xrefs: 001E0639

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2c76623f7d72858151ed54319085af684491d23c6dddd005b969745cdc46006b
Instruction ID: 3c98e56fe565d6e5e972642c8c673aad224d888197545d68bb7f3a42cbce4d4d
Opcode Fuzzy Hash: 2c76623f7d72858151ed54319085af684491d23c6dddd005b969745cdc46006b
Instruction Fuzzy Hash: 0A2171755007459FDB219F6A9C04B5E77E4BF9D720F244B19F8A1E72E0D7B098A1CB10

Function 002040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0017600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0017604C
Part of subcall function 0017600E: GetStockObject.GDI32(00000011), ref: 00176060
Part of subcall function 0017600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0017606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00204112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0020411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0020412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00204139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00204145

Strings

Msctls_Progress32, xrefs: 002040E3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 2c06360159c39fc9ec66640c465df212b016c4952eb18b49b5de2c169c94f767
Instruction ID: 82ff81d4511e04f955a88961e6eeb51b11b4d6f26eabce0e3179ef7cfe078592
Opcode Fuzzy Hash: 2c06360159c39fc9ec66640c465df212b016c4952eb18b49b5de2c169c94f767
Instruction Fuzzy Hash: 1011B6B215021DBEEF119F64CC85EE77F6DEF09798F008110B718A2091CB729C61DBA4

Function 001AD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001AD7A3: _free.LIBCMT ref: 001AD7CC

_free.LIBCMT ref: 001AD82D

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001AD838
_free.LIBCMT ref: 001AD843
_free.LIBCMT ref: 001AD897
_free.LIBCMT ref: 001AD8A2
_free.LIBCMT ref: 001AD8AD
_free.LIBCMT ref: 001AD8B8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: bc3552315721127901d1960116a5ab5cc1711b018583edef86f9b4f3b920ad34
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D3118E75540F14AAD621BFF0DC07FDB7BDCAF22B04F400825F29AA68A2DB34B5058662

Function 001DDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001DDA74
LoadStringW.USER32(00000000), ref: 001DDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001DDA91
LoadStringW.USER32(00000000), ref: 001DDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001DDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001DDAB9

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f927f779ae63dc0b50b2ac0f0a86c6dd097cf99b10d79406497dca1665307863
Instruction ID: 67e6c5f6196f1952bebde80e699116076d74412b47dc98b08e421a99db6c5e1f
Opcode Fuzzy Hash: f927f779ae63dc0b50b2ac0f0a86c6dd097cf99b10d79406497dca1665307863
Instruction Fuzzy Hash: F50186F69003087FE7109BA4ED8DEE7736CE708301F504592B706E2182E6749E844F74

Function 001E096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00CAEA80,00CAEA80), ref: 001E097B
EnterCriticalSection.KERNEL32(00CAEA60,00000000), ref: 001E098D
TerminateThread.KERNEL32(?,000001F6), ref: 001E099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001E09A9
CloseHandle.KERNEL32(?), ref: 001E09B8
InterlockedExchange.KERNEL32(00CAEA80,000001F6), ref: 001E09C8
LeaveCriticalSection.KERNEL32(00CAEA60), ref: 001E09CF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: fa885fa4c4ec4f4818b3338f43bdbf86a9b8c2152cc75bc0b49d65c88278df86
Instruction ID: 87c50a26374dfb13bcf15fcdc0df98ee0ad4c94bed0b9c291729dea9f88e9066
Opcode Fuzzy Hash: fa885fa4c4ec4f4818b3338f43bdbf86a9b8c2152cc75bc0b49d65c88278df86
Instruction Fuzzy Hash: FEF01D71442A02AFD7426F94EE8CADABA25BF05702F501225F10150CA2C7749465CF90

Function 001F1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001F1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001F1DE1
WSAGetLastError.WSOCK32 ref: 001F1DF2
htons.WSOCK32(?,?,?,?,?), ref: 001F1EDB
inet_ntoa.WSOCK32(?), ref: 001F1E8C

Part of subcall function 001D39E8: _strlen.LIBCMT ref: 001D39F2

Part of subcall function 001F3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001EEC0C), ref: 001F3240

_strlen.LIBCMT ref: 001F1F35

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 76cc8de2d68cdcfb6cc1958ff00524a24e01bdd8bc85ed6705ef160e4e6e1833
Instruction ID: bf0dc6627870ea319834b36c68b26a8ef672ec62ba980616f74537eb538cd69a
Opcode Fuzzy Hash: 76cc8de2d68cdcfb6cc1958ff00524a24e01bdd8bc85ed6705ef160e4e6e1833
Instruction Fuzzy Hash: EDB1BE31204344AFC324EF24C895E3A7BB5AF94318F54854CF55A5B2E2DB31EE46CB91

Function 00175D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00175D30
GetWindowRect.USER32(?,?), ref: 00175D71
ScreenToClient.USER32(?,?), ref: 00175D99
GetClientRect.USER32(?,?), ref: 00175ED7
GetWindowRect.USER32(?,?), ref: 00175EF8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ba1003d79357295755c0789bb44f16191a7bfcc9505703f99a3e60fe1a3c0936
Instruction ID: dd93a61fb3cb19723b7bd92c4542ead43ad6f68d904abca391d1dfb0eeaf9bd8
Opcode Fuzzy Hash: ba1003d79357295755c0789bb44f16191a7bfcc9505703f99a3e60fe1a3c0936
Instruction Fuzzy Hash: 0AB15774A00B4ADBDB14CFA9C4807EAB7F2FF48310F14C51AE8A9D7250DB70AA51DB54

Function 001A01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001A00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A00D6
__allrem.LIBCMT ref: 001A00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A010B
__allrem.LIBCMT ref: 001A0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A0140

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 2ed0f818a7eb7ace303a13b8604445a64100d64655ef190365d21577ca3f9a02
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: C981297AA00706AFEB259F78CC81BAB73E8AF56364F25413EF511D7281E770D9418B90

Function 001A61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001982D9,001982D9,?,?,?,001A644F,00000001,00000001,8BE85006), ref: 001A6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001A644F,00000001,00000001,8BE85006,?,?,?), ref: 001A62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001A63D8
__freea.LIBCMT ref: 001A63E5

Part of subcall function 001A3820: RtlAllocateHeap.NTDLL(00000000,?,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6,?,00171129), ref: 001A3852

__freea.LIBCMT ref: 001A63EE
__freea.LIBCMT ref: 001A6413

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4d8c489e9455caf975fd49b563c2c3ad17bc93470e26880ab406f476a6d51a55
Instruction ID: b1ef66a5d694b8c6d7ce361263cc32e7be0d75a458eda6cc87cee635af8243ab
Opcode Fuzzy Hash: 4d8c489e9455caf975fd49b563c2c3ad17bc93470e26880ab406f476a6d51a55
Instruction Fuzzy Hash: 6251D0B6A00216AFDF258F64DC81FAF77AAEF56710F194629FC09D6180EB34DC45C6A0

Function 001FBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FB6AE,?,?), ref: 001FC9B5
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FC9F1
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA68
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001FBD25
RegCloseKey.ADVAPI32(00000000), ref: 001FBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001FBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001FBDF3
RegCloseKey.ADVAPI32(?), ref: 001FBDFF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 47016934b49b66a358913f05ad09b757d86ad99977571a774cabacc7f8068d36
Instruction ID: 6d284029a8e13ce5a628f92366f0c980c9fa7ea03f062545eb9ee9ed2cd6051b
Opcode Fuzzy Hash: 47016934b49b66a358913f05ad09b757d86ad99977571a774cabacc7f8068d36
Instruction Fuzzy Hash: B0817970208245AFD714DF64C885E2ABBF5FF84348F14895CF6598B2A2DB32ED45CB92

Function 001CF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 001CF7B9
SysAllocString.OLEAUT32(00000001), ref: 001CF860
VariantCopy.OLEAUT32(001CFA64,00000000), ref: 001CF889
VariantClear.OLEAUT32(001CFA64), ref: 001CF8AD
VariantCopy.OLEAUT32(001CFA64,00000000), ref: 001CF8B1
VariantClear.OLEAUT32(?), ref: 001CF8BB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 22377deef739da5fd0c5b8493eeb3ac44e2ada12d67b11efd201ab969a1a90f1
Instruction ID: 4038b1eb70d4cc94d9dbe577e07f33080164d2b3a34669020f716aba7d3991de
Opcode Fuzzy Hash: 22377deef739da5fd0c5b8493eeb3ac44e2ada12d67b11efd201ab969a1a90f1
Instruction Fuzzy Hash: AB51C335600310ABCF14AB65D896F29B3A6AF65314B20946EF906DF292DB70CC46CB57

Function 001E910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00177620: _wcslen.LIBCMT ref: 00177625

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001E94E5
_wcslen.LIBCMT ref: 001E9506
_wcslen.LIBCMT ref: 001E952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001E9585

Strings

X, xrefs: 001E9412

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 2db4f3ac8d69a97eeb8981a11fadb7c8ab36c61348c1564b49b712eef9e19c20
Instruction ID: df87ed8c8395d93b93483e6e00f2c24f02cc08e86f01a5ffc31befd7f8d4435c
Opcode Fuzzy Hash: 2db4f3ac8d69a97eeb8981a11fadb7c8ab36c61348c1564b49b712eef9e19c20
Instruction Fuzzy Hash: 39E1BF315087809FD724EF25C881A6EB7F0BF95314F14896DF8999B2A2DB31ED05CB92

Function 0018920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

BeginPaint.USER32(?,?,?), ref: 00189241
GetWindowRect.USER32(?,?), ref: 001892A5
ScreenToClient.USER32(?,?), ref: 001892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001892D3
EndPaint.USER32(?,?,?,?,?), ref: 00189321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001C71EA

Part of subcall function 00189339: BeginPath.GDI32(00000000), ref: 00189357

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 579fcf9e746d93b2042b8693d941385b982a1e63dfe8d4df5b7474d20c4d310f
Instruction ID: 81772d2d2fba54dbe784f277a117db07384cc83c6d72600b2d30f1b5d06f2535
Opcode Fuzzy Hash: 579fcf9e746d93b2042b8693d941385b982a1e63dfe8d4df5b7474d20c4d310f
Instruction Fuzzy Hash: 7F41AC70104300AFD721EF24E888FBA7BB8EF56720F180629F9A4872E2C7719945DF61

Function 001E07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001E080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001E0847
EnterCriticalSection.KERNEL32(?), ref: 001E0863
LeaveCriticalSection.KERNEL32(?), ref: 001E08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001E08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001E0921

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 156244e4b2e572f49be80188dcac6239d0c8c8804a9ede944c6118825c2a6254
Instruction ID: 1fdb2dad87307bf54051f90f4701f0d2a4ac053c8db6f7592f2a2c193c510fc6
Opcode Fuzzy Hash: 156244e4b2e572f49be80188dcac6239d0c8c8804a9ede944c6118825c2a6254
Instruction Fuzzy Hash: 66416871900205EFDF15AF54EC85AAAB7B8FF48300F1440A9ED049A297DB70DEA5DBA0

Function 002081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001CF3AB,00000000,?,?,00000000,?,001C682C,00000004,00000000,00000000), ref: 0020824C
EnableWindow.USER32(?,00000000), ref: 00208272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002082D1
ShowWindow.USER32(?,00000004), ref: 002082E5
EnableWindow.USER32(?,00000001), ref: 0020830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0020832F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 9ca55f8f00ce2b60867b8b5c09d3f4082985fe48b6b71376e8d61b2c1ef0f40d
Instruction ID: f28161655317d821c90acce6a47a9c7888bb8820ef1ba93a9a795537cc67530e
Opcode Fuzzy Hash: 9ca55f8f00ce2b60867b8b5c09d3f4082985fe48b6b71376e8d61b2c1ef0f40d
Instruction Fuzzy Hash: 14418434601745AFDF25CF15D89DBA57BE0BB4A714F1842A9E9484F2F3CB31A861CB50

Function 001D4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001D4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001D4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001D4CEA
_wcslen.LIBCMT ref: 001D4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001D4D10
_wcsstr.LIBVCRUNTIME ref: 001D4D1A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: a4e7d66c97faa909573b13bf99ca031e788118aae5e2a25e44e3c48a9d23d27d
Instruction ID: 27a236f209721c90285862aca2d256e49e1e3413dd82742b1f7b9194e8f8694d
Opcode Fuzzy Hash: a4e7d66c97faa909573b13bf99ca031e788118aae5e2a25e44e3c48a9d23d27d
Instruction Fuzzy Hash: F0212672204200BBEB295B79EC49E7B7B9DDF95750F10812EF809CA292EF71CD4187A0

Function 001E581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00173AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00173A97,?,?,00172E7F,?,?,?,00000000), ref: 00173AC2

_wcslen.LIBCMT ref: 001E587B
CoInitialize.OLE32(00000000), ref: 001E5995
CoCreateInstance.OLE32(0020FCF8,00000000,00000001,0020FB68,?), ref: 001E59AE
CoUninitialize.OLE32 ref: 001E59CC

Strings

.lnk, xrefs: 001E5876, 001E58C1, 001E5985

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: eed2ab0f194eb289ef5e92920a2f8e52380d119d25751f0a2fff3cca8bb6331f
Instruction ID: ff3a1979db346eb29a6ee15c0eb47c387493b581596c700a506b22cc44187ed9
Opcode Fuzzy Hash: eed2ab0f194eb289ef5e92920a2f8e52380d119d25751f0a2fff3cca8bb6331f
Instruction Fuzzy Hash: 39D15370604B019FC714DF26C48496EBBF2EF99718F14885DF8899B262D731ED45CB92

Function 001D175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001D0FCA
Part of subcall function 001D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001D0FD6
Part of subcall function 001D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001D0FE5
Part of subcall function 001D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001D0FEC
Part of subcall function 001D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001D1002

GetLengthSid.ADVAPI32(?,00000000,001D1335), ref: 001D17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001D17BA
HeapAlloc.KERNEL32(00000000), ref: 001D17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001D17DA
GetProcessHeap.KERNEL32(00000000,00000000,001D1335), ref: 001D17EE
HeapFree.KERNEL32(00000000), ref: 001D17F5

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 605b58ac9bc4c2b4e3889ce4fc802e9f835cb6d7f1c9a6078372980ca84bd7a7
Instruction ID: c6de7b2e42d04cc36a0f60ddf33534420398586ce1ea892e8b190544545a5fa8
Opcode Fuzzy Hash: 605b58ac9bc4c2b4e3889ce4fc802e9f835cb6d7f1c9a6078372980ca84bd7a7
Instruction Fuzzy Hash: D711BE72600205FFDB109FA4DC49BAFBBB9FB45355F20422AF44597221C735A940CB60

Function 001D14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001D14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001D1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001D1515
CloseHandle.KERNEL32(00000004), ref: 001D1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001D154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001D1563

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bab024b6aa76a32528a311262f9226d16bcb6db35f46175203c6dff9619fa879
Instruction ID: 385aa66fb56972fcec9f2918bc0b49405cf3f75157c9580ab8563c1ffc1800bf
Opcode Fuzzy Hash: bab024b6aa76a32528a311262f9226d16bcb6db35f46175203c6dff9619fa879
Instruction Fuzzy Hash: 561167B250420DBBDF119FA8ED49FDE7BA9EF49704F148125FA05A21A0C376CE60DB60

Function 00193382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00193379,00192FE5), ref: 00193390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0019339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001933B7
SetLastError.KERNEL32(00000000,?,00193379,00192FE5), ref: 00193409

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 7cd0085a9329e607475af05c624d57a1fa5fd4574685103ced473b8cd866a4a4
Instruction ID: 6d7e691b71490f92b033e05a05577ceaa5dd0ebcd5eb7af1d245efe1462ca8f3
Opcode Fuzzy Hash: 7cd0085a9329e607475af05c624d57a1fa5fd4574685103ced473b8cd866a4a4
Instruction Fuzzy Hash: 3801DF3266D311BFEF2927B57D89A672AA4EB257797300329F830912F1EF114F025654

Function 001A2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001A5686,001B3CD6,?,00000000,?,001A5B6A,?,?,?,?,?,0019E6D1,?,00238A48), ref: 001A2D78
_free.LIBCMT ref: 001A2DAB
_free.LIBCMT ref: 001A2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0019E6D1,?,00238A48,00000010,00174F4A,?,?,00000000,001B3CD6), ref: 001A2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0019E6D1,?,00238A48,00000010,00174F4A,?,?,00000000,001B3CD6), ref: 001A2DEC
_abort.LIBCMT ref: 001A2DF2

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 96027c69258a3e4fddc1c478911fa57fd45d1d7606c328fc6a8ef358129a0f34
Instruction ID: a206bd179b7b03833c716b7e24936e6059a8133b12eb8ef74df3f6467ae15484
Opcode Fuzzy Hash: 96027c69258a3e4fddc1c478911fa57fd45d1d7606c328fc6a8ef358129a0f34
Instruction Fuzzy Hash: 3CF0C87D5056006BC22227BDBC0AF2B265AAFD37B1F350519F828D31D7EF3488025261

Function 00208A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00189639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00189693
Part of subcall function 00189639: SelectObject.GDI32(?,00000000), ref: 001896A2
Part of subcall function 00189639: BeginPath.GDI32(?), ref: 001896B9
Part of subcall function 00189639: SelectObject.GDI32(?,00000000), ref: 001896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00208A4E
LineTo.GDI32(?,00000003,00000000), ref: 00208A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00208A70
LineTo.GDI32(?,00000000,00000003), ref: 00208A80
EndPath.GDI32(?), ref: 00208A90
StrokePath.GDI32(?), ref: 00208AA0

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c7ca4eb3ea44383660ecc89ac0a42112e9d9370bbcdcdaefa56fc709a7aa9b48
Instruction ID: 52467a45c7e4016b1e9df27681e83caae43959fa8f1be4a72c093effe041a43b
Opcode Fuzzy Hash: c7ca4eb3ea44383660ecc89ac0a42112e9d9370bbcdcdaefa56fc709a7aa9b48
Instruction Fuzzy Hash: 45111EB600024DFFEF119F90EC88EAA7F6DEB04350F148111FA19951A1C7719D55DFA0

Function 001D51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001D5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001D5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D5230
ReleaseDC.USER32(00000000,00000000), ref: 001D5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001D524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001D5261

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e6962d204832bb77a5dba59e598bd2c18a6d0ba70c162b2e110c28e270c3b057
Instruction ID: 419c6aa9ce3e97b29ad8d954a5bd0a381bfeae5bda109f22aa14dc312c0ee413
Opcode Fuzzy Hash: e6962d204832bb77a5dba59e598bd2c18a6d0ba70c162b2e110c28e270c3b057
Instruction Fuzzy Hash: A6018FB5A00708BBEB109BA59C49F4EBFB9EB58751F144166FA04A7281D6709804CBA0

Function 00171BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00171BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00171BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00171C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00171C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00171C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00171C22

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: cec40cef614fd2d822a71f30893fa2c586ed7cbab612551ec9c94c3199a8d29e
Instruction ID: 0fa7cbcd10a937b749345293cc7eb401518ea9672fd79ab498ebaff1a23a0eaf
Opcode Fuzzy Hash: cec40cef614fd2d822a71f30893fa2c586ed7cbab612551ec9c94c3199a8d29e
Instruction Fuzzy Hash: 2A016CB09027597DE3008F5A8C85B52FFA8FF59354F00411B915C47942C7F5A864CBE5

Function 001DEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001DEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001DEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001DEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001DEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001DEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001DEB75

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1860760ecef667ed24707e93314c60c98afc2df7d3d33d4eef1fa85147af639a
Instruction ID: 6a5d92ca12229199dac031f4ac1153c81cdfd4f0ab91f3a64b2cbe6004059bad
Opcode Fuzzy Hash: 1860760ecef667ed24707e93314c60c98afc2df7d3d33d4eef1fa85147af639a
Instruction Fuzzy Hash: 3AF054B2140258BBE7316B52EC0DEEF7E7CEFCAB11F104259F601D1192D7A15A01C6B5

Function 001C7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 001C7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 001C7469
GetWindowDC.USER32(?), ref: 001C7475
GetPixel.GDI32(00000000,?,?), ref: 001C7484
ReleaseDC.USER32(?,00000000), ref: 001C7496
GetSysColor.USER32(00000005), ref: 001C74B0

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: adc77d7886a517bdded66f67e02f244b832d7aa07b12953bc1d0d148d1a1b88c
Instruction ID: 6e49135ae7c688160aa3f8b929647aa7e59366a00119c28ea23879051577997e
Opcode Fuzzy Hash: adc77d7886a517bdded66f67e02f244b832d7aa07b12953bc1d0d148d1a1b88c
Instruction Fuzzy Hash: F2018B71400205EFDB245F64EC0CFAA7FB9FB04321F610264FA15A21E2CB311E51AF10

Function 001D1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001D187F
UnloadUserProfile.USERENV(?,?), ref: 001D188B
CloseHandle.KERNEL32(?), ref: 001D1894
CloseHandle.KERNEL32(?), ref: 001D189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001D18A5
HeapFree.KERNEL32(00000000), ref: 001D18AC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 738510df06a826285d2e2f458165425e2dc521d75e2f1f2354fb6e02a329503c
Instruction ID: 44fff6088ad8aa84e6b11e7ca6bf62510f22556a442ba014c617a70f7ebc0dec
Opcode Fuzzy Hash: 738510df06a826285d2e2f458165425e2dc521d75e2f1f2354fb6e02a329503c
Instruction Fuzzy Hash: D3E075B6104605BBDB016FA5FD0C94AFF79FF49B22B608725F229814B2CB329461DF90

Function 0017BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0017BEB3

Strings

D%$, xrefs: 0017BCA2
D%$, xrefs: 0017BE9A
D%$D%$, xrefs: 0017BCA5
D%$, xrefs: 0017BDED, 0017BD91, 0017BD1B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%$$D%$$D%$$D%$D%$
API String ID: 1385522511-512792284
Opcode ID: 39ba8c707c93c60312a2d8c1a938b1cbf42bbf08477ef99b1ec5863918f63547
Instruction ID: 5df187be193021547343e73a3e470d86b3fb04bda4406150f4d0552f2816464a
Opcode Fuzzy Hash: 39ba8c707c93c60312a2d8c1a938b1cbf42bbf08477ef99b1ec5863918f63547
Instruction Fuzzy Hash: 8C914B75A0820ACFCB18CF99C0D06AAB7F1FF59314F65C169E949AB351D731E981CB90

Function 001DC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00177620: _wcslen.LIBCMT ref: 00177625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001DC6EE
_wcslen.LIBCMT ref: 001DC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001DC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001DC7CA

Strings

0, xrefs: 001DC6AF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 03abd7093bed7d9dcbb71c700c3996d95adc2c9a0e4b875aea5aeb5a1e12df2b
Instruction ID: 14c4a4a0f071960fb7c7c59f1af50ea78fad3c97d1b5063209f36388c1b65a28
Opcode Fuzzy Hash: 03abd7093bed7d9dcbb71c700c3996d95adc2c9a0e4b875aea5aeb5a1e12df2b
Instruction Fuzzy Hash: 9051AD726143029BD7149F28C885B6BB7E8AF99314F040E2EF995D23E1DB70D944CF92

Function 001FAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001FAEA3

Part of subcall function 00177620: _wcslen.LIBCMT ref: 00177625

GetProcessId.KERNEL32(00000000), ref: 001FAF38
CloseHandle.KERNEL32(00000000), ref: 001FAF67

Strings

<, xrefs: 001FAE6B
@, xrefs: 001FAE72

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ba384ee0ca22325fb065f80e374f2c5643ef1dcf7e49363aa2643664c8fb2d80
Instruction ID: 93759b5c381aa90ebdeddc1e1b402e0bfb426f0f07821404d1bcc7ee1b29bed2
Opcode Fuzzy Hash: ba384ee0ca22325fb065f80e374f2c5643ef1dcf7e49363aa2643664c8fb2d80
Instruction Fuzzy Hash: 79719DB0A00619DFCB14DF64D494AAEBBF0FF08314F548499E91AAB392C774ED45CB91

Function 001D719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001D7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001D723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001D724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001D72CF

Strings

DllGetClassObject, xrefs: 001D7242

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 988abeeb6be08cc69256a4fc1c80641d71ed6977ede1541ee5372bfb842be682
Instruction ID: b115d1ff99f1cf32e5174bd3a0c60e36f24ca30a9fd9301bc9e6fa0171f059a0
Opcode Fuzzy Hash: 988abeeb6be08cc69256a4fc1c80641d71ed6977ede1541ee5372bfb842be682
Instruction Fuzzy Hash: 104162B1604204EFDB15CF54C884A9A7BB9EF44310F2580AEBD059F38AE7B5DD45CBA0

Function 00203D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00203E35
IsMenu.USER32(?), ref: 00203E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00203E92
DrawMenuBar.USER32 ref: 00203EA5

Strings

0, xrefs: 00203D89

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: f53ee79a79dd41d63e8312e36c02797851d8cb886932b5aa5c1a375f584cd670
Instruction ID: 7f0bc25bdf22da8315679b069a5c9baa7b2cf1153f9896fb94ef18635ade758c
Opcode Fuzzy Hash: f53ee79a79dd41d63e8312e36c02797851d8cb886932b5aa5c1a375f584cd670
Instruction Fuzzy Hash: 49414C75A2130AEFDB10DF50D884AAABBB9FF49350F044219E905A7292D730AE64CF50

Function 001D1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001D1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001D1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 001D1EA9

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

Strings

ListBox, xrefs: 001D1E25
ComboBox, xrefs: 001D1DF0

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: a09b15ee88e931fc0a5155b2f877a107f5ec65f8afb9160419bd172fb94b9741
Instruction ID: 3f331feac00b79c85f759aa825e915da30b168927342cd26943f9110e4e6ad66
Opcode Fuzzy Hash: a09b15ee88e931fc0a5155b2f877a107f5ec65f8afb9160419bd172fb94b9741
Instruction Fuzzy Hash: 7D213B71A00104BEDB19AB64DC46CFFB7BDDF56354B14411AF825A72E1DB344A0A9620

Function 00202F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00202F8D
LoadLibraryW.KERNEL32(?), ref: 00202F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00202FA9
DestroyWindow.USER32(?), ref: 00202FB1

Strings

SysAnimate32, xrefs: 00202F68

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ecd8fcac9e2e2644ae564e03d3dd41827665338a7edb24b8edaf20cb534b8d0b
Instruction ID: 9c1e8d45e3f3b0a90b6b2795cc652c81fb1ea7b7a9859bff1a3cd803b67e2a30
Opcode Fuzzy Hash: ecd8fcac9e2e2644ae564e03d3dd41827665338a7edb24b8edaf20cb534b8d0b
Instruction Fuzzy Hash: CA21BE71220307EBEB114F649C8CEBB77BDEB593A4F20021AF910924D2C771DC659760

Function 00194D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00194D1E,001A28E9,?,00194CBE,001A28E9,002388B8,0000000C,00194E15,001A28E9,00000002), ref: 00194D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00194DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00194D1E,001A28E9,?,00194CBE,001A28E9,002388B8,0000000C,00194E15,001A28E9,00000002,00000000), ref: 00194DC3

Strings

mscoree.dll, xrefs: 00194D86
CorExitProcess, xrefs: 00194D98

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: db9ed0a44dc5bb1823e7676e592290227befbfed367f887e45dbd51dea988e9c
Instruction ID: 491d1a58c038f2c62e5af7c6bc53f1c1c6622a4beac5f7b78250ecc7eb545861
Opcode Fuzzy Hash: db9ed0a44dc5bb1823e7676e592290227befbfed367f887e45dbd51dea988e9c
Instruction Fuzzy Hash: 49F0AF34A00308BBDB159F90EC4DBEDBBF4EF14712F1001A4F809A22A1DB705A81CB90

Function 001CD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 001CD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001CD3BF
FreeLibrary.KERNEL32(00000000), ref: 001CD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 001CD3B9
X64, xrefs: 001CD2A8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: ff9f59bdcd40c97c4bf6b3f86150af4e17d1fee1899a601e1c57e494a5c125c6
Instruction ID: 1947794a5bb9aadfc985b9155e01bd339b509b5e1491cdbde746edb008b3e153
Opcode Fuzzy Hash: ff9f59bdcd40c97c4bf6b3f86150af4e17d1fee1899a601e1c57e494a5c125c6
Instruction Fuzzy Hash: 24F05CF18167609BC73917107C58F1AB714AF31701F7652BDF40AE1086CB20CD408B92

Function 00174E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00174EDD,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00174EAE
FreeLibrary.KERNEL32(00000000,?,?,00174EDD,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174EC0

Strings

kernel32.dll, xrefs: 00174E94
Wow64DisableWow64FsRedirection, xrefs: 00174EA8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1c9f536cc8a49b0c3ff47ba34f2ff043520e2454e39baafe6d99336bb495c36c
Instruction ID: fab88944054f157180b0b5c8f72aeb709cff5b8dcdd4831bbd72a9bff2e4e066
Opcode Fuzzy Hash: 1c9f536cc8a49b0c3ff47ba34f2ff043520e2454e39baafe6d99336bb495c36c
Instruction Fuzzy Hash: 97E086B6A017225BD22117257C1CA6BA564AF82B72B154215FC08D2142DF68CD0180B4

Function 00174E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001B3CDE,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00174E74
FreeLibrary.KERNEL32(00000000,?,?,001B3CDE,?,00241418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00174E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00174E6E
kernel32.dll, xrefs: 00174E5B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 59e5c0574e138e8e0f4be9ae6aa06dc40464d0d0ad2729eb5e840c5f63b9fcf3
Instruction ID: 223870cf0058988980583aa3501197b951c082540929de84d8fffb5f05779d5c
Opcode Fuzzy Hash: 59e5c0574e138e8e0f4be9ae6aa06dc40464d0d0ad2729eb5e840c5f63b9fcf3
Instruction Fuzzy Hash: 4AD0C27254272157E6221B247C0CD8BAA2CEF86B213154310B80CE2152CF68CE0182E0

Function 001E2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001E2C05
DeleteFileW.KERNEL32(?), ref: 001E2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001E2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001E2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001E2CC0

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: b2e55b47d52765245a109f39a26c65cb9b795395dca4b96b959e5d10695920e1
Instruction ID: 755e34c147926aacea587fa41d4b345523def305c3540e686eb247fc5fbf8716
Opcode Fuzzy Hash: b2e55b47d52765245a109f39a26c65cb9b795395dca4b96b959e5d10695920e1
Instruction Fuzzy Hash: 82B16DB2D00519ABDF25EBA5CC95EDEB7BDEF58340F1040A6FA09E7141EB309A448F61

Function 001FA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001FA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001FA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001FA468
CloseHandle.KERNEL32(?), ref: 001FA63D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f1207226162ed45adf9431686bf0cc768465c530d8549844613d337170a5585e
Instruction ID: db4ef4cacddd920a8c275b32243aa020153caae7a5bb721324694f12d869d4d9
Opcode Fuzzy Hash: f1207226162ed45adf9431686bf0cc768465c530d8549844613d337170a5585e
Instruction Fuzzy Hash: 0BA1B0B16043009FD720DF28D886F2AB7E5AF98714F54885CFA5A9B392D774ED418B82

Function 001ABB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00213700), ref: 001ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0024121C,000000FF,00000000,0000003F,00000000,?,?), ref: 001ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00241270,000000FF,?,0000003F,00000000,?), ref: 001ABC36
_free.LIBCMT ref: 001ABB7F

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001ABD4B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 9a566af5b74d2085a966ecb3e9da5d2746b72cbbbb47a4fa6a7610eb0d75ce31
Instruction ID: c8dec4de08db1209a2df12357a7e3ad8b8b36283446683f8179f77f1df832962
Opcode Fuzzy Hash: 9a566af5b74d2085a966ecb3e9da5d2746b72cbbbb47a4fa6a7610eb0d75ce31
Instruction Fuzzy Hash: 79510879908259AFCB14EF75ACC59AEB7B8FF53320B10026AE414D7197EB709E908B50

Function 001DE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001DCF22,?), ref: 001DDDFD

Part of subcall function 001DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001DCF22,?), ref: 001DDE16

Part of subcall function 001DE199: GetFileAttributesW.KERNEL32(?,001DCF95), ref: 001DE19A

lstrcmpiW.KERNEL32(?,?), ref: 001DE473
MoveFileW.KERNEL32(?,?), ref: 001DE4AC
_wcslen.LIBCMT ref: 001DE5EB
_wcslen.LIBCMT ref: 001DE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001DE650

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2594e69051f2a575a73757d3b9aea47db2029ef1e410f3330686d52db5ea703f
Instruction ID: 732c6807211f241c8838ef22ce9f2ed784369fac43fbdb31bf92063283c3e323
Opcode Fuzzy Hash: 2594e69051f2a575a73757d3b9aea47db2029ef1e410f3330686d52db5ea703f
Instruction Fuzzy Hash: 0E5160B24087859BCB24EB94DC819DFB3ECAF94341F00491FF589D7291EF74A6888766

Function 001FB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001FB6AE,?,?), ref: 001FC9B5
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FC9F1
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA68
Part of subcall function 001FC998: _wcslen.LIBCMT ref: 001FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001FBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001FBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001FBB63
RegCloseKey.ADVAPI32(?,?), ref: 001FBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001FBBB3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: fd51491637660f01c45d6b5e2734ac7572f71b29e8d90ee180121bba50ceb0d9
Instruction ID: 15e56a1cad4c3977ee80a5866c3a7c664a4fcfaae340fa11e2c35fba0615658c
Opcode Fuzzy Hash: fd51491637660f01c45d6b5e2734ac7572f71b29e8d90ee180121bba50ceb0d9
Instruction Fuzzy Hash: AA617B71208245AFD714DF14C8D1E2ABBE5FF84308F54899CF59A8B2A2DB31ED45CB92

Function 001D8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001D8BCD
VariantClear.OLEAUT32 ref: 001D8C3E
VariantClear.OLEAUT32 ref: 001D8C9D
VariantClear.OLEAUT32(?), ref: 001D8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001D8D3B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 1688480a8ade3d9f2222703655439fa91d2e5af70d7579112c6b1f55a8eb130c
Instruction ID: cf85b0f9811c027f15372921159a1ee56c4fc12a88738585fe12c2838660397b
Opcode Fuzzy Hash: 1688480a8ade3d9f2222703655439fa91d2e5af70d7579112c6b1f55a8eb130c
Instruction Fuzzy Hash: A9516AB5A00619EFCB14CF68D894AAAB7F9FF89310B15856AF905DB350E730E911CF90

Function 001E8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001E8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001E8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001E8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001E8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001E8C5F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 12b7ff5d999c7e339d118c7c047cdd3393f6970ca2fa21fb3b053d8c0f0543be
Instruction ID: cb0e36faf42541af961a959b050a343e285d2055b5b0dc43d9d9c680a6b4467e
Opcode Fuzzy Hash: 12b7ff5d999c7e339d118c7c047cdd3393f6970ca2fa21fb3b053d8c0f0543be
Instruction Fuzzy Hash: 89514935A006189FCB05DF65C881AADBBF5FF49314F18C058E849AB3A2CB31ED51CB90

Function 001F8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001F8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001F8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001F8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001F9032
FreeLibrary.KERNEL32(00000000), ref: 001F9052

Part of subcall function 0018F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001E1043,?,7529E610), ref: 0018F6E6
Part of subcall function 0018F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,001CFA64,00000000,00000000,?,?,001E1043,?,7529E610,?,001CFA64), ref: 0018F70D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3deb76ee1d2d8ee04b85b5706f7ab7ad9d78ade548e1165cc19ed6d0e84bcc42
Instruction ID: 0b965c802fa30f0be92df58a30b010719886b8b721e77ee416dfc0d8c4576991
Opcode Fuzzy Hash: 3deb76ee1d2d8ee04b85b5706f7ab7ad9d78ade548e1165cc19ed6d0e84bcc42
Instruction Fuzzy Hash: 5E515A34604209DFC715EF58C484DADBBF1FF59314B1981A8E90A9B362DB31ED86CB91

Function 00206B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00206C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00206C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00206C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001EAB79,00000000,00000000), ref: 00206C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00206CC7

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 825d5acdb52a5f27ae61855ace0b66632ef46aaf011af3b94f5b3d045a0c0367
Instruction ID: f4c06a5da7eff2f3bc77134aa09421023719dd78f22533b4e5da2b9a6958648a
Opcode Fuzzy Hash: 825d5acdb52a5f27ae61855ace0b66632ef46aaf011af3b94f5b3d045a0c0367
Instruction Fuzzy Hash: 2B41D775624305AFE724CF28CC5CFA97BA9EB09360F140229F895A72E2C771ED71CA40

Function 001A2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001A20C3
_free.LIBCMT ref: 001A20E3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 894ca64c1a8fb4a3add6864856b5a4772e5df854cc3711ff4fe8e8180b4d7d86
Instruction ID: 43700c362a8e0f442f8ce7f67d34a88b1977e377d7a72f16f5c035cdbceba2ca
Opcode Fuzzy Hash: 894ca64c1a8fb4a3add6864856b5a4772e5df854cc3711ff4fe8e8180b4d7d86
Instruction Fuzzy Hash: E441D37AA002009FCB24DF7CC981A5EB7F5EF9A714F254569E515EB352D731AD01CB80

Function 0018912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00189141
ScreenToClient.USER32(00000000,?), ref: 0018915E
GetAsyncKeyState.USER32(00000001), ref: 00189183
GetAsyncKeyState.USER32(00000002), ref: 0018919D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6bf9756eeb9874f2f9adad6508a23f04e62f8403fb1b88349281a1cbbaae1454
Instruction ID: 6cb6e44049075c474657ecd72cd316fad84f99d530bb8d46b77226e0eb319397
Opcode Fuzzy Hash: 6bf9756eeb9874f2f9adad6508a23f04e62f8403fb1b88349281a1cbbaae1454
Instruction Fuzzy Hash: 32415F71A0860AFBDF19AF64C848BFEB774FB15324F24421AE425A32D1C7709A54CF51

Function 001E3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001E38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001E3922
TranslateMessage.USER32(?), ref: 001E394B
DispatchMessageW.USER32(?), ref: 001E3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001E3966

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: cdbbf50527dfa202481a4d782fcad60062cd67afaafb922f3196463dcb077341
Instruction ID: 3012ce5b4ba70e119e504a2a188965995ad2048ee22efd34e96e0747ae6de3c7
Opcode Fuzzy Hash: cdbbf50527dfa202481a4d782fcad60062cd67afaafb922f3196463dcb077341
Instruction Fuzzy Hash: A131D974504BC19EEB39CB36EC4CFBA3BA8AB16308F540559E472931A2D3B49685CB21

Function 001ECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 001ECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001ECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001EC21E,00000000), ref: 001ECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001EC21E,00000000), ref: 001ECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001EC21E,00000000), ref: 001ECFF2

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 90c87be49bd6f65694cc1eb5fdd26a7a24ce6516e5b4172ee062b38f6f35fb66
Instruction ID: 4f37e0d58dea45d2c5ff1d73b899f1bac2eb30dba63e1eafb1adb25faeb81a66
Opcode Fuzzy Hash: 90c87be49bd6f65694cc1eb5fdd26a7a24ce6516e5b4172ee062b38f6f35fb66
Instruction Fuzzy Hash: 4E317FB1500B45EFDB24DFA6DC84AAFBBF9EF14311B10452EF506D2111D730AE429BA0

Function 001D1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001D1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001D19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001D19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001D19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001D19E2

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7d3879b19035d915aaf898245ce382d857bda0ed945ffefd123ce9138eddd6bf
Instruction ID: af4796eb0f5f8051c1b0dceba3fdbb45b2bb6ad598996c293a5be72c7650db4b
Opcode Fuzzy Hash: 7d3879b19035d915aaf898245ce382d857bda0ed945ffefd123ce9138eddd6bf
Instruction Fuzzy Hash: 55318F72900219FFCB18CFA8D9A9ADE7BB5EB44319F104326F925A72D1C7709954CB90

Function 00205706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00205745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0020579D
_wcslen.LIBCMT ref: 002057AF
_wcslen.LIBCMT ref: 002057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00205816

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 38a5964d0839b59fb45b3dc4d2cf8e46db57a2bf9a565d3e5861b82d0fa0c8a6
Instruction ID: e82ac8fded7e2d7c22f22e09eb20ef0e1f8ed48b3733aba16fc739bad73fcef3
Opcode Fuzzy Hash: 38a5964d0839b59fb45b3dc4d2cf8e46db57a2bf9a565d3e5861b82d0fa0c8a6
Instruction Fuzzy Hash: 8821A575924729AADF208F60DC84AEEB7BCFF44724F108216F919EA1D2D7B08995CF50

Function 001F0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001F0951
GetForegroundWindow.USER32 ref: 001F0968
GetDC.USER32(00000000), ref: 001F09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001F09B0
ReleaseDC.USER32(00000000,00000003), ref: 001F09E8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3a1d766aaea50812f0edc11db3a404767b8e6e84fa98048d82af809bd8db250e
Instruction ID: fc3abced1c927a3f46ba8d678b57d5861adfd65619a1cab5a841ef22055f7afd
Opcode Fuzzy Hash: 3a1d766aaea50812f0edc11db3a404767b8e6e84fa98048d82af809bd8db250e
Instruction Fuzzy Hash: C4216F75600204AFD714EF65D889AAEBBF9FF58704F148168F94A97362DB70AC04CB50

Function 001ACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001ACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001ACDE9

Part of subcall function 001A3820: RtlAllocateHeap.NTDLL(00000000,?,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6,?,00171129), ref: 001A3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001ACE0F
_free.LIBCMT ref: 001ACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001ACE31

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 798b454f87b7e52ef46ce4d4977192550e7d876bf91bd2d1a59b801e453ed50c
Instruction ID: d3ec915c6d7518b99539f949da7e6bd272910a38644868045c97366f736cffac
Opcode Fuzzy Hash: 798b454f87b7e52ef46ce4d4977192550e7d876bf91bd2d1a59b801e453ed50c
Instruction Fuzzy Hash: 740184BA6013157F672117BA6C8CD7BAD6DDEC7BA13250229F905D7201EB718D0181F0

Function 00189639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00189693
SelectObject.GDI32(?,00000000), ref: 001896A2
BeginPath.GDI32(?), ref: 001896B9
SelectObject.GDI32(?,00000000), ref: 001896E2

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 329cff5ceaf5cc3eadd2f6f55bb2169f027e5d07da225594347588a0c0f2fe88
Instruction ID: 1ef52101c3d945e352ffe81505a1e7b5a99d4fcfe164a7a2969aec8a477741ea
Opcode Fuzzy Hash: 329cff5ceaf5cc3eadd2f6f55bb2169f027e5d07da225594347588a0c0f2fe88
Instruction Fuzzy Hash: 75218E74802345EFDB11AF64FC0CBB97BA9BB12725F340216F424A61B1E3709AA1CF90

Function 001D5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001D5726
_memcmp.LIBVCRUNTIME ref: 001D5744
_memcmp.LIBVCRUNTIME ref: 001D5757
_memcmp.LIBVCRUNTIME ref: 001D576F
_memcmp.LIBVCRUNTIME ref: 001D5787

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5892c944cd209b3323653becf88b39031b8e71de3345934efeb6dd21112b93c7
Instruction ID: bb8a8f54ec190e54c1f28be7bc8a82acd7bc9a456f1eef8efd96ccd6ef8a9fae
Opcode Fuzzy Hash: 5892c944cd209b3323653becf88b39031b8e71de3345934efeb6dd21112b93c7
Instruction Fuzzy Hash: 48019B71681705FBE71855109E43FBA735EAB32364B504022FD145A782F761ED5086A0

Function 001A2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0019F2DE,001A3863,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6), ref: 001A2DFD
_free.LIBCMT ref: 001A2E32
_free.LIBCMT ref: 001A2E59
SetLastError.KERNEL32(00000000,00171129), ref: 001A2E66
SetLastError.KERNEL32(00000000,00171129), ref: 001A2E6F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3ff32a1e1dca6db2ff29c2656e243e4d863758f67b39ac2e2cf1bb0290e88519
Instruction ID: da50d59c88ed406db4baa3e7f580bb0dd12ce711584e0f450f94340be77bb022
Opcode Fuzzy Hash: 3ff32a1e1dca6db2ff29c2656e243e4d863758f67b39ac2e2cf1bb0290e88519
Instruction Fuzzy Hash: 6001F47E2056006BC626673D7C8AE2B2659ABE37B5B310129F425E2293EB70CC815120

Function 001D000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?,?,001D035E), ref: 001D002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?), ref: 001D0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?), ref: 001D0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?), ref: 001D0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001CFF41,80070057,?,?), ref: 001D0070

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 536366675e806ce1e734da4db604c83e68cc4e6fde6ef467febefe3e8d722ec9
Instruction ID: f85c77e49a51c4081da5a13b2b21f40d2e791b92cf58f832208f272f5fe3c803
Opcode Fuzzy Hash: 536366675e806ce1e734da4db604c83e68cc4e6fde6ef467febefe3e8d722ec9
Instruction Fuzzy Hash: 8F01A2B2600304BFDB124F68EC48BAA7AEDEF88792F248225F905D2311D771DD408BA0

Function 001D10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001D1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001D0B9B,?,?,?), ref: 001D1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001D114D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 155b4b75780201643746ab3a08a156a78054c58bb70839a9763252ca5fa7d2ac
Instruction ID: cd9374658278272204145603e6f0c55f7b82f1aec0f64b6ec1648c611b4f78ba
Opcode Fuzzy Hash: 155b4b75780201643746ab3a08a156a78054c58bb70839a9763252ca5fa7d2ac
Instruction Fuzzy Hash: FC0119B5200305BFEB114FA5EC4DA6A7B7EEF893A0B244529FA45D7361DB31DC009A60

Function 001D0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001D0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001D0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001D0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001D0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001D1002

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5132c324cad8f6c6607a9c0e96ba1ba3753fe7491847156c9168c2cc0c6b49ac
Instruction ID: 9c4f1cb45723103b25d78cae7843c87c9fbc8c116da60ca28a2d196d73855aac
Opcode Fuzzy Hash: 5132c324cad8f6c6607a9c0e96ba1ba3753fe7491847156c9168c2cc0c6b49ac
Instruction Fuzzy Hash: 87F04F75100311BBD7215FA4AC4DF563B6EEF89761F204515F949C6252CA70DC408A60

Function 001D1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001D102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001D1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001D104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D1062

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5856ea6562b7a17774536d8f949b2cabbbfa2ed4aaf6e7d44e2bc43f65f9aab7
Instruction ID: 10e99ecf48df94d954f501f11d984a376e8f8ab8ae51d80296e5cd2ba248782e
Opcode Fuzzy Hash: 5856ea6562b7a17774536d8f949b2cabbbfa2ed4aaf6e7d44e2bc43f65f9aab7
Instruction Fuzzy Hash: 6AF049B5200311BBDB216FA4EC4DF563BAEEF89761F200925FA49C6251CA70D840CA60

Function 001E030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E0324
CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E0331
CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E033E
CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E034B
CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E0358
CloseHandle.KERNEL32(?,?,?,?,001E017D,?,001E32FC,?,00000001,001B2592,?), ref: 001E0365

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 06864dc026a28589bd25e5e07b9f6df09ec317b73748cc18a34afb4a7960d835
Instruction ID: 9a5a32c8ec7d2161a20ae3aa5b46b216bf29dc31d2210fd9c64307a75e287cf5
Opcode Fuzzy Hash: 06864dc026a28589bd25e5e07b9f6df09ec317b73748cc18a34afb4a7960d835
Instruction Fuzzy Hash: E401AE72800F559FCB31AF66D88081AFBF9BF643153158A3FD19652931C3B1A998CF80

Function 001AD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001AD752

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001AD764
_free.LIBCMT ref: 001AD776
_free.LIBCMT ref: 001AD788
_free.LIBCMT ref: 001AD79A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7a4288517705ab728f933b9fd8d5a6f5d461c9bccdcc4e3898b5bc4d468dd3f0
Instruction ID: 35b480dbfb48140844abe37887928b6f3462998cebc4f5fc695b586340f697c5
Opcode Fuzzy Hash: 7a4288517705ab728f933b9fd8d5a6f5d461c9bccdcc4e3898b5bc4d468dd3f0
Instruction Fuzzy Hash: 76F0963A504718AFC665EBA8F9C6C2B77DDBB06718BA50C05F049E7911C730FC808761

Function 001D5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001D5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 001D5C6F
MessageBeep.USER32(00000000), ref: 001D5C87
KillTimer.USER32(?,0000040A), ref: 001D5CA3
EndDialog.USER32(?,00000001), ref: 001D5CBD

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9ac6fd742698fb3c380abeb838e2801fd45dbaf4b7efbcd0121b630ed4383b11
Instruction ID: 9df9c09801d843d91ec8d66f3cd15b29a56b8b1a53e547b6ae7f38705e4135cf
Opcode Fuzzy Hash: 9ac6fd742698fb3c380abeb838e2801fd45dbaf4b7efbcd0121b630ed4383b11
Instruction Fuzzy Hash: C101A470510B04ABEB345B10ED4EFA67BBDBF00B45F14066AB583A11E2DBF5AD84CB90

Function 001A22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001A22BE

Part of subcall function 001A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000), ref: 001A29DE
Part of subcall function 001A29C8: GetLastError.KERNEL32(00000000,?,001AD7D1,00000000,00000000,00000000,00000000,?,001AD7F8,00000000,00000007,00000000,?,001ADBF5,00000000,00000000), ref: 001A29F0

_free.LIBCMT ref: 001A22D0
_free.LIBCMT ref: 001A22E3
_free.LIBCMT ref: 001A22F4
_free.LIBCMT ref: 001A2305

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4b4fc8da910c3df8a91b701aa4fe2d6046d9218466ff4e0340ef873c249bfb75
Instruction ID: 379558d008bed8324a2cf8d62ff391c39e7183e55c600a4e55b09adf0d06baa1
Opcode Fuzzy Hash: 4b4fc8da910c3df8a91b701aa4fe2d6046d9218466ff4e0340ef873c249bfb75
Instruction Fuzzy Hash: 2FF03ABC8002308FC752AF68BC498293B64B72BB61B11051BF914E32B1CB3009A1AFE5

Function 001895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001895D4
StrokeAndFillPath.GDI32(?,?,001C71F7,00000000,?,?,?), ref: 001895F0
SelectObject.GDI32(?,00000000), ref: 00189603
DeleteObject.GDI32 ref: 00189616
StrokePath.GDI32(?), ref: 00189631

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 194bb0aff0e9099329efc971000290b13c65c5956d11d17d9f29f9e68be8d1e4
Instruction ID: 51a1b1e3b11e32fcde21cd75c4211f9e3ee1dbd753b49afa1afc1a407ce5ac2f
Opcode Fuzzy Hash: 194bb0aff0e9099329efc971000290b13c65c5956d11d17d9f29f9e68be8d1e4
Instruction Fuzzy Hash: A4F03738006348EBDB266F69FD1CB743B61AB02722F288314F429550F1D7308AA5DF20

Function 001A0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001A10F9
__freea.LIBCMT ref: 001A1117

Part of subcall function 001A1537: _free.LIBCMT ref: 001A154F

Strings

am/pm, xrefs: 001A117A
a/p, xrefs: 001A11DE

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 0bfd702a6985a4156dd96875b2066c4f7e10cffce450df620e394e233b5c1fb1
Instruction ID: e894adc5ab1dc1dce51a54a39450a857c4054ad140769b4186a9dbf11a80f9c7
Opcode Fuzzy Hash: 0bfd702a6985a4156dd96875b2066c4f7e10cffce450df620e394e233b5c1fb1
Instruction Fuzzy Hash: AED10F3D900206FACF289F68C995BFAB7B5FF17320F29415AE901AB650D3759D80CB91

Function 001F61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00190242: EnterCriticalSection.KERNEL32(0024070C,00241884,?,?,0018198B,00242518,?,?,?,001712F9,00000000), ref: 0019024D
Part of subcall function 00190242: LeaveCriticalSection.KERNEL32(0024070C,?,0018198B,00242518,?,?,?,001712F9,00000000), ref: 0019028A

Part of subcall function 001900A3: __onexit.LIBCMT ref: 001900A9

__Init_thread_footer.LIBCMT ref: 001F6238

Part of subcall function 001901F8: EnterCriticalSection.KERNEL32(0024070C,?,?,00188747,00242514), ref: 00190202
Part of subcall function 001901F8: LeaveCriticalSection.KERNEL32(0024070C,?,00188747,00242514), ref: 00190235

Part of subcall function 001E359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001E35E4
Part of subcall function 001E359C: LoadStringW.USER32(00242390,?,00000FFF,?), ref: 001E360A

Strings

x#$, xrefs: 001F636F
x#$, xrefs: 001F633A
x#$, xrefs: 001F6353

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#$$x#$$x#$
API String ID: 1072379062-3033266091
Opcode ID: 770832ee50f42e3e842449bca7a413fff05803f28e63aa30c005511828e8c278
Instruction ID: da53a651291ddf624dd6f20e3b7b35c4d254354195917c5e3433cfd9a432772e
Opcode Fuzzy Hash: 770832ee50f42e3e842449bca7a413fff05803f28e63aa30c005511828e8c278
Instruction Fuzzy Hash: B0C18071A00109AFCB14EF98C895EBEB7B9FF59340F148069FA15AB291DB70ED45CB90

Function 001F7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00190242: EnterCriticalSection.KERNEL32(0024070C,00241884,?,?,0018198B,00242518,?,?,?,001712F9,00000000), ref: 0019024D
Part of subcall function 00190242: LeaveCriticalSection.KERNEL32(0024070C,?,0018198B,00242518,?,?,?,001712F9,00000000), ref: 0019028A

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001900A3: __onexit.LIBCMT ref: 001900A9

__Init_thread_footer.LIBCMT ref: 001F7BFB

Part of subcall function 001901F8: EnterCriticalSection.KERNEL32(0024070C,?,?,00188747,00242514), ref: 00190202
Part of subcall function 001901F8: LeaveCriticalSection.KERNEL32(0024070C,?,00188747,00242514), ref: 00190235

Strings

5, xrefs: 001F7C78
G, xrefs: 001F7C7F
Variable must be of type 'Object'., xrefs: 001F7C3A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 6002c5009586b63afdaabc20c7e349e6ac08767461e3ac0e93b921fe6f7c828a
Instruction ID: 7845fbdd2d8213600794822faf9a519870ebe5c2cbfc5368aba71c979da472ad
Opcode Fuzzy Hash: 6002c5009586b63afdaabc20c7e349e6ac08767461e3ac0e93b921fe6f7c828a
Instruction Fuzzy Hash: CD919B70A04209EFCB05EF94D891DBDB7B2FF59300F548059FA069B292DB71AE45CB51

Function 001D2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001D21D0,?,?,00000034,00000800,?,00000034), ref: 001DB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001D2760

Part of subcall function 001DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001DB3F8

Part of subcall function 001DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001DB355
Part of subcall function 001DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001D2194,00000034,?,?,00001004,00000000,00000000), ref: 001DB365
Part of subcall function 001DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001D2194,00000034,?,?,00001004,00000000,00000000), ref: 001DB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001D27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001D281A

Strings

@, xrefs: 001D2832

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9183785e672733e560eaed7b8c1467453e64fd5a0d0379bf70756e5fa7ef4b50
Instruction ID: 7ec09df98a0077bac963a6a4e42ad1ca371c14c6b860c56906d573109a8127ab
Opcode Fuzzy Hash: 9183785e672733e560eaed7b8c1467453e64fd5a0d0379bf70756e5fa7ef4b50
Instruction Fuzzy Hash: F4413C72900218BFDB10DBA4CD85EEEBBB8EF59300F104056FA55B7281DB716E45DBA0

Function 001A172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 001A1769
_free.LIBCMT ref: 001A1834
_free.LIBCMT ref: 001A183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 001A1760, 001A1767, 001A1796, 001A17CE

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: e132086fd1ab14174a7d1536c6d5256401cc3f0c15a1045251361bfb2aa391e9
Instruction ID: 476e6273210456d25d2060d029ef566e62354f587a8a6db2132f20909fab9ee5
Opcode Fuzzy Hash: e132086fd1ab14174a7d1536c6d5256401cc3f0c15a1045251361bfb2aa391e9
Instruction Fuzzy Hash: 7D316E79A44218BFDB21DB999885D9EBBFCEB96310F14416AF905D7211D7B08E80CB90

Function 001DC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001DC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001DC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00241990,00CB5EE0), ref: 001DC395

Strings

0, xrefs: 001DC2DF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: bdfc3cd3d185d74b460c2eae44ffdfff15ef8be152c2d44485428436a7065eb1
Instruction ID: 0844ea3bca38536ebb474f5496c95625f5ccad0464663e68bd27280e9ef9a375
Opcode Fuzzy Hash: bdfc3cd3d185d74b460c2eae44ffdfff15ef8be152c2d44485428436a7065eb1
Instruction Fuzzy Hash: C641A271204342AFDB24DF29D884B5ABBE4BF95310F148A1EF9A5973D1D770E904CBA2

Function 00204416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0020CC08,00000000,?,?,?,?), ref: 002044AA
GetWindowLongW.USER32 ref: 002044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002044D7

Strings

SysTreeView32, xrefs: 0020447C

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: bcdc9a10e065eb04961c380e8e860967a08e35fe8140075fe7c70ac6d7e9892a
Instruction ID: cd176c47808af3e1b016b77b8afac58d52863d541e072d2e4d12f963122a1d4b
Opcode Fuzzy Hash: bcdc9a10e065eb04961c380e8e860967a08e35fe8140075fe7c70ac6d7e9892a
Instruction Fuzzy Hash: 813183B1120706AFDB20AF34DC45BDA7BA9EB55334F208715FA75921D2D770EC609B50

Function 001F304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001F3077,?,?), ref: 001F3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001F307A
_wcslen.LIBCMT ref: 001F309B
htons.WSOCK32(00000000,?,?,00000000), ref: 001F3106

Strings

255.255.255.255, xrefs: 001F3095, 001F309A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ed459802898cafc384d9df7090987fb9a1be16b2fed99d21aecb1c193797d95e
Instruction ID: 6d85f1c0e80c27677660ed8fad627401f07d7278bf3a249afdd681db74d83e1b
Opcode Fuzzy Hash: ed459802898cafc384d9df7090987fb9a1be16b2fed99d21aecb1c193797d95e
Instruction Fuzzy Hash: 7731D3756042099FCB20CF28C485EBA77F0EF54318F25C15AEA258B392DB72EE45C761

Function 00203EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00203F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00203F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00203F78

Strings

SysMonthCal32, xrefs: 00203F0B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 56b2274f80cbb007e83534aaf04b6bcb23e385eb9244c2ece293e43a33a54d5b
Instruction ID: 1e739cd9207cfbd5cff5f0c677b114415cc3ad9316750ed36b741ee7438beb13
Opcode Fuzzy Hash: 56b2274f80cbb007e83534aaf04b6bcb23e385eb9244c2ece293e43a33a54d5b
Instruction Fuzzy Hash: D521BF3261021ABBDF25CF50DC4AFEA3B79EF48714F110214FA196B1D1DAB1A860CB90

Function 00204653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00204705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00204713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0020471A

Strings

msctls_updown32, xrefs: 00204684

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6bdb72744cbea2469787da32f7f8ed93dcd2a3fe6707c345e0175557b8ebb983
Instruction ID: 1100baf9efba3e9503d8cdde2346c95cb056f34a6841ce00772f52aa2889a167
Opcode Fuzzy Hash: 6bdb72744cbea2469787da32f7f8ed93dcd2a3fe6707c345e0175557b8ebb983
Instruction Fuzzy Hash: 5E2192F5610209AFDB10EF68DCD5DA777ADEF5A354B004049FA009B2A2CB31EC61CA60

Function 001D95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D961D

Strings

#requireadmin, xrefs: 001D95D9
#OnAutoItStartRegister, xrefs: 001D95F3
#notrayicon, xrefs: 001D95B7

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 1ec13f829cdd0a7179c18943ca21dad0133d6bfc6b6472897d0775e31d24c4e0
Instruction ID: a21871c8ed262d8a7ee012a4a53408de1ad33966d9e19b27c02298c3203fa209
Opcode Fuzzy Hash: 1ec13f829cdd0a7179c18943ca21dad0133d6bfc6b6472897d0775e31d24c4e0
Instruction Fuzzy Hash: F9216D3220461166D731BB28DC02FB773E89F65310F104037F94997282EB55ED52C3D5

Function 002037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00203840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00203850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00203876

Strings

Listbox, xrefs: 0020380F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ecfb6b15162e41e88fe5f2691ec4a7e38479a49caa9e4565ede6eb53671e7df7
Instruction ID: 6f8298afc9877f8bce40a894ee17a388e179a754759fcdade560a089b7b3b223
Opcode Fuzzy Hash: ecfb6b15162e41e88fe5f2691ec4a7e38479a49caa9e4565ede6eb53671e7df7
Instruction Fuzzy Hash: C0218072620219BBEF21CF54DC45EAB776EEF89750F108114F9449B1E1CA71DC628BA0

Function 001E49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001E4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001E4A5C
SetErrorMode.KERNEL32(00000000,?,?,0020CC08), ref: 001E4AD0

Strings

%lu, xrefs: 001E4A6F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d61241d82f993f3c0591536aae46b2b6cb9a9fffc226a72eb6a2d778d87831b0
Instruction ID: 1c0ad0f489044d9585b89409a32cd06acbcaaac0178b623f16aab016f5aff85f
Opcode Fuzzy Hash: d61241d82f993f3c0591536aae46b2b6cb9a9fffc226a72eb6a2d778d87831b0
Instruction Fuzzy Hash: D0315175A00209AFDB10DF54C885EAEBBF8EF49318F1480A9F909DB252D771EE45CB61

Function 002041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0020424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00204264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00204271

Strings

msctls_trackbar32, xrefs: 00204226

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 183c212d48b50226488bb70435770d5968c8ebfefa9b152a1c27c8feafb1a089
Instruction ID: c8668b13502f4975be88a84ed0c0ed9a6138d494f5182f6eadb0bb87ba808f73
Opcode Fuzzy Hash: 183c212d48b50226488bb70435770d5968c8ebfefa9b152a1c27c8feafb1a089
Instruction Fuzzy Hash: 7D11E3B1350309BEEF206F28CC06FAB7BACEF95B54F114114FA55E20D1D671D8619B10

Function 001D2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

Part of subcall function 001D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001D2DC5
Part of subcall function 001D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001D2DD6
Part of subcall function 001D2DA7: GetCurrentThreadId.KERNEL32 ref: 001D2DDD
Part of subcall function 001D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001D2DE4

GetFocus.USER32 ref: 001D2F78

Part of subcall function 001D2DEE: GetParent.USER32(00000000), ref: 001D2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001D2FC3
EnumChildWindows.USER32(?,001D303B), ref: 001D2FEB

Strings

%s%d, xrefs: 001D2FFF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 96d946abb62b1ba3ee92e531705faa447f3463643de6cf7b897167d6289a1476
Instruction ID: c41e3894c546b6e6e4fe6fd0811d82de40ef4dbb9c4450c3e857935166cab559
Opcode Fuzzy Hash: 96d946abb62b1ba3ee92e531705faa447f3463643de6cf7b897167d6289a1476
Instruction Fuzzy Hash: 8911E4B53002056BCF147FB09C85EEE376AAFA4304F148076F9199B293DF319A098B60

Function 00205882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002058EE
DrawMenuBar.USER32(?), ref: 002058FD

Strings

0, xrefs: 0020588F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 14c020c61ddc80c6f3aec5b73d7c722dbbfac168be175ef252adb70d3aa47be7
Instruction ID: b59d4297bcab8ad7cb389c1c76fa4e62913349d8aa99c45488ea91757099cfc5
Opcode Fuzzy Hash: 14c020c61ddc80c6f3aec5b73d7c722dbbfac168be175ef252adb70d3aa47be7
Instruction Fuzzy Hash: F4018B71510328EFDB209F11EC48BAFBBB4FF45361F108099E848D6192DB708AA0DF60

Function 001D007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafd8248ce85e95692c4f3b92387582b180e3bd4235fd584be4f6e1fc215f1a0
Instruction ID: 9514c2b0facc528afb202ceaed74762d7cc666dd8cdc1571ebc895b7e4411b83
Opcode Fuzzy Hash: dafd8248ce85e95692c4f3b92387582b180e3bd4235fd584be4f6e1fc215f1a0
Instruction Fuzzy Hash: EEC13875A0020AEFDB15CFA8C898BAEB7B5FF48704F218599E505EB251D731EE41CB90

Function 001A3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001A3F0B
__alldvrm.LIBCMT ref: 001A410C
__alldvrm.LIBCMT ref: 001A412E

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: a82ee927ff3d939906a61d1033e8bb7e53f6ffeb693c566b141ce365873466f3
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: EFA1787AD103869FEB26CF18C8917AEBBE4EFA3350F18416DF5958B281C3B49981C751

Function 001F342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001F3459
CoUninitialize.OLE32 ref: 001F3463
VariantInit.OLEAUT32(?), ref: 001F346E
VariantClear.OLEAUT32(?), ref: 001F371B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 11962d41d0c0447fcaed04a8161240ead5cce16135b5646761cc093705491f2d
Instruction ID: 1a3bb45613d510b8532eb367ed7aa463007669aebeb9e83bdbfdd229ed8e1b45
Opcode Fuzzy Hash: 11962d41d0c0447fcaed04a8161240ead5cce16135b5646761cc093705491f2d
Instruction Fuzzy Hash: D7A13A756043049FC700EF28C485A2AB7E5FF98714F148959F99A9B3A2DB30EE01CB91

Function 001D0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0020FC08,?), ref: 001D05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0020FC08,?), ref: 001D0608
CLSIDFromProgID.OLE32(?,?,00000000,0020CC40,000000FF,?,00000000,00000800,00000000,?,0020FC08,?), ref: 001D062D
_memcmp.LIBVCRUNTIME ref: 001D064E

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 43b5fafff00a363a7279f327d12508e2f7b2d621dc329ed19fd5d878d9e04451
Instruction ID: baae43040a7be9c598a8de86acb18296139ee6c01d9d01eb39316754492454b3
Opcode Fuzzy Hash: 43b5fafff00a363a7279f327d12508e2f7b2d621dc329ed19fd5d878d9e04451
Instruction Fuzzy Hash: C3810C71A00209EFCB05DF94C988EEEB7B9FF89315F204559E506AB250DB71AE46CF60

Function 001B1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001B14C0

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 159b63547a37c49ec5c973ea0eb70f1ac2e0d7daed64883d5d5f9d7ffefe91de
Instruction ID: 735540039f23eeecd146a7ccd3686867aab691767b7836cd268a948bf0c2f556
Opcode Fuzzy Hash: 159b63547a37c49ec5c973ea0eb70f1ac2e0d7daed64883d5d5f9d7ffefe91de
Instruction Fuzzy Hash: 13416A35A00100BBDF256BFD9C56BFE3AA4EF66370F660265F818D3192EB3489419262

Function 00206278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002062E2
ScreenToClient.USER32(?,?), ref: 00206315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00206382

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 617fd5f1c83c84ed1dfd415f5e22323571a0fc052b7da622756f47a03faf80b3
Instruction ID: 3032de3d15c336de79ddebf7e72f7c71b3d1c71e903071da046ba763a169b309
Opcode Fuzzy Hash: 617fd5f1c83c84ed1dfd415f5e22323571a0fc052b7da622756f47a03faf80b3
Instruction Fuzzy Hash: 0E512C7491020AEFDB24DF54D888AAE7BB5EF45760F108299F8159B2E1D730EDA1CB90

Function 001F1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001F1AFD
WSAGetLastError.WSOCK32 ref: 001F1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001F1B8A
WSAGetLastError.WSOCK32 ref: 001F1B94

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 987b654c8259dd4b7d62533b4fbc3bbaa51fe8ab37a9913b6c51323e6de69deb
Instruction ID: ff5285d351581de154640cbbafe752f050c99a593a7d718dfde20d20b18719db
Opcode Fuzzy Hash: 987b654c8259dd4b7d62533b4fbc3bbaa51fe8ab37a9913b6c51323e6de69deb
Instruction Fuzzy Hash: 1A41BE74640204AFE721AF24D88AF2A77E5AB58718F54C44CFA1A9F2D3D772ED418B90

Function 001AB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb79d25af7a41135671835c7a530ffed3a8fdf2e1cd50685d791f9a237dac61b
Instruction ID: cd15d17beda1851ee6dfa787ff49168be56e4e30ff805543661338c435882194
Opcode Fuzzy Hash: fb79d25af7a41135671835c7a530ffed3a8fdf2e1cd50685d791f9a237dac61b
Instruction Fuzzy Hash: 7641177AA04344BFD7259F78CC81BAABBE9EB99710F10452EF542DB283D771E9018780

Function 001E56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001E5783
GetLastError.KERNEL32(?,00000000), ref: 001E57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001E57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001E57FA

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 80a9e2601865806dc2417d4d9eeb474779db8f538347e4f5dff4b2b8e61ba147
Instruction ID: 0bb03e951fd983133555786a91e95a5ade475911cf812ff3810736057848a6a4
Opcode Fuzzy Hash: 80a9e2601865806dc2417d4d9eeb474779db8f538347e4f5dff4b2b8e61ba147
Instruction Fuzzy Hash: 7441FD39600A10DFCB11EF15D585A5DBBF2EF99724B19C488E84A5B3A2CB34FD41CB91

Function 001AD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00196D71,00000000,00000000,001982D9,?,001982D9,?,00000001,00196D71,8BE85006,00000001,001982D9,001982D9), ref: 001AD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001AD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001AD9AB
__freea.LIBCMT ref: 001AD9B4

Part of subcall function 001A3820: RtlAllocateHeap.NTDLL(00000000,?,00241444,?,0018FDF5,?,?,0017A976,00000010,00241440,001713FC,?,001713C6,?,00171129), ref: 001A3852

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2382055b1f3cd62ae11e0b212c802121dbcdb4e321bf80b2e1dbd76a806fe799
Instruction ID: f1f774940599a3be13e06aa6365a544a89466a2e087cb675a0b3b85520da627c
Opcode Fuzzy Hash: 2382055b1f3cd62ae11e0b212c802121dbcdb4e321bf80b2e1dbd76a806fe799
Instruction Fuzzy Hash: 0A31DE76A0060AABDF249F64EC45EAF7BA9EB42314F150268FC05D7251EB35CD54CB90

Function 002052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00205352
GetWindowLongW.USER32(?,000000F0), ref: 00205375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00205382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002053A8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 587d18ea8640fda7831c8ef60d48b29de1a17e58e4cbca33daf50ad3b850c547
Instruction ID: a59791862432f203da344e5067a581a63f7fa073feaae0d8e0706ca403f087e5
Opcode Fuzzy Hash: 587d18ea8640fda7831c8ef60d48b29de1a17e58e4cbca33daf50ad3b850c547
Instruction Fuzzy Hash: FF31E634A75B29EFEB349F14DC06BEA7765AB05390F584181FA10961E3C7F099A0DF42

Function 001DAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 001DABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001DAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001DAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 001DACC6

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1e1d0a9bcf346f456909c553722e968629fb66e73c8b92e27bcb0dc57131194a
Instruction ID: 4bb34f66a52cf6550158f6850a87bea00882009a2a84c6db21d326f9d4244875
Opcode Fuzzy Hash: 1e1d0a9bcf346f456909c553722e968629fb66e73c8b92e27bcb0dc57131194a
Instruction Fuzzy Hash: 87313770A20718AFEF34CB648C087FE7BA5AF89330F98431BE481963D1C37999818752

Function 00207674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0020769A
GetWindowRect.USER32(?,?), ref: 00207710
PtInRect.USER32(?,?,00208B89), ref: 00207720
MessageBeep.USER32(00000000), ref: 0020778C

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 394143d570046cc2e9e30840863e8c7374d9d6d4451d9a317fe4c552d149fdc1
Instruction ID: f3c03d6ab63ce11ce02b3fa33178e0b4dea0aff13974170ccccfcb5566d9f820
Opcode Fuzzy Hash: 394143d570046cc2e9e30840863e8c7374d9d6d4451d9a317fe4c552d149fdc1
Instruction Fuzzy Hash: 2341AD38A15315DFDB11CF58D898EA9B7F4FB49384F1481A8E8149B2B2C371B9A1CF90

Function 002016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002016EB

Part of subcall function 001D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001D3A57
Part of subcall function 001D3A3D: GetCurrentThreadId.KERNEL32 ref: 001D3A5E
Part of subcall function 001D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001D25B3), ref: 001D3A65

GetCaretPos.USER32(?), ref: 002016FF
ClientToScreen.USER32(00000000,?), ref: 0020174C
GetForegroundWindow.USER32 ref: 00201752

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a23473795f58b4221d063c5e10abdd9f06d48387475f447f6546b69a50545a2d
Instruction ID: 7a731cb71063fc7e16751f97529976adb69c312e1fc770f7a37d4d5e81b431e4
Opcode Fuzzy Hash: a23473795f58b4221d063c5e10abdd9f06d48387475f447f6546b69a50545a2d
Instruction Fuzzy Hash: 92314175D00249AFC704DFA9C885CAEFBF9EF59304B50806AE415E7252D7319E45CBA0

Function 001DD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001DD501
Process32FirstW.KERNEL32(00000000,?), ref: 001DD50F
Process32NextW.KERNEL32(00000000,?), ref: 001DD52F
CloseHandle.KERNEL32(00000000), ref: 001DD5DC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: fb365f6d225c80abe00fe4c310c822a42f3a4e8f58dfda2d40d0b1e1c13edb8d
Instruction ID: 4f193af55ae3c2cc55351990f506dcfdaf45540549c954a41fc6334f90789608
Opcode Fuzzy Hash: fb365f6d225c80abe00fe4c310c822a42f3a4e8f58dfda2d40d0b1e1c13edb8d
Instruction Fuzzy Hash: A231A4711083009FD301EF54E885EAFBBF8EFA9354F14452DF589862A2EB719949CB93

Function 00208FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

GetCursorPos.USER32(?), ref: 00209001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001C7711,?,?,?,?,?), ref: 00209016
GetCursorPos.USER32(?), ref: 0020905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001C7711,?,?,?), ref: 00209094

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ddf8350e40b3c19045b1939545d029ca10a3e02c505994d61a4ceb051f019e09
Instruction ID: 18ab191c8ac7886e4c92a98a9f7e0a41290fa991657e7c9216570f982bc692f2
Opcode Fuzzy Hash: ddf8350e40b3c19045b1939545d029ca10a3e02c505994d61a4ceb051f019e09
Instruction Fuzzy Hash: CD21B135610218EFDB258F94DC58EFB3BBAEB49350F144155F9465B1A3C33199A0DB60

Function 001DD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0020CB68), ref: 001DD2FB
GetLastError.KERNEL32 ref: 001DD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001DD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0020CB68), ref: 001DD376

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: dc2d10ba370f654a1a376dd581ac0bb6e3f8eafe310e3740c4aa6f6d60302c6a
Instruction ID: 1573f3a67c311345bcc6e4652576c4690e3d22f07ee5eb9245cd1672b4289b89
Opcode Fuzzy Hash: dc2d10ba370f654a1a376dd581ac0bb6e3f8eafe310e3740c4aa6f6d60302c6a
Instruction Fuzzy Hash: 382171B0505301AFC714DF68E88586A77E4BE56364F204A1EF499C73E2D731D949CB93

Function 001D1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001D102A
Part of subcall function 001D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001D1036
Part of subcall function 001D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D1045
Part of subcall function 001D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001D104C
Part of subcall function 001D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001D1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001D15BE
_memcmp.LIBVCRUNTIME ref: 001D15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001D1617
HeapFree.KERNEL32(00000000), ref: 001D161E

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 453d75fd8bded0cb5533dc5f9a5fd4b25850102509f480f753d0a1af9f8829e3
Instruction ID: 281bb6215f4bf89a5211960a1b362275fe677d8d457e874f381d1d86039770ca
Opcode Fuzzy Hash: 453d75fd8bded0cb5533dc5f9a5fd4b25850102509f480f753d0a1af9f8829e3
Instruction Fuzzy Hash: 7621A971E00208FFDF00DFA4D948BEEB7B8EF40344F18855AE401AB241E770AA45CBA0

Function 00202782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0020280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00202824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00202832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00202840

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 33186726827afb1ced91fc17b7fd41399292fcbb6ad9ef38119a55cf1ea51b79
Instruction ID: ff39cbc08e4a5b862896521c8e493a4f2a6b7d87e9cadcf12a5d686bafa9106c
Opcode Fuzzy Hash: 33186726827afb1ced91fc17b7fd41399292fcbb6ad9ef38119a55cf1ea51b79
Instruction Fuzzy Hash: 7621C435214211EFD7149B24DC48F6ABBA9EF45324F248259F4168B6E3CB71FC56CB90

Function 001D78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001D790A,?,000000FF,?,001D8754,00000000,?,0000001C,?,?), ref: 001D8D8C
Part of subcall function 001D8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 001D8DB2
Part of subcall function 001D8D7D: lstrcmpiW.KERNEL32(00000000,?,001D790A,?,000000FF,?,001D8754,00000000,?,0000001C,?,?), ref: 001D8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001D8754,00000000,?,0000001C,?,?,00000000), ref: 001D7923
lstrcpyW.KERNEL32(00000000,?), ref: 001D7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001D8754,00000000,?,0000001C,?,?,00000000), ref: 001D7984

Strings

cdecl, xrefs: 001D797B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9173386bf5fb34ea3b72e6ecf3d7e8cb0c2fd4caec2761cfe12c32234300da11
Instruction ID: a58bb892ab726c3a6385dff5809be68594db2050761094174f52767ce45b1846
Opcode Fuzzy Hash: 9173386bf5fb34ea3b72e6ecf3d7e8cb0c2fd4caec2761cfe12c32234300da11
Instruction Fuzzy Hash: C711E47A200342ABCF196F38D855D7B77A9FF95364B10402BE806C73A5FB319811C761

Function 00207CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00207D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00207D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00207D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001EB7AD,00000000), ref: 00207D6B

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: c858946d89650b2aa9375eb4ca370d9c734afa92780c3c834bcc6ba422f284e4
Instruction ID: 99d892224202bbecd8562291928ea5145c37aea5b71084e33c7fe5f06458bb03
Opcode Fuzzy Hash: c858946d89650b2aa9375eb4ca370d9c734afa92780c3c834bcc6ba422f284e4
Instruction Fuzzy Hash: D111D235A25715AFDB109F28DC08A663BA4AF46360B254324F835D72F1E730E960CB50

Function 00205660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002056BB
_wcslen.LIBCMT ref: 002056CD
_wcslen.LIBCMT ref: 002056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00205816

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: b70958887db441a43d3f93e35f72ebf4d8f65ee4105f77b096a479a5e07748f5
Instruction ID: 2d8f194ebeae39678f512cb26b246c7b39b521f6f7715fcbc2d21e0bc1fba63a
Opcode Fuzzy Hash: b70958887db441a43d3f93e35f72ebf4d8f65ee4105f77b096a479a5e07748f5
Instruction Fuzzy Hash: 2411E175A20729A6DF209F61CC85AEF77ACFF11764B104026F905D60C3EBB08AA0CF60

Function 001A1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3344d833e54245ef00bec47d5fb3a63820def36d13cd66c9ff073fbc90dfef7
Instruction ID: eae85c125a1fb3b069f843da7a74fb95b6ea720110b82e5568b03519f8d1de1e
Opcode Fuzzy Hash: e3344d833e54245ef00bec47d5fb3a63820def36d13cd66c9ff073fbc90dfef7
Instruction Fuzzy Hash: 8401ADBA209A167EF62126B87CC8F67661CDF937B8F310329F525A11D2DB708C004170

Function 001D1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001D1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001D1A8A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3e463a0dcb6871b49f4f93baacc41f42d6a114fa44c1bf4bb5d92a8681cb2f41
Instruction ID: 79a3634667856c203578061a6c6c1900fdfbdfbbc9bdf8117112c65c2ef28362
Opcode Fuzzy Hash: 3e463a0dcb6871b49f4f93baacc41f42d6a114fa44c1bf4bb5d92a8681cb2f41
Instruction Fuzzy Hash: 6211273A901219FFEB109BA4C985FADBB79EB08750F200092EA00B7290D7716E50DB94

Function 001DE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001DE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001DE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001DE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001DE24D

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: eb1a5eca45c0de900fa1776dc57db2bc9f5ea3f1ad82ee55b95d3fda6ce239d8
Instruction ID: e836c0254fc6991feb9582ba6a272b54914443d7cf7c0c17ce100b29c57cb091
Opcode Fuzzy Hash: eb1a5eca45c0de900fa1776dc57db2bc9f5ea3f1ad82ee55b95d3fda6ce239d8
Instruction Fuzzy Hash: 2711C8B6904254BBC701AFA8BC0DA9F7FAC9B45321F14435AF915D7391D770D90487A0

Function 0019D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0019CFF9,00000000,00000004,00000000), ref: 0019D218
GetLastError.KERNEL32 ref: 0019D224
__dosmaperr.LIBCMT ref: 0019D22B
ResumeThread.KERNEL32(00000000), ref: 0019D249

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 3e6bd6fd637a08668a0d8f9c1ecfafdabc266880ecfc677c600bc93351438faa
Instruction ID: 0ae67bfd003bfc5ba10ce81bde399105e2ede4ff8b19caf717329fc003bfd48d
Opcode Fuzzy Hash: 3e6bd6fd637a08668a0d8f9c1ecfafdabc266880ecfc677c600bc93351438faa
Instruction Fuzzy Hash: 5D01F576805204BBCF116BA5FC09BAE7A69DF91730F200369F925921D0CF70C901C6A0

Function 00209EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00189BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00189BB2

GetClientRect.USER32(?,?), ref: 00209F31
GetCursorPos.USER32(?), ref: 00209F3B
ScreenToClient.USER32(?,?), ref: 00209F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00209F7A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 926c9714a9fba407bac7c1578fd1d1113676882ff621d191436e8705590bcd14
Instruction ID: 8dbee5515d1d05d411a8f1af412039862b979e508ad8a4cccfbc45a4d29cf563
Opcode Fuzzy Hash: 926c9714a9fba407bac7c1578fd1d1113676882ff621d191436e8705590bcd14
Instruction Fuzzy Hash: 1511883291021AABDB10EF68D8899EE77B8FB05301F100551F902E3482C330BAE1CBA1

Function 0017600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0017604C
GetStockObject.GDI32(00000011), ref: 00176060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0017606A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 6369731012eb5217c2a92c236a6bf3ffe49574aca7752e80b0028d5a6bc931e8
Instruction ID: 3aac193bed9023cb0fe65831039cf4dd3f539013cabd47524d606c89351b520e
Opcode Fuzzy Hash: 6369731012eb5217c2a92c236a6bf3ffe49574aca7752e80b0028d5a6bc931e8
Instruction Fuzzy Hash: 95118BB2101A08BFEF164FA49C48AEABB7DEF083A4F104201FA0852021C7369C609FA0

Function 00193B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00193B56

Part of subcall function 00193AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00193AD2
Part of subcall function 00193AA3: ___AdjustPointer.LIBCMT ref: 00193AED

_UnwindNestedFrames.LIBCMT ref: 00193B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00193B7C
CallCatchBlock.LIBVCRUNTIME ref: 00193BA4

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 8ba9317196bd544ae320d82001c4973f00f9d72b0b84b14c4b4a246288f8ed5d
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 6E01E932100149BBDF126E95CC46EEB7B6AFF58754F044014FE5896121C732E962EBA0

Function 001A3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001713C6,00000000,00000000,?,001A301A,001713C6,00000000,00000000,00000000,?,001A328B,00000006,FlsSetValue), ref: 001A30A5
GetLastError.KERNEL32(?,001A301A,001713C6,00000000,00000000,00000000,?,001A328B,00000006,FlsSetValue,00212290,FlsSetValue,00000000,00000364,?,001A2E46), ref: 001A30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001A301A,001713C6,00000000,00000000,00000000,?,001A328B,00000006,FlsSetValue,00212290,FlsSetValue,00000000), ref: 001A30BF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: aae9cd41c9ababd91b65060d311b0e27a2177116dd321d3de7d0eff9e8453e09
Instruction ID: a0b1627e5b9108570ef4ec9f88440b6a94681c6c07fc3d18f3b3a1d3c70bc345
Opcode Fuzzy Hash: aae9cd41c9ababd91b65060d311b0e27a2177116dd321d3de7d0eff9e8453e09
Instruction Fuzzy Hash: 0101FC7A301322ABC7314B79AD4CB677B989F477A1B310720F925D3181C721D905C6E0

Function 001D7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001D747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001D7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001D74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001D74CA

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 377ba2ddda71c83442d7e37676495e4871ad7b6a29db9ff4951b47d1fd7eeb39
Instruction ID: fb4e56b009f12c9bec9d6ad1ff7667e692f479dfda79251cca8e7e6fef8f570f
Opcode Fuzzy Hash: 377ba2ddda71c83442d7e37676495e4871ad7b6a29db9ff4951b47d1fd7eeb39
Instruction Fuzzy Hash: AC1161B52093159BE7218F14ED4DB92BBFCEB00B04F10856AA656D6292E770E904DB60

Function 001DB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001DACD3,?,00008000), ref: 001DB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001DACD3,?,00008000), ref: 001DB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001DACD3,?,00008000), ref: 001DB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001DACD3,?,00008000), ref: 001DB126

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a1a5c5a76d3e74b32f008c9bafedea796f413684ef27a1a61d58312d498af705
Instruction ID: 94efdadf7c7052cd42c5cb5ae933b34efc19651363fe23472cdbec1ea86d30ab
Opcode Fuzzy Hash: a1a5c5a76d3e74b32f008c9bafedea796f413684ef27a1a61d58312d498af705
Instruction Fuzzy Hash: 53116171C0561CD7CF04AFE4F9D96EEBB78FF09711F124196E942B2241CB3056508B91

Function 00207E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00207E33
ScreenToClient.USER32(?,?), ref: 00207E4B
ScreenToClient.USER32(?,?), ref: 00207E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00207E8A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e48903e31db86c2aa688922d89121f09c379d067b911f2de2ed6784c205d1c3c
Instruction ID: a5986d9be5cbad926abdcccb09810f7eed173f5e04fb53bae3ff528db667e941
Opcode Fuzzy Hash: e48903e31db86c2aa688922d89121f09c379d067b911f2de2ed6784c205d1c3c
Instruction Fuzzy Hash: D71186B9D0020AAFDB41CF98D8849EEBBF9FF08310F104156E911E3251D735AA54CF50

Function 001D2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001D2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001D2DD6
GetCurrentThreadId.KERNEL32 ref: 001D2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001D2DE4

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 9ea35c112b10d5636c4d441966b5f066d17221c784f94980268b59678925aaec
Instruction ID: f6c12a1d68dcdcfd64c01e24e5d463762614b5ff2d3ffea32ad1955da3baf8d1
Opcode Fuzzy Hash: 9ea35c112b10d5636c4d441966b5f066d17221c784f94980268b59678925aaec
Instruction Fuzzy Hash: 62E092B11017247BD7301BB6AC0DFEB7E6DEF96BA1F100216F105D11819BB1C840C6B0

Function 00208863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00189639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00189693
Part of subcall function 00189639: SelectObject.GDI32(?,00000000), ref: 001896A2
Part of subcall function 00189639: BeginPath.GDI32(?), ref: 001896B9
Part of subcall function 00189639: SelectObject.GDI32(?,00000000), ref: 001896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00208887
LineTo.GDI32(?,?,?), ref: 00208894
EndPath.GDI32(?), ref: 002088A4
StrokePath.GDI32(?), ref: 002088B2

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c0a9387579edfcf6c0257753b0eab4a50312c387c275402ee6fd2e554e2204aa
Instruction ID: dfd815d111e729950377c5e491ad8584fb1c9d90d127a1430dc742ae3fda955f
Opcode Fuzzy Hash: c0a9387579edfcf6c0257753b0eab4a50312c387c275402ee6fd2e554e2204aa
Instruction Fuzzy Hash: 11F03A76041259FAEB126F94AC0DFCA3E6AAF06710F148100FA11650E2C7755561DFE5

Function 001898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001898CC
SetTextColor.GDI32(?,?), ref: 001898D6
SetBkMode.GDI32(?,00000001), ref: 001898E9
GetStockObject.GDI32(00000005), ref: 001898F1

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 14bcc827e16b0f31561aaf5a004182a9d6f539decd838fd657507673b0c1d915
Instruction ID: 97d5b0ef86b07b3e48551d460a3fdce49edd4b0b73cae6e110c163b4b138a65b
Opcode Fuzzy Hash: 14bcc827e16b0f31561aaf5a004182a9d6f539decd838fd657507673b0c1d915
Instruction Fuzzy Hash: 22E06D71244380AEDB215B74BC0DBEC7F20AB22336F248319FAFA580E2C3B186509F10

Function 001D162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001D1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001D11D9), ref: 001D163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001D11D9), ref: 001D1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001D11D9), ref: 001D164F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 625d916e13527e93b019a1bbe3fc9683b05255284286263d3d6f2e918d3da43f
Instruction ID: 066d4bb3bbe994afa1d7dfdccb65a2038471e3fd28bae0a1837090ad718827a6
Opcode Fuzzy Hash: 625d916e13527e93b019a1bbe3fc9683b05255284286263d3d6f2e918d3da43f
Instruction Fuzzy Hash: B4E08CB2606311FBE7202FA0BE0DB863B7DAF44792F248909F645C9081E7749440CB60

Function 001CD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001CD858
GetDC.USER32(00000000), ref: 001CD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001CD882
ReleaseDC.USER32(?), ref: 001CD8A3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f52a8f556cdf7d8b138380c3a0140d5d47e0fd6f699d365641dad2fce81ea266
Instruction ID: 40e3493786ee56ded07cbdab7960c4ae6f482418c6b805a0ae6dafb6312fe1b2
Opcode Fuzzy Hash: f52a8f556cdf7d8b138380c3a0140d5d47e0fd6f699d365641dad2fce81ea266
Instruction Fuzzy Hash: E3E01AB0800304DFCF51AFB0E84CA6DBBB6FB48310F218119F856E7251CB398A01AF50

Function 001CD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001CD86C
GetDC.USER32(00000000), ref: 001CD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001CD882
ReleaseDC.USER32(?), ref: 001CD8A3

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a3de45df1a4c11987203491a714a783d01a20472ceef5de96db3b8b431265e67
Instruction ID: 4edddd0209f192a0134b15c3dc06f26f2a1c91fce985fbce13e457c972bc6068
Opcode Fuzzy Hash: a3de45df1a4c11987203491a714a783d01a20472ceef5de96db3b8b431265e67
Instruction Fuzzy Hash: EEE09AB5800304DFCF51AFB4E84C66DBBB5BB48311F248549F95AE7251CB395A019F50

Function 001E4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00177620: _wcslen.LIBCMT ref: 00177625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001E4ED4

Strings

LPT, xrefs: 001E4DFB
*, xrefs: 001E4E10

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 0d6de0d653cd94c685a2d42a453036df020c7c665fdaa5d8926f8060df236b36
Instruction ID: f128db02d00cfce539632b8ef1c0d6451a7a48f618fcfc7ccf07ca4e6e7bfc9a
Opcode Fuzzy Hash: 0d6de0d653cd94c685a2d42a453036df020c7c665fdaa5d8926f8060df236b36
Instruction Fuzzy Hash: 6F916E75A006449FCB14DF59C484EAEBBF1BF45704F198099E80A9F3A2C735EE85CB91

Function 0019E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0019E30D

Strings

pow, xrefs: 0019E2E5, 0019E302

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f0bd0b871696b708d067aec651d1e3f176dde04ea22a154a6764bc42ab3128bc
Instruction ID: aafc905bd7d47c0be8d2456b7c4b1887aa3e518c5d7d013f1af8db4f808adb5e
Opcode Fuzzy Hash: f0bd0b871696b708d067aec651d1e3f176dde04ea22a154a6764bc42ab3128bc
Instruction Fuzzy Hash: 0B518D65A0C20296CF15B714DD053BA3BE4FB51740F348D68F0D6833E9EF318E959A86

Function 001F7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(001C569E,00000000,?,0020CC08,?,00000000,00000000), ref: 001F78DD

Part of subcall function 00176B57: _wcslen.LIBCMT ref: 00176B6A

CharUpperBuffW.USER32(001C569E,00000000,?,0020CC08,00000000,?,00000000,00000000), ref: 001F783B

Strings

<s#, xrefs: 001F77C8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s#
API String ID: 3544283678-1950719649
Opcode ID: ea1ff2df5f1f12bfe30e9c2cfe3501b1018326d6c3775e73a24e7b24e6f9b5a3
Instruction ID: dcb5067bdb3bc2c31bcd48c46e7c37cf863f2cc68a33358b6f4740b2e433de63
Opcode Fuzzy Hash: ea1ff2df5f1f12bfe30e9c2cfe3501b1018326d6c3775e73a24e7b24e6f9b5a3
Instruction Fuzzy Hash: 38613D72914119EACF14EBA4DC91DFDB378BF28704B548129F646A70D2EF705A09DBA0

Function 0018E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0018E1B1

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d0d96783bb4cb216e81ea67845b9b0da5a4d7ed1df5ae4086a396f7c0d391362
Instruction ID: 5335c210b0a41dcc4727a0db11e399c043a962ef1999c7d4ce0c66a8375ba4fc
Opcode Fuzzy Hash: d0d96783bb4cb216e81ea67845b9b0da5a4d7ed1df5ae4086a396f7c0d391362
Instruction Fuzzy Hash: 57510175500346DFDB29EF68C482EBA7BE9EF75310F248059E8919B290D734DE52CBA0

Function 0018F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0018F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0018F2BB

Strings

@, xrefs: 0018F2AF

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3425d542fe3d01329313419b5a62f8e12284aba42b0a31939cf5f388b040caf1
Instruction ID: 0998e42df3510000410605ccac57216e34f62389eb2cb711235448f34cf027f9
Opcode Fuzzy Hash: 3425d542fe3d01329313419b5a62f8e12284aba42b0a31939cf5f388b040caf1
Instruction Fuzzy Hash: C05138714087449BD320AF54EC86BAFBBF8FBA5300F81885DF1D9411A5EF708629CB66

Function 001F5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001F57E0
_wcslen.LIBCMT ref: 001F57EC

Strings

CALLARGARRAY, xrefs: 001F57E6, 001F57EB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: b71cef3fd084235f7c926211f266a4b5284e008fa17b368668b684fd3034f254
Instruction ID: 10f1d41fdd2a434f7573268cd020ca729f0bde9a236f68e633db61ec5e8bee19
Opcode Fuzzy Hash: b71cef3fd084235f7c926211f266a4b5284e008fa17b368668b684fd3034f254
Instruction Fuzzy Hash: 8B41A271E002099FCB14DFA9D8858BEBBB6FF69354F104129F605A7292E7349D81CF90

Function 001ED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001ED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001ED13A

Strings

|, xrefs: 001ED10B

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6ac2ea778794bd1f3a928142b8ce79ac883332120a5eb5e5b2a541eb17f2b12d
Instruction ID: 61d6e6a9a97d92e43e5dbbec46390908a07d360bdc692664c885fcefbcfa7f62
Opcode Fuzzy Hash: 6ac2ea778794bd1f3a928142b8ce79ac883332120a5eb5e5b2a541eb17f2b12d
Instruction Fuzzy Hash: 33315071D00209ABCF15EFA5DC85EEEBFB9FF18300F104059F819A6162DB31AA46CB61

Function 0020356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00203621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0020365C

Strings

static, xrefs: 002035BC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a96c4eea9d46068e5b00ae33aadc3bcb37689ec04a9926985c2aaeb240837662
Instruction ID: b248ade8231e5e1c4c1cebdcf7ceb0d9122821a9a20ebd528cb95a73fc49cb92
Opcode Fuzzy Hash: a96c4eea9d46068e5b00ae33aadc3bcb37689ec04a9926985c2aaeb240837662
Instruction Fuzzy Hash: 1431AF71120704AADB10DF28DC80EBB73ADFF88720F108619F8A597291DB31ADA1CB64

Function 00204537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0020461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00204634

Strings

', xrefs: 0020458E

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0733dc84cf8bfa445c2e66a0fd1e35dc1a9a3840307e4892b59284bb68bcf94b
Instruction ID: 7bff8f2f4bbb31b43a725a14f87b15abbb0c41457a911033a301334a3fae1a52
Opcode Fuzzy Hash: 0733dc84cf8bfa445c2e66a0fd1e35dc1a9a3840307e4892b59284bb68bcf94b
Instruction Fuzzy Hash: CE314FB4A1130A9FDF14DFA5C980BDA7BB9FF59300F504169EA049B382E771A951CF90

Function 002031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0020327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00203287

Strings

Combobox, xrefs: 00203249

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5a689832270b7908384eaf8ad219e2d798e68fdd7b7729cfc2f04191cd030b4e
Instruction ID: 0c82ece2d2b42080dfe1ccf1947f5260eed363020d03168602bafc09dd65cce0
Opcode Fuzzy Hash: 5a689832270b7908384eaf8ad219e2d798e68fdd7b7729cfc2f04191cd030b4e
Instruction Fuzzy Hash: 5C11D0712202097FEF25DF54DC84EBB376EEB94364F104125F918972D2D6319D618B60

Function 00203710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0017600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0017604C
Part of subcall function 0017600E: GetStockObject.GDI32(00000011), ref: 00176060
Part of subcall function 0017600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0017606A

GetWindowRect.USER32(00000000,?), ref: 0020377A
GetSysColor.USER32(00000012), ref: 00203794

Strings

static, xrefs: 00203757

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 0b87a9a4dbc65c59015aa0321d914b28bf90a8fb6f54b50e68a5caba133906b7
Instruction ID: 3933e6e993f6659cd6152b8c81ca91aa8ac5b08a1d61d8b6de1b38e24a03ee04
Opcode Fuzzy Hash: 0b87a9a4dbc65c59015aa0321d914b28bf90a8fb6f54b50e68a5caba133906b7
Instruction Fuzzy Hash: 3A113AB262020AAFDF00DFA8CC45EEA7BB8FF09314F104A15FD55E2291D775E8619B50

Function 001ECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001ECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001ECDA6

Strings

<local>, xrefs: 001ECD66

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9b90e8f6fed608894ba9ce3f4cced8dd51453f60dbf0dd16c4abc8f87c3064a9
Instruction ID: bed1db157d3ae84269ab14bb36b82ca988b144a7e2b5eb598ad2cdee090f663c
Opcode Fuzzy Hash: 9b90e8f6fed608894ba9ce3f4cced8dd51453f60dbf0dd16c4abc8f87c3064a9
Instruction Fuzzy Hash: E611C6B1205A71BAD7384BA78C49FEBBEACFF127A4F104226B10983090D7759842D6F0

Function 00203429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002034BA

Strings

edit, xrefs: 0020348F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 98ed6d37d2c3ef2392d397182eaaf62f377d885e6e215cfb41353f22b45b5ad3
Instruction ID: 9dd9d904f7eb0bff247084588d98be010ef19b8bba1d31b5c40814107ced05b3
Opcode Fuzzy Hash: 98ed6d37d2c3ef2392d397182eaaf62f377d885e6e215cfb41353f22b45b5ad3
Instruction Fuzzy Hash: 6211BF71120309ABEB118F64EC84ABB376EEF05374F604324F9649B1D1C771DC619B50

Function 001D6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

CharUpperBuffW.USER32(?,?,?), ref: 001D6CB6
_wcslen.LIBCMT ref: 001D6CC2

Strings

STOP, xrefs: 001D6CBC, 001D6CC1

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 73a5b8f2c5d4e5af1dadf2527dea42d700560719d0f20084da8c443ef17c9413
Instruction ID: 284deaf87e56d393bd6dbd2b841bde49942dde17a702769fd80c492c1ba069f4
Opcode Fuzzy Hash: 73a5b8f2c5d4e5af1dadf2527dea42d700560719d0f20084da8c443ef17c9413
Instruction Fuzzy Hash: 9F0104326249268BCB209FFDEC808BF33B5EB717507100526E85296291EB31D800C650

Function 001D1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001D1D4C

Strings

ListBox, xrefs: 001D1D16
ComboBox, xrefs: 001D1CEB

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c39dabbe64cce166911126bfaa4aa91c5ea07a0c00762443b78b58032439c1d4
Instruction ID: 2907b91db0f548bbf9a8a3dcaa1a60f6bd63861e3a946006aa49a7b0da044106
Opcode Fuzzy Hash: c39dabbe64cce166911126bfaa4aa91c5ea07a0c00762443b78b58032439c1d4
Instruction Fuzzy Hash: 1E01F171650228BBCB08EBE0CC19CFE73A9EB62350B000A0BE836673C1EB30590CC661

Function 001D1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001D1C46

Strings

ListBox, xrefs: 001D1C10
ComboBox, xrefs: 001D1BE5

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 921fa57ef0abdbc662ba90f5c702a4bf134a2eb85aa78382aeef96ce887faf5b
Instruction ID: df32bc222dcc22988a70228df815fde77459a3fe8baaeeb44ab832b0368b4dc3
Opcode Fuzzy Hash: 921fa57ef0abdbc662ba90f5c702a4bf134a2eb85aa78382aeef96ce887faf5b
Instruction Fuzzy Hash: BC01A7B57A110876DF18EB90DD52DFF77A89F22340F14001BA41A67382EB209F1C96B2

Function 001D1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 001D1CC8

Strings

ListBox, xrefs: 001D1C94
ComboBox, xrefs: 001D1C69

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1a137891be23ebb88bcf8345fcea814a316e1341c2a8de8e66cce9cde4e7d715
Instruction ID: 072abe65f04e54ac93032b4dd1f38e9af980f1f4bf449d57e6d76398add8005a
Opcode Fuzzy Hash: 1a137891be23ebb88bcf8345fcea814a316e1341c2a8de8e66cce9cde4e7d715
Instruction Fuzzy Hash: 5E01A2B17A011876CB18EBA4CA02EFF73AC9B22340F540016B80677382EB219F199672

Function 001D1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179CB3: _wcslen.LIBCMT ref: 00179CBD

Part of subcall function 001D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001D3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 001D1DD3

Strings

ListBox, xrefs: 001D1DA0
ComboBox, xrefs: 001D1D75

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 40df741f4a97347ed5c381ca8e2c97f0271511a6ae93259e32e020a97b6ec287
Instruction ID: 003c27d5aa29ece92fa16e69096be6b1e145d086e983e96d2aa4d4a56c2a951f
Opcode Fuzzy Hash: 40df741f4a97347ed5c381ca8e2c97f0271511a6ae93259e32e020a97b6ec287
Instruction Fuzzy Hash: 7FF0F471B6061876CB08E7E4DC56EFF737DAB22354F040916B826673C1DB60590C8261

Function 0018FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00190668

Part of subcall function 001932A4: RaiseException.KERNEL32(?,?,?,0019068A,?,00241444,?,?,?,?,?,?,0019068A,00171129,00238738,00171129), ref: 00193304

__CxxThrowException@8.LIBVCRUNTIME ref: 00190685

Strings

Unknown exception, xrefs: 00190692

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: e3d6eeecc6c993d4a580dc4f35fcf7e8ec3994533647328d48e02bb8b299ed68
Instruction ID: c56c6aab3181af3422bf777d930355ed042cffb13d78232b3b2d88ebb661c7c8
Opcode Fuzzy Hash: e3d6eeecc6c993d4a580dc4f35fcf7e8ec3994533647328d48e02bb8b299ed68
Instruction Fuzzy Hash: 6EF06D3490030DBBCF05BAA4D846C9E7B6C9F55350B604635B924D65E2EF71EB66CAC0

Function 00208172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00243018,0024305C), ref: 002081BF
CloseHandle.KERNEL32 ref: 002081D1

Strings

\0$, xrefs: 0020818A

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0$
API String ID: 3712363035-2040716516
Opcode ID: e63710095706fabda21aa6455b1a12628c5656a868d828889d0fda4827d74dad
Instruction ID: cf7d8f3f33402c418480e0d622b17d6a5ddc67b3e0b424657431e9a4a1d8bc5b
Opcode Fuzzy Hash: e63710095706fabda21aa6455b1a12628c5656a868d828889d0fda4827d74dad
Instruction Fuzzy Hash: 52F05EF6650300BAE720AB61BC49FB73A9CEB19B50F105560FB08D51A2D6768A1082B8

Function 001F747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001F7493
_wcslen.LIBCMT ref: 001F74B9

Strings

3, 3, 16, 1, xrefs: 001F7483

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: db009123af979866040391a8bed0929c79182bc506630e41a9b6995443a981c0
Instruction ID: c00d0eb15dacf46baa59accf8920158c6c40de63f10e7115156a014cc23ce660
Opcode Fuzzy Hash: db009123af979866040391a8bed0929c79182bc506630e41a9b6995443a981c0
Instruction Fuzzy Hash: 8CE02B4221422411963122799CC1D7F56C9CFDD750714182BFA81C22E6EB948D9393A1

Function 001D0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001D0B23

Strings

Error allocating memory., xrefs: 001D0B1C
AutoIt, xrefs: 001D0B17

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 50373a4dcf77445ede8030f90c8d3e2c9fa2239da3099c695ec3ed4e3f707762
Instruction ID: 665acd57816adad1cda38a6744282bf48ef8c09f79068ecc4fff63b6370c6623
Opcode Fuzzy Hash: 50373a4dcf77445ede8030f90c8d3e2c9fa2239da3099c695ec3ed4e3f707762
Instruction Fuzzy Hash: AEE0D87124431866D31437947C07F897B848F19B61F20042BF748555C38BD225A00AE9

Function 00190D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0018F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00190D71,?,?,?,0017100A), ref: 0018F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0017100A), ref: 00190D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0017100A), ref: 00190D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00190D7F

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 3a71e90b8b3411a542481105a474091367f8f11ce0d411e9c0b5d8b832feae15
Instruction ID: 98c614750143cb92d5d5e3d036fa0abadacff642123084f95401341b3d6b66a2
Opcode Fuzzy Hash: 3a71e90b8b3411a542481105a474091367f8f11ce0d411e9c0b5d8b832feae15
Instruction Fuzzy Hash: C6E092B42003018FE7719FB8E5083427BE4BF18740F008A2DE896C6A92DBB0E4448B91

Function 0018E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0018E3D5

Strings

0%$, xrefs: 0018E3B5
8%$, xrefs: 0018E3CA

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%$$8%$
API String ID: 1385522511-2281168666
Opcode ID: a9a9903f3fd9991d067161bba674dec5976b73bb2c8121963504bdc00edddd2f
Instruction ID: f7b12c8e5a2dd460af28b61e95f81897fbed0ba2cd70c4ea5386c13025342aff
Opcode Fuzzy Hash: a9a9903f3fd9991d067161bba674dec5976b73bb2c8121963504bdc00edddd2f
Instruction Fuzzy Hash: DAE02635510910CFCA0DB719BA58A883391FB1A320BD00179F902871D19BB02D458B44

Function 001E3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001E302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001E3044

Strings

aut, xrefs: 001E3038

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a2e5ca1328d1fe39b7e9212b1ae438e7594d53d0298d1286f4e963c8c3f22497
Instruction ID: 8c03e6437de338dbb6f4e16d868a523811b504cc1d70ebe6ca1fe45eb6100279
Opcode Fuzzy Hash: a2e5ca1328d1fe39b7e9212b1ae438e7594d53d0298d1286f4e963c8c3f22497
Instruction Fuzzy Hash: B9D05EB25003287BDA20A7A4AC0EFCB3A6CDB05750F0002A1BA55E20D2DAB09984CAD0

Function 001CD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001CD220

Strings

%.3d, xrefs: 001CD22B
X64, xrefs: 001CD2A8

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 63021897ed0dac421572eee8ffd6155a389da3e9b62ad2c95e7b158dac27746a
Instruction ID: f8915733765dc89ea43b045d75ed1277cd3231d71ac27ca004769a4694f5be4f
Opcode Fuzzy Hash: 63021897ed0dac421572eee8ffd6155a389da3e9b62ad2c95e7b158dac27746a
Instruction Fuzzy Hash: BBD012A1C08208E9CB58A7D0EC49EBAB3BCEB29341F62847AFC0692040D734C6496B61

Function 00202322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0020232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0020233F

Part of subcall function 001DE97B: Sleep.KERNELBASE ref: 001DE9F3

Strings

Shell_TrayWnd, xrefs: 00202325

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 93b7874ee893cfe79fad164715c8ea7a7439541d30ee332e56c04b818cda44ba
Instruction ID: 89687f85b978a6f68a46136b244ce637f9ec16073acb543a5780c7a580820257
Opcode Fuzzy Hash: 93b7874ee893cfe79fad164715c8ea7a7439541d30ee332e56c04b818cda44ba
Instruction Fuzzy Hash: C3D0A9B63D0300B6E66CB330AC0FFC6AA089B00B04F204A027205AA1D1C9A0A8008A50

Function 00202356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0020236C
PostMessageW.USER32(00000000), ref: 00202373

Part of subcall function 001DE97B: Sleep.KERNELBASE ref: 001DE9F3

Strings

Shell_TrayWnd, xrefs: 00202365

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a096c0b90438ca1a358ce5ee191333bce9b2242289455b1ec722e2dc69529b30
Instruction ID: a412bb99ff2518e60cb090b9bb8c0017f0c0d7299bde30ab2bee9437f2aabf7f
Opcode Fuzzy Hash: a096c0b90438ca1a358ce5ee191333bce9b2242289455b1ec722e2dc69529b30
Instruction Fuzzy Hash: D9D0A9B23C13007AE66CB330AC0FFC6AA089B00B04F604A027201AA1D1C9A0A8008A54

Function 001ABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 001ABE93
GetLastError.KERNEL32 ref: 001ABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001ABEFC

Memory Dump Source

Source File: 00000000.00000002.3318818374.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.3318789339.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.000000000020C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318895420.0000000000232000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3318974833.000000000023C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3319004396.0000000000244000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 63a9cbfbc034aaf823b0be2ce1d1f68cb47a297f04bb2537c4f9e2c38c606826
Instruction ID: ace04692057af0c361c97ac2b0c54d4fede4b6b9b082073144d6b4062577a169
Opcode Fuzzy Hash: 63a9cbfbc034aaf823b0be2ce1d1f68cb47a297f04bb2537c4f9e2c38c606826
Instruction Fuzzy Hash: 1441FC38609286AFCF258F74DCD4ABA7BA5EF43310F194169F959971A3DB308D01CB50

Source: global traffic	TCP traffic: 192.168.2.5:62103 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.5:50934 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 23.54.161.105 23.54.161.105
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveContent-Length: 465Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HA11Sf1GnK9Cx1x&MD=4vAUTgo9 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HA11Sf1GnK9Cx1x&MD=4vAUTgo9 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.81.228
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.81.228
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.81.228
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.206

Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\028b2604-954e-4881-8073-b496fcea600d.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\129618f1-61e7-4148-a0df-41719c74ce70.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\1faec218-0ebf-4651-9b9b-55a613986089.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\5e195fbc-e770-4a3e-b564-965795c1cc88.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\7e8b4564-6ad0-433a-b11b-9b81061981ed.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\850d6b3a-ebd4-4ce7-a792-fffac87e1160.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\979bd243-a712-42a3-a2af-0f2e2fe8b222.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\b130fc92-2212-4491-80d2-e8e26f305032.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CEF304-1558.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66CEF305-1C5C.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\1ed43701-8a60-45d1-8457-6b5fb10faa26.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\546f0035-47c1-43e9-a3d2-1257c9a99ba8.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\6e8b79c9-5196-40a7-b873-16ec8458ea2f.tmp

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre