Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1501239
MD5:	dced9153dcb405dfd6499434ef1d56f2
SHA1:	7bfd2b92028a46e1ee32f52b4ecbd8c6889b9663
SHA256:	74e22f5a723899273ae1cc4e59dd44dc6ab193c05035b297614bdc77a9457411
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3664 cmdline: "C:\Users\user\Desktop\file.exe" MD5: DCED9153DCB405DFD6499434EF1D56F2)

msedge.exe (PID: 4136 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4132 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2032,i,16988494494668534220,2822882406971420008,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7200 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7548 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8752 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3416 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8764 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7396 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2172 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 336 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2336 --field-trial-handle=2128,i,8679173974918420017,15842253815154917753,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3920 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2560 --field-trial-handle=2128,i,8679173974918420017,15842253815154917753,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9584 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9840 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1236 --field-trial-handle=2576,i,11118179262118238298,6927410186781767715,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: file.exe, 00000000.00000002.2468324195.0000000000A10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2468324195.00000000009E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_10.6.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_10.6.dr	String found in binary or memory: https://azureedge.net
Source: Reporting and NEL.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: data_10.6.dr	String found in binary or memory: https://msn.com
Source: Web Data.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.104.136.2:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.64:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.64:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.124.78.146:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.124.78.146:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.124.78.146:443 -> 192.168.2.7:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.124.78.146:443 -> 192.168.2.7:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49759 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00EAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00EAED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00EAEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E9AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00E9AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00EC9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a9b21ab0-1
Source: file.exe, 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1d24e425-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f8fa9974-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_be2ba5ab-3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E9D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00E9D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00E91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00E9E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E38060	0_2_00E38060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA2046	0_2_00EA2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E98298	0_2_00E98298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6E4FF	0_2_00E6E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6676B	0_2_00E6676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC4873	0_2_00EC4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3CAF0	0_2_00E3CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5CAA0	0_2_00E5CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4CC39	0_2_00E4CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E66DD9	0_2_00E66DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4D063	0_2_00E4D063
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E391C0	0_2_00E391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4B119	0_2_00E4B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E51394	0_2_00E51394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E51706	0_2_00E51706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5781B	0_2_00E5781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E519B0	0_2_00E519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4997D	0_2_00E4997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E37920	0_2_00E37920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E57A4A	0_2_00E57A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E57CA7	0_2_00E57CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E51C77	0_2_00E51C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E69EEE	0_2_00E69EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EBBE44	0_2_00EBBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E51F32	0_2_00E51F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E39CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E50A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00E4F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.evad.winEXE@71/307@12/11

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA37B5 GetLastError,FormatMessageW,

0_2_00EA37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E910BF AdjustTokenPrivileges,CloseHandle,		0_2_00E910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00E916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00EA51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EBA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00EBA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00EA648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E342A2

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user~1\AppData\Local\Temp\fdb769c4-866e-41c6-8a72-1045d245f656.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2032,i,16988494494668534220,2822882406971420008,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3416 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7396 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2336 --field-trial-handle=2128,i,8679173974918420017,15842253815154917753,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2560 --field-trial-handle=2128,i,8679173974918420017,15842253815154917753,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1236 --field-trial-handle=2576,i,11118179262118238298,6927410186781767715,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2032,i,16988494494668534220,2822882406971420008,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3416 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7396 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2336 --field-trial-handle=2128,i,8679173974918420017,15842253815154917753,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2560 --field-trial-handle=2128,i,8679173974918420017,15842253815154917753,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1236 --field-trial-handle=2576,i,11118179262118238298,6927410186781767715,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E50A76 push ecx; ret

0_2_00E50A89

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E4F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00EC1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96485

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6081

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe TID: 4684

Thread sleep time: -60810s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6081 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E9DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6C2A2 FindFirstFileExW,	0_2_00E6C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA68EE FindFirstFileW,FindClose,	0_2_00EA68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00EA698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E9D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E9D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EA9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EA979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00EA9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EA5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00EA5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E342DE

Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Web Data.23.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: Web Data.23.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Web Data.23.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: Web Data.23.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Web Data.23.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: Web Data.23.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: Web Data.23.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Web Data.23.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: Web Data.23.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: Web Data.23.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Web Data.23.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Web Data.23.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Web Data.23.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Web Data.23.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: Web Data.23.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-96393

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EAEAA2 BlockInput,

0_2_00EAEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E62622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E54CE8 mov eax, dword ptr fs:[00000030h]

0_2_00E54CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00E90B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E62622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E5083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E509D5 SetUnhandledExceptionFilter,	0_2_00E509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00E50C21

Source: C:\Users\user\Desktop\file.exe

0_2_00E91201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E72BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E72BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E9B226 SendInput,keybd_event,

0_2_00E9B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EB22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00EB22DA

Source: C:\Users\user\Desktop\file.exe

0_2_00E90B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E91663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00E91663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E50698 cpuid

0_2_00E50698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00EA8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00EA8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E8D27A GetUserNameW,

0_2_00E8D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E6B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00E6B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E342DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00EB1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00EB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00EB1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://bzib.nelreports.net/api/report?cat=bingbusiness	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
https://www.office.com/Office	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://msn.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	unknown
s-part-0014.t-0009.fb-t-msedge.net	13.107.253.42	true	false	unknown
bzib.nelreports.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bzib.nelreports.net/api/report?cat=bingbusiness	false	URL Reputation: safe	unknown
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://www.office.com/Office	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://msn.com	data_10.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.65.174	unknown	United States	15169	GOOGLEUS	false
142.250.80.110	unknown	United States	15169	GOOGLEUS	false
23.219.161.132	unknown	United States	20940	AKAMAI-ASN1EU	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
13.107.253.42	s-part-0014.t-0009.fb-t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.217.165.132	unknown	United States	15169	GOOGLEUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
142.250.31.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.7
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501239
Start date and time:	2024-08-29 16:11:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@71/307@12/11
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 42 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 74.125.206.84, 204.79.197.239, 13.107.21.239, 13.107.6.158, 2.19.126.152, 2.19.126.145, 142.250.185.99, 216.58.212.131, 2.23.209.154, 2.23.209.166, 2.23.209.156, 2.23.209.148, 2.23.209.168, 2.23.209.160, 2.23.209.167, 2.23.209.149, 2.23.209.158, 20.103.156.88, 93.184.221.240, 142.250.81.227, 142.250.65.163, 142.251.41.3, 142.251.40.131, 142.251.35.163
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, time.windows.com, arc.msn.com, iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, arc.trafficmanager.net, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, accounts.google.com, bzib.nelreports.net.akamaized.net, fonts.gstatic.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, b-0005.b-msedge.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, edgeassetservice.azureedge.net, azureedge-t-prod.trafficmanager.net, business.bing.com, dual-a-0036.a-m
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
16:12:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
16:12:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
239.255.255.250	https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	Get hash	malicious	HTMLPhisher	Browse
	https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20=	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse
	https://piclut.com/n/?c3Y9bzM2NV8xX29uZSZyYW5kPWNrcHVSM2s9JnVpZD1VU0VSMjkwNzIwMjRVMTgwNzI5MDA=	Get hash	malicious	Unknown	Browse
	Message-ID 08282024 110831 PM.pdf	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://mpcpallc.weebly.com/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA==	Get hash	malicious	HTMLPhisher	Browse
	https://tmx.velsol.com/Reporting/Document.aspx?MasterAgreementID=i1339-005394573&ID=aQAxADMAMwA5AC0AMAAwADUAMwA5ADQANQA3ADMA.	Get hash	malicious	Unknown	Browse
	https://tmx.velsol.com/Reporting/Document.aspx?MasterAgreementID=i1339-005394573&ID=aQAxADMAMwA5AC0AMAAwADUAMwA5ADQANQA3ADMA.	Get hash	malicious	Unknown	Browse
23.219.161.132	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
s-part-0014.t-0009.fb-t-msedge.net	Message-ID 08282024 110831 PM.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	https://security.microsoft.com/url?url=http%3A%2F%2Fwww.galeriaetterem.hu%2Fmodules%2Fbabel%2Fredirect.php%3Fnewlang%3Den_US%26newurl%3Dhttps%3A%2F%2Fmedium.com%2Fm%2Fglobal-identity-2%3FredirectUrl%3Dhttps%3A%2F%2Feuropenicoming.fr%2Fclf%2Findex.html	Get hash	malicious	Unknown	Browse	13.107.253.42
	Play Now_AUD_autoresponse..html	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	https://u46158161.ct.sendgrid.net/ls/click?upn=u001.StSodu0PS4xAHWUBPquyp0biXYNUE1xClPbog2TAE8raqnWa6SPwaz-2FNr-2B87SU-2FQyIyS_uld-2Buw4PU-2FGPIaOUmIz7DITa6GBdygAMshgqPclk0h0kYgb3uUwooEVcuadGUivHcBVltljb2DWDnI0DtwXa4WUtU-2F-2FvAeHYvcXM2-2BBv83Z-2FvmwbeuumMh1Z5k-2FECg-2BuoKbvUWPScbH6gCUtnLvM6PTvgCdxJ54fl4Ak0WXptY6hSyOn4Ut9bFkkoi0la2yqTk8DNzixw1Ob5iaFnAyM-2Fih7YJHjdzegTsK-2FE3ILMrVDSZGLuZH9lRnqW6GTOKHtdqIc-2FntT5tP4RKn726p4NR6pLUT9s66CvxqITqPtJWtNhYCU-2FPxeXNx0GkuN0LHRx-2FdNKG0GZdr0bC9j0Pjs-2FXnnRnqdgtv8wZYJXDkoxJEaAQyqxuvPFTalR6GOwCMI81tUvKFy1JCPPXkJrSD3WCmehjmXta2ZIAwulLGrVA0johq4HIDjvcfR3FTdUfDOGeQ3qWuPb-2BInufkenPhnFCb6wG1pHwnffLr-2BwxuKVUDRhkFo6e3bF-2FnoM5jNNc6BwpMEsUzOOmhMDTsSGLiESbixxqGxuPwu5ChErGyrJShlw03Ga2rgrEnascDQjkHDgZtt612RrKiTLy6SP7jnqItyY8bmlP9lXAi6tLSJIiY26HAMsSCUfoyBX90JFr-2BaIAIRH9xWFWuigMpCEgyFH7hIDBo5XwQfpEKUGGOoUsuz-2Bp0cY-2Fx1Y7QAxb957hycIdWZPqzMWwTfMqqR6m4I07hAHcvy6Fh7AOYisdq-2BBYXnEHKdqNzU433XYfxYVw7b1xlTFN6Z1pP-2B5h3-2BT8R2319TDIw43xDAC-2FY2AAbLNBYwJC8Y6a-2Brg9Xwlkud8-2FKpmfEsVuyLDSS8fVYSheyXmQ-3D-3D	Get hash	malicious	Unknown	Browse	13.107.253.42
	https://k9xy.olimidem.com/QiA7/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	Listen____Now_AUD__autoresponse.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	email_2024-08-08_093556_00 (2).mht	Get hash	malicious	Coinhive, Xmrig	Browse	13.107.253.42
	orden_8676787969.xlam.xlsx	Get hash	malicious	Unknown	Browse	13.107.253.42
	jVPxoykH1b.exe	Get hash	malicious	AgentTesla	Browse	13.107.253.42

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Page1.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	0Subtitle Edit.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	0Subtitle Edit.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20=	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	188.114.96.3
	https://piclut.com/n/?c3Y9bzM2NV8xX29uZSZyYW5kPWNrcHVSM2s9JnVpZD1VU0VSMjkwNzIwMjRVMTgwNzI5MDA=	Get hash	malicious	Unknown	Browse	104.21.92.125
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA==	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://tmx.velsol.com/Reporting/Document.aspx?MasterAgreementID=i1339-005394573&ID=aQAxADMAMwA5AC0AMAAwADUAMwA5ADQANQA3ADMA.	Get hash	malicious	Unknown	Browse	104.17.24.14
AKAMAI-ASN1EU	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.57
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.9
	5qckfVuvzX.exe	Get hash	malicious	RHADAMANTHYS	Browse	172.236.107.96
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.42
	https://emp.eduyield.com/el?aid=28gedda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/spesbonaconstruction.com/.css/Gb1K92P0/di5hbmRyaWVpZXZhQGdtcy13b3JsZHdpZGUuY29t$%C3%A3%E2%82%AC%E2%80%9A	Get hash	malicious	HTMLPhisher	Browse	172.233.33.244
	https://d4g6kw04.na1.hubspotlinks.com/Ctc/I9+113/d4G6KW04/VVDXvw2129f7W9lgpSl3-BQgwW4125np5kh8PvN1n_9Xx5kBl-W50kH_H6lZ3lBW5xCLbK6c416cW6G0HMx6QhV7VVrZqSG3HBKSjV6wDNg4ZyZn6W7_FTpm1dqZm4W723tVM4rftccW3vWlSp1wGvTJW2zXXwV1X740xN1t2gyvnMRlqW7JdFVP1Ty-FHN3Fp_ww3m7TdW66_q2r1Q3VwtW7Dpks077Qf8bM1V49whQ40NW6RphCp8kpt1HV_HZcV84HKmBW5lF7ZC61FD66W73XZV57GJ9ZkVDMN0b9hXGx2W8dysfm3qm-8VMZTWKPM6VCVW6l8ws98dhwKqW4Z2gzl8fZ601N7pH1zqJ5vZ5N90-353vPlZ7VD24xR8Rht6PVyTztF65g6ScN24XQrJRlvxMW20qlrM4TTNP7W6Lc5vQ43Pq7NW32bHwR84HFLgVgWx3d5S85nlf8gcVNq04	Get hash	malicious	Unknown	Browse	88.221.110.227
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	23.197.127.21
MICROSOFT-CORP-MSN-AS-BLOCKUS	SecuriteInfo.com.Linux.Siggen.9999.6015.2041.elf	Get hash	malicious	Mirai	Browse	20.41.197.130
	SecuriteInfo.com.Linux.Siggen.9999.16227.30183.elf	Get hash	malicious	Mirai	Browse	20.46.111.111
	Message-ID 08282024 110831 PM.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.73
	http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://sesh-gangrene.shop/	Get hash	malicious	HTMLPhisher	Browse	20.190.159.0
	https://set.page/cdtautomotive/	Get hash	malicious	Unknown	Browse	13.107.246.60
	SBSLMD5qhm.msi	Get hash	malicious	Metasploit	Browse	23.98.101.155
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.42

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://elc-path.com/pdfglobal2/docs89q9eqwwe/login.php#wa=wsignin1.0&rpsnv=13&ct=1539585327&rver=7.0.6737.0&wp=MBI_SSL&wreply=https%3a%2f%2foutlook.live.com%2fowa%2f%3fnlp%3d1%26RpsCsrfState%3d715d44a2-2f11-4282-f625-a066679e96e2&id=292841&CBCXT=out&lw=1&fl=dob%2cflname%2cwld&cobrandid=90015	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27 51.104.136.2 51.124.78.146 20.190.159.64
	https://gocloud.co.ke/ShareDocu.php/?email=cmFjaGVsakBjb21wbHl3b3Jrcy5jb20=	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	13.85.23.86 184.28.90.27 51.104.136.2 51.124.78.146 20.190.159.64
	https://piclut.com/n/?c3Y9bzM2NV8xX29uZSZyYW5kPWNrcHVSM2s9JnVpZD1VU0VSMjkwNzIwMjRVMTgwNzI5MDA=	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 51.104.136.2 51.124.78.146 20.190.159.64
	Message-ID 08282024 110831 PM.pdf	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27 51.104.136.2 51.124.78.146 20.190.159.64
	file.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 51.104.136.2 51.124.78.146 20.190.159.64
	https://mpcpallc.weebly.com/	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 51.104.136.2 51.124.78.146 20.190.159.64
	file.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 51.104.136.2 51.124.78.146 20.190.159.64
	output.lnk.download.lnk	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 51.104.136.2 51.124.78.146 20.190.159.64
	http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA==	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27 51.104.136.2 51.124.78.146 20.190.159.64
	https://tmx.velsol.com/Reporting/Document.aspx?MasterAgreementID=i1339-005394573&ID=aQAxADMAMwA5AC0AMAAwADUAMwA5ADQANQA3ADMA.	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 51.104.136.2 51.124.78.146 20.190.159.64

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.586172420998677
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afzEV/T0JvekHB+JMdrxJvBkToRfiaJkXEycYxwlR5NXlB0:Xq8NkC1fzEV8vBBfXv2QfLJkbcY+H1q
MD5:	7DAA7886652996A5C3F64A5CFC6634D8
SHA1:	256F7B51508CA8F202B7C5C8F3879FF3FDC6FEEE
SHA-256:	299A99C5CDABF9A5909A91FD78B630E396912C7F601BEF92AF0CF94A7740AE4F
SHA-512:	94324ACF9DDEACFC27287F4295157B6F84DBB9E27FA213211DA7B3E3CE99E8DF176A6501330BD8546A234B9F913868ECF4CDC53D2D0BD2A23D7686FA6CE74133
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"policy":{"last_statistics_update":"13369414315327566"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\0c7c2aac-283f-4a71-8a53-8a250ed30171.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24102
Entropy (8bit):	6.054608420875861
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NluNhKqdaVEQYuzg95Wxp+Mh0lkdHd5qX:LMGQ7FCYXGIgtDAWtJ4nbhlQYuzg95Wi
MD5:	CAA9B82D4023C12764C1AD2EA914306C
SHA1:	9026954B9FC39D0E3A258E7F4B6562F435AEF7B3
SHA-256:	FB83CD9995C9196CC0017422B98E497C4BE1D5899B657BB2D166873223B564C7
SHA-512:	98018EDA8661905612F63C8A32B77FEA003A2512F114F1A09BCA2ED5941820E599378A6D8FB43B1C6ECC17B61AD7EDFEDDA62E9516E92AD13E5D813626BA3187
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\14bf73ce-ddca-4671-93fc-5830a585a006.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20787
Entropy (8bit):	6.06535404279071
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSuN34bE+Mh0lkdHd5qX:LMGQ7FCYXGIgtDAWtJ4nm34bkh02td4
MD5:	173318227EFC4A861BBB810490BC1C6A
SHA1:	52C12B5AAFEA5A6987E4876D18A8F38E1DE4D8C1
SHA-256:	EB457AA3276D8FE37762A70C5117E11E5010485EB0976087275B99D40B49B19A
SHA-512:	F64FCEBA45CDEBE66DF1ABE89B3D88E89642BC61CA8B64810B2E10F50293756508736A70E977F2D4453BF88A128C03C111B456F929FD8BEBAAD8AF20770A9E26
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\3b6886d4-c45c-4818-9a80-c24ca1c68f49.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70920
Entropy (8bit):	6.072154154083686
Encrypted:	false
SSDEEP:	1536:LMGQ5XMBGJlPIkt3QedJ0noL1o7rnJr4Umj1tpKtQYuz0WxVg:LMrJM8bAkt3ND0noWfnGUU1tpUQYuz0z
MD5:	9B1286BFBAF39DA4B966F7EEC25580FF
SHA1:	0538BC9E95EFA6B742BBC0C17E38E6894943AF19
SHA-256:	98CD59C8EBD52F13514D01C0563EF39C85EE489E8BB593CAD690E3CAD8CB67AC
SHA-512:	84E02E30BA69A1C67070654C3E785A6C57C213165A21905FCD55C68CAC94E09989B86D2B07F7F6F7B4075A844DDA80BBBD17A5DC46D5C31C48E90ED75438E146
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\561a2f8e-d994-4e78-9946-b6e2dff63a33.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70959
Entropy (8bit):	6.072232541175553
Encrypted:	false
SSDEEP:	1536:LMGQ5XMBGqlPIkt3QedJ0noL1o7rnJr4Umj1tpKtQYuz0WxVg:LMrJM8wAkt3ND0noWfnGUU1tpUQYuz0z
MD5:	2CFF8F74E8FD42461E4C939734D16D07
SHA1:	7B6BC930311A44693FF5004EEF7EA44F9BE23142
SHA-256:	6C65F48C4AB5113E03F06E85C6B65B2E6C490982124911F8852EB9A259924B4D
SHA-512:	D128B0D2F8CC26D676B82EC045B57B1E9B003365D7999E4648B86E17AA5B970F103FB1902822E8AF2787E7FAEB4A3C9FA15D34B19CB006A5A5612B6479D8AF11
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\84de3965-d8e5-4118-ada7-7032ccf98f58.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4235
Entropy (8bit):	5.495006850210731
Encrypted:	false
SSDEEP:	96:0q8NkGS1fzEV8v58rh/cI9URoDotouXBfXv27+1JkbcPSDS4S4SDSyI4a:/8NBSdgeoDUny+7kbZ
MD5:	6E5D33C85F6E0C78453C87BF29B6A26D
SHA1:	7B701C4629FF1E7FE2509D785244392CD58EA90B
SHA-256:	BA3287AA885CE159D0A806C40548918C3B246101B74F0F970A0EEB72C8BDE543
SHA-512:	54E392CB79B034E27659CC912DFEB316389B69113638068803C1BC0ECA262E85FD55344BDD9FE70CA9975EB71A15F9293ECE3037F91EF6B2A304A1B1A589DCF9
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUI

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\49d57e84-2e88-4eb4-851e-4ed622d0edb0.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.6401569698103895
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7b:fwUQC5VwBIiElEd2K57P7b
MD5:	5B83F91225F50186ABB459230B33DBF0
SHA1:	1C44304A72BF45D8E9C4D2B474D24451F8C4A508
SHA-256:	6D502C546AF1F8B068A44CFB5F457924B9443C3C4AC3314FE2286DDEAAA27E7C
SHA-512:	E824B6FA1B79A807616E4B638B7D0038DFABB3442AF9C5992C78488B44D6A4CAE66F7D97A69CC7DC620C5749CC734C16AB181D6B887F9964A2292FCC7E2FD6CE
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.6401569698103895
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7b:fwUQC5VwBIiElEd2K57P7b
MD5:	5B83F91225F50186ABB459230B33DBF0
SHA1:	1C44304A72BF45D8E9C4D2B474D24451F8C4A508
SHA-256:	6D502C546AF1F8B068A44CFB5F457924B9443C3C4AC3314FE2286DDEAAA27E7C
SHA-512:	E824B6FA1B79A807616E4B638B7D0038DFABB3442AF9C5992C78488B44D6A4CAE66F7D97A69CC7DC620C5749CC734C16AB181D6B887F9964A2292FCC7E2FD6CE
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D081AB-1028.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.040496063672908846
Encrypted:	false
SSDEEP:	192:grUjLYiVWK+ggCdlZJtD+FX9X7okgV8vYhanwNE1bcRQM9SDHn8y08Tcm2RGOdB:cUjjldqynhrcQQDH08T2RGOD
MD5:	4328AA341803053ED7D9CA16E6EA20C2
SHA1:	DA33D14087979DEB8E56AC1609DA0297559CAC76
SHA-256:	7EF6114354D517DF1DA8C4334721000981F23BAB9B6D33E28D0DE53B07ACAF7A
SHA-512:	0C3E965FF0C7D104327AB78435ABCD16A212C7AE8B0F690FB9F8C2D90FD6617CDECEDB20A2CDFCE0CF7440ADADAB23E056CE09C5696E5AA792BB23FEA5512213
Malicious:	false
Preview:	...@..@...@.....C.].....@................a...P..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".oqpbti20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@.................................0..$}.CG....L.T.w..Ucw.}....u.$r....9...>.........."....."...2..."..:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....u.....@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z.......................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D081AB-1C20.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.45070447864122515
Encrypted:	false
SSDEEP:	6144:gBxM5URHtaHSUsxfl3aHTOL05DBWSPdiJmn:CRHsxrD
MD5:	4876136B4E8CA73749B5E6DA48FDDF00
SHA1:	C15042F3C51AEC4EEBE8B8598D71CD54FECC7126
SHA-256:	DFF3797FBBB3542B1A4D2CACC6D494576EA3BDF2B829D09346DB48616534129E
SHA-512:	E397D2E0897234CEE348238E5144A063F7AFE36316DE8807226EACEBEF52708B95D188DED8727B77B342879ECEC31DC3F01C1B89162E638CB4DBE15DD86410DC
Malicious:	false
Preview:	...@..@...@.....C.].....@................2...2..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452....x86_64..?.......".oqpbti20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J....s..^o..J...W..^o..J..,jp..^o..J.......^o..J../T...^o..J...X.p.^o..J.....p.^o..J...c...^o..J...Y...^o..J.......^o..J..w....^o..J...G.Y.^o..J..A....^o..J....c..^o..J...c=..^o..J....J..^o..J...h8..^o..J..3.(..^o..J.......^o..J..!n...^o..J...S@".^o..J.......^o..J.......^o..J...j.8.^o..J..@....^o..J.......^o..J...b.J.^o..J..G....^o..J..8...^o..J...#...^o..J....k..^o..J..S..O.^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.1558095576005165
Encrypted:	false
SSDEEP:	3:FiWWltlMTHup3/HSRqOFhJXI2EyBl+BVP/Sh/JzvGhOU+gRiUImWzlkltl:o1MTeyRqsx+BVsJDGzRpIJlklX
MD5:	D9E5FD0A4AB740770C8B4D305C6EF5B8
SHA1:	15293C5BFD782D02ABEFE4E5D8EABE8A4453A6C8
SHA-256:	C68E9726D732B5703120A58B10DC1FACA40198B285A1E204248BC17CEC89FE37
SHA-512:	CF87A3C791CECB206A9319EC9A34488FF2505409E25F290A044436CF17B634FFEA647BA310A1F3BDC3E5CFB486DE6C4BA4E4BC3654EFF87B3A17AF98C8AE243E
Malicious:	false
Preview:	sdPC.....................:;v.lbK....?."1SCRpGKHAwpF5kOwXUUSc/ojBrTkNG2SgkvqW1WE7kI="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................943a9a4b-419e-4d31-9683-70384478c53d............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\37dbbeb7-4926-4425-81ff-b0e4616429ee.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\8d60c8ca-c206-403e-ab70-b87d44157cf8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\9022b4dc-47f5-4392-89a9-d69b36c87d73.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24800
Entropy (8bit):	5.5660916211837765
Encrypted:	false
SSDEEP:	768:91/sixWPk2fIe8F1+UoAYDCx9Tuqh0VfUC9xbog/OV7mJVxrwKpGtuh:91/sixWPk2fIeu1ja+sVCXtW
MD5:	764C188CAF5F150E99C80EE1F4861CD4
SHA1:	CFA1EDE6137E1D4083E29D14A7DC5034A2F1F69C
SHA-256:	DAEF929533A944E723C0305A360730D1054085471F9259649920B5ED6CBACF7E
SHA-512:	9F3A329520CCE5DB5A503A8945623072CD50A5600E5928F5E38140C8194EDCAFA72FF116AC05E343228ED2FE5730278D9ED09AE96AC58598CA2218467CFF3952
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369414315988872","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369414315988872","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	12600
Entropy (8bit):	5.32110038492396
Encrypted:	false
SSDEEP:	192:NAOEH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNdl:WOEOKSXs/J7mGnQmLu5/5eNdl
MD5:	8131C32E6EEC4CF54BB5C568DED21D15
SHA1:	C8501C4617C0014968DA07CCDC8A02139BED2752
SHA-256:	BF5555AB3BD93EDA879852962A17CC2F2C218A2D6410667C72BCD087DED29156
SHA-512:	23E50218E2EC9D604C57A1000BD0C25EBDDA60ECD20D9760CF3AD0E1B407E4ECE25306365A963EF6D88E15B9BD25E04416299CA049D77BE92EB011F190170F4D
Malicious:	false
Preview:	...m.................DB_VERSION.1.^.[.................QUERY_TIMESTAMP:arbitration_priority_list4...13369414322053292.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}]..A./..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivilegedExperienceID",.. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",.. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",.. "SHOPPING_AUTO_SHOW_BING_SEARCH",.. "SHOPPING_AUTO_SHOW_REBATES",.. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",.. "SHOPPING_AUTO_SHOW_REBATES_DEACTIVATED",.. "SHOPPING_AUTO_SHOW_REBATES_BING",.. "SHOPPING_AUTO_SHOW_REBATES_ORGANIC",.. "SHOPPING_AUTO_SHOW_PRICE_HIST

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.077714242015909
Encrypted:	false
SSDEEP:	6:N5egU8f3B1cNwi23oH+TcwtOEh1ZB2KLlL5egUZCQQ+q2PcNwi23oH+TcwtOEh1b:NHf3PZYebOEh1ZFL1orvLZYebOEh16F2
MD5:	B40FE099017C4FEAAB64467885E4E047
SHA1:	A1FD136600450980605AF5ECF7E455F94E6ACB57
SHA-256:	3F73B64A268EBD65C82958EFF3BCCCDBC94E7E91145CD1925A81F062D319FF26
SHA-512:	2CF4B86B7A461CC17885F8BA935D9C50A0172A5E96F345F544FBFE69F029A8C762B255AA705AF1B80EADFAB2287C86EF0334B553678856F36E436EA48003274B
Malicious:	false
Preview:	2024/08/29-10:12:01.049 22b8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db since it was missing..2024/08/29-10:12:01.191 22b8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.04427860579762155
Encrypted:	false
SSDEEP:	6:/Fii2vebTXWM/lXqcE9R1HbHfeFUhLkllq2MOuH/lQ0/:d/OR17/eFD/q2Mf3/
MD5:	1170FC62B8A25F5CEC0FD84AD7C84A02
SHA1:	069D31D06BF9ECBE30540B9FEEC0B88B4D926928
SHA-256:	90A75672B8F1CADE74D9F19238EC32B402264AD4B396AC244E93878D8BF4F23F
SHA-512:	4EDEFDAE041A3DA1D8A258304EBEB777E5148E1EA85ED676334DE4CDBC704EADABC1FE3CAB0133DC325D843605B28358C3D00491C12512D330B052483B8000B8
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.09548317843052594
Encrypted:	false
SSDEEP:	24:sQ6V4XeaPVHhrLV4XQ3eaPVHaUAPnQzLIoMmHVIRBNUe11ggQzEAwl3aYAYT38E0:aV4Xes5V4A3esrAzNUefKEACDT3lWp4
MD5:	B9FA2359C2ED98930BEFDA90E5A0420C
SHA1:	27C5ACA2D87BEE65DEFBE8F55421CE5B75665F0F
SHA-256:	174C300362D9470D64BF230B8160C22C3A0C5837B21886A5A6477A107BE15B49
SHA-512:	5740FC5BD7C81FF9E7A321120092F6D859F7A51A4A95CCBB86687389B1D64B0671CCCD546D275746F21CEC772F757061C7143A54AA332A9C258EB216526E5157
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.2853230257914889
Encrypted:	false
SSDEEP:	384:2SYJtnmSYJtn8T2x9JthjT2x9Jth5xZJJtL:2SYJtmSYJt8CJt5CJt1PJt
MD5:	836228CA9A7508CF4C74A97A672067E6
SHA1:	D2A50E743AA4F57275691A96762DEC68F43ADA00
SHA-256:	D25DB2EEECA0792B28B29EF80B498D5A9BEE92E038A659146CC41D17E6721A8C
SHA-512:	E037ED6B51F999C6FD1CEDC32968E7A036FA82E064FA3B3CE21FB61481D0A9E51C6DFB8ED1EE2CC993FF90019F373DB79890B5270071ED8F906E7647DE394028
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Fri Aug 2 18:10:34 2024, max compression, original size modulo 2^32 374872
Category:	dropped
Size (bytes):	70207
Entropy (8bit):	7.995911906073242
Encrypted:	true
SSDEEP:	1536:VzseWV/dT2G9zm5w0vgxQUFm6SM6ZYRuB61K+aK+POIwPru:VoNQGIwvs6S9+I6RWPOIwTu
MD5:	9F5A7E038BF08B13BD15338EC7BD4E16
SHA1:	AB69D28EEA9AE289BB86159C341910538CDDE5B9
SHA-256:	BA0BCBBF170ADB0B5119D19D56C2D004579507DFC4A9215BCCC8663C8A486AF8
SHA-512:	48557ECD56DFD2157304FE752E15E44314667EFC79E6C21312723251E4E1F1BF5BE0A76F88F4B4D83FADB9D81BFB1835B1C0E5CFA7B07214A605F58064BB94B1
Malicious:	false
Preview:	.....!.f..asset.....6.0.W..3....[........9m;.....IH.E...j...}.....PR..w.gg.....@.P...?...x....?./.%..Q...x....}..9..e..f.8..Yb@g...i..$...I.......<....k...{..{.Qg..k..q.....i.Y}..._......\?....5 .5 .`..._i'@....H'.f!...x`...f......v.._1w.u.<.........5.:..^.Ua....H6...x....D:.R..L..2.,.s.f.......FE'..%{]-;+.`....N...=\|.:q...9N.k..i.I.8E.i.I.s..Y...8..fe'...Xo...Xo...#.r$N.u2.o.]....^,.k....{E."......Q.N...AY..u.^o.............Z..ce.irN.{.O$.C.......HJ.HJ..J..hOgA.5.nW.\........}E.%-.A."a<..~.[O....~.......xX.G?Y.3O8d8I...&X....V4...0=.iS....].D.L@.YiS...<.W..W+..#mj...p..8^.\U;oV;W`..^..V...G..SC.9.....i%@g.iS=..`..#.H.p.q..E.q...)....).X..M.X.%.,i.%..V..6.nk.@1S@-..Y.6....K.n....:c.My.....h...9..q...f't.iS.v..6D7...d't.iS.v..F.....faG.t.f....lR.J@!l.0O..T.....T2...\.n..-....L..ES.9.:...B..P1@...P.l.fX.aV..Y6.B5......Mt..SS,l..+..J...).i.6......8...:.Z...2.H.8..Z.>.5.Oi..N`:..6.i.n.h.l.e.h.T\.lr...TE+m.T..).D..F..+.6....J...x.`..`.m..H..i....p...v

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulMyb+l:Lseq
MD5:	92124A3C4B1445DA6DA8DF2E3249E25D
SHA1:	50610A77A909CA8F4CA0F7715D228275D6F70158
SHA-256:	9C11514D7895D3ACD6ED239E89195075A09FD4A2D02702535A5AB60427140C6A
SHA-512:	5DBCFC4B5DF9D558F5BE566038863220FFFAFE9837D3612FAA186E1B2465F5098E3D1DA96BC3151BA5CB84F54229BB47303ACE4D2CEAF538B373FA31A687FEB7
Malicious:	false
Preview:	..........................................AWi./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:iqYFXAyEPDk:iqYFXA9PA
MD5:	45FE717B6E760D3E78C0FA8FB43CA828
SHA1:	177C5F07BFDB62DD526897399BA67BB96D2AC2C1
SHA-256:	85D520679CBD7B9C31828F1307CB63EE62F6DBF79F1868B25491E6ACF1130960
SHA-512:	809A90F6D0F0FFB704E578BD39BB870192B76BD912D5AE3AFD757A40E253DEF00F766424137AE6E981FAADA6D206B911DD12DC40C70F9519CBFDC2D7D7594B73
Malicious:	false
Preview:	(.....~yoy retne..........................7Wi./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:iqYFXAyEPDk:iqYFXA9PA
MD5:	45FE717B6E760D3E78C0FA8FB43CA828
SHA1:	177C5F07BFDB62DD526897399BA67BB96D2AC2C1
SHA-256:	85D520679CBD7B9C31828F1307CB63EE62F6DBF79F1868B25491E6ACF1130960
SHA-512:	809A90F6D0F0FFB704E578BD39BB870192B76BD912D5AE3AFD757A40E253DEF00F766424137AE6E981FAADA6D206B911DD12DC40C70F9519CBFDC2D7D7594B73
Malicious:	false
Preview:	(.....~yoy retne..........................7Wi./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:iqYFXAyEPDk:iqYFXA9PA
MD5:	45FE717B6E760D3E78C0FA8FB43CA828
SHA1:	177C5F07BFDB62DD526897399BA67BB96D2AC2C1
SHA-256:	85D520679CBD7B9C31828F1307CB63EE62F6DBF79F1868B25491E6ACF1130960
SHA-512:	809A90F6D0F0FFB704E578BD39BB870192B76BD912D5AE3AFD757A40E253DEF00F766424137AE6E981FAADA6D206B911DD12DC40C70F9519CBFDC2D7D7594B73
Malicious:	false
Preview:	(.....~yoy retne..........................7Wi./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:iqYFXAyEPDk:iqYFXA9PA
MD5:	45FE717B6E760D3E78C0FA8FB43CA828
SHA1:	177C5F07BFDB62DD526897399BA67BB96D2AC2C1
SHA-256:	85D520679CBD7B9C31828F1307CB63EE62F6DBF79F1868B25491E6ACF1130960
SHA-512:	809A90F6D0F0FFB704E578BD39BB870192B76BD912D5AE3AFD757A40E253DEF00F766424137AE6E981FAADA6D206B911DD12DC40C70F9519CBFDC2D7D7594B73
Malicious:	false
Preview:	(.....~yoy retne..........................7Wi./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl5K:Ls35K
MD5:	19344334833F44FFD2A20C64350370B6
SHA1:	067FE5439DEF353FD77A2FB5D94D66C0EC5EDD2E
SHA-256:	1D76B3FBA554660CBB4AC594A6434A87A367912E2985FAF9E9AC83B61A7E8652
SHA-512:	DE5CB71F89CA857DB00EC69CAB5876614C21E7C165D717637B8FF3EC12FCDB4CD1E4069BF2974C888DADBEE05820F66CE9B1B61963A1FDF32ED818A1185FDAB3
Malicious:	false
Preview:	........................................3.BWi./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.354119718370844
Encrypted:	false
SSDEEP:	6144:OA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:OFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	98C2913151D9B5613F969F5AC4FE69C4
SHA1:	4630551ACF6A8621527C802FFD87FBE2476BEC01
SHA-256:	64376B9C06C4AC0B3BC05B5E93C3112E22353A228CE175E8AA8D7EF05421C38E
SHA-512:	B61CEDFF0DFE8CB9234C4AEAA5A3B386EBBF7073EBE0175E31690E1A4EEA79F4F8578A916E497C7A1AA8D263CBD2D721645D472BE609A9F8EB9E1EFC8CA5C61F
Malicious:	false
Preview:	...m.................DB_VERSION.1..."q...............&QUERY_TIMESTAMP:domains_config_gz2...13369414322057847..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.1656941114143144
Encrypted:	false
SSDEEP:	6:N5eg21cNwi23oH+Tcwtj2WwnvB2KLlL5egUwSN+q2PcNwi23oH+Tcwtj2WwnvIF2:NMZYebjxwnvFL1nSN+vLZYebjxwnQFUv
MD5:	A35538D1901FF59268BC764A3367D119
SHA1:	6FB1F5F17DC06C1D67068325160787F2B7D638BA
SHA-256:	70CFCDFBCB61336367BBE657B083FF6DE58F8688B050553A324294E63E99A263
SHA-512:	D59F162EB32CA77B985562CAACC916289836E2EB7B8D3678CF9934F6C4A3E0F62E77007D077C4F9119F0874C96C726620BAD58067EC94A71A5CFF3875911D2D6
Malicious:	false
Preview:	2024/08/29-10:12:00.876 22cc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db since it was missing..2024/08/29-10:12:01.183 22cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358860
Entropy (8bit):	5.324609451927561
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6RY:C1gAg1zfvA
MD5:	D610077B74CBB1E8EE2BBA92E9D62B09
SHA1:	395C997EF777AB9939FC67008AEC2C3D9B815EF3
SHA-256:	04A8EA39678F824571BBE17F9BF7AB06A72CF68BBDA33266A8A917EEDF3040F9
SHA-512:	444DDED951E90D32E25B7E4DD2942B237D8F54C12F315A228192A7CC847789B8AA519922BEB841FAF7FD2227EC939908749013E7851360E34C3D6C49A394D116
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.198497302209774
Encrypted:	false
SSDEEP:	6:N5enB1cNwi23oH+TcwttaVdg2KLlL5eJX2M+q2PcNwi23oH+TcwttaPrqIFUv:NGZYebDL1QGM+vLZYeb83FUv
MD5:	ED5D3BA31C266C8855687B31E944A7FC
SHA1:	E73F18B48896479A03D5FC415CA3C9E5CCDA1B48
SHA-256:	CF8A91ACE186F0FF40E9C5E01B2DA4619D8D85DD64DD74216E68B95A0D16CD8E
SHA-512:	28ED8CD3ABB8597BCB69975402DDC2DA436B3C1628139390F88B0083EA8F441778DCCA6BA289972CD093E31D91D0D230C31CADB13849DA1919D8F834A00D44E7
Malicious:	false
Preview:	2024/08/29-10:11:56.230 1d8c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules since it was missing..2024/08/29-10:11:56.320 1d8c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	305
Entropy (8bit):	5.202417640089638
Encrypted:	false
SSDEEP:	6:N5eJX03B1cNwi23oH+Tcwtt6FB2KLlL5eJRzsMM+q2PcNwi23oH+Tcwtt65IFUv:NQE/ZYeb8FFL1QRgMM+vLZYeb8WFUv
MD5:	AB15664F4AB08DCA4CCA4C701D77E6E9
SHA1:	A1E2719849F82D37D62B4859F35DA7ED23E536AC
SHA-256:	9F628AD01470448BCB3AB91F6CA49124942DA036F197FED7C01EB807EA310F5B
SHA-512:	AA66B6BA19239B2F374A395771B9A558ACA2D75964A49F36D5A4265BC828D600328EB3E1D1D77440F549D04A365DF6DBCF5A7FD5CBDB40B1F2C9CD94C44A9321
Malicious:	false
Preview:	2024/08/29-10:11:56.325 1d8c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts since it was missing..2024/08/29-10:11:56.349 1d8c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.184235725333783
Encrypted:	false
SSDEEP:	6:N5eRn2YSR1cNwi23oH+TcwttYg2KLlL5eRlJyq2PcNwi23oH+TcwttNIFUv:NAYZYebJL1UsvLZYeb0FUv
MD5:	CD40B4CD09D86A009B110BA86E02ADC0
SHA1:	A029D678F502418028D37E8F258EABC47DF2323A
SHA-256:	769D28A971D32837A9181B1E24968527F130509E85C40103DBA07B399395F816
SHA-512:	75E65321C0FF59C54E9C6B5644E30B9DA40DAB32CD20E881E9926ECE8FE5779873D22F7C00049A450C85C55E8DC394C8EF97E9F92F787DB49FDC1180FFD73271
Malicious:	false
Preview:	2024/08/29-10:11:57.757 1d30 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State since it was missing..2024/08/29-10:11:57.778 1d30 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlIKll:Ls3I+
MD5:	27A0BBBF9E61D1BDAEC9A81029ED9941
SHA1:	652A2777A41E89B167005E177E3376DC66EB6F84
SHA-256:	68319C0E09710768CD81EE0242136BDA725A75C2B6D895956B56CBC7EB263801
SHA-512:	0D97053FE5F70F0ECB7A28BD5B7E14BFAC1B9927F5F87A6AC930B2DECAF6400E7B83B69C0658DD5E4F0DEAC9691A97C7C4EC7EDAD8789A832E96D234D4F2FB47
Malicious:	false
Preview:	..........................................AWi./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.21880421027789762
Encrypted:	false
SSDEEP:	3:XvBntFlljq7A/mhWJFuQ3yy7IOWUnrDlQ/dweytllrE9SFcTp4AGbNCV9RUIwX:i75fOBDlQ/d0Xi99pEYO
MD5:	BE1647112A4AE308A6722D0D33C5222A
SHA1:	93D755AF470A3C612AC8D5D088B74673DBDF3359
SHA-256:	831F5AFC84201D3BEAB259DB3C317CB77AE304DFE0FB163A2C02EF4609B8B77A
SHA-512:	468FE6CCB1B7BBD603689086D5B6ABB9794BD7CAE3641B936ED4640EDEF6A4D1A42C6BB51257CDF50D28DD1DA872AEF92409C606DDF5B59AF6992B66605723FC
Malicious:	false
Preview:	...............&...&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	385
Entropy (8bit):	5.203793728772455
Encrypted:	false
SSDEEP:	12:Nn4cZYebRrcHEZrEkVL1mFx9+vLZYebRrcHEZrELFUv:NtYebRnZrEkVL1yxKlYebRnZrEx2
MD5:	3BE7A5AB863C1A469F744481A5074F52
SHA1:	D17FB400F2BB4DFCB4BEFB4F6361B1E76B2802F6
SHA-256:	F4A2CF47559F474186BB0D369639609F41A23E0F350259CEFBE71063427A502F
SHA-512:	68CFC938723A70E0D5D7759D421D9785F36B7FAD1D53CC4BF30AFF51885A3517F0C901F661EFFD8E142254E1E3887FE76FF2E6830618EEE6359765C8B53FD8A1
Malicious:	false
Preview:	2024/08/29-10:11:58.710 1d0c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/08/29-10:11:58.722 1d0c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.222314172082664
Encrypted:	false
SSDEEP:	6:N5eRXuM1cNwi23oH+TcwtRa2jM8B2KLlL5eRDnlyq2PcNwi23oH+TcwtRa2jMGIg:NUu2ZYebRjFL18lyvLZYebREFUv
MD5:	4E31B6B7CF79DC0D512D4A897A649B39
SHA1:	1A34FCB0E7D00F8D689706563C9F302F1A2FE963
SHA-256:	CA4EA6D053BB693575495966D5169C67EA9D39A26D4176CD55CA19C711595690
SHA-512:	FDA22DDA7855B69E29594DD18EBFC1C2A5FE03AE4E7079407AA0237FA5357A026EB2C2332789D4D1F0A1020F93002E6A1CEB34F068F3E8DCA35E5BE60CF7113F
Malicious:	false
Preview:	2024/08/29-10:11:57.164 1e34 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb since it was missing..2024/08/29-10:11:57.344 1e34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\2536c1d8-5d92-428b-9be5-599bd32a16e5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\3f3aec9a-5ef5-4e88-ae53-c4e8ab87301d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF30ade.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.7598613288132904
Encrypted:	false
SSDEEP:	48:TaIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBkBX:uIEumQv8m1ccnvS6iX
MD5:	056E566821D04BB94C46B55284D92E7B
SHA1:	E2E10EBF0047628A12D5BB1105BFE53CE96312E0
SHA-256:	F0625F3F2481F212907F6FBF171B96B90D3F1C84764BF2205D6CD9310F854694
SHA-512:	2BD6EC9CAD132C64B3AA80C0CB7F869D064D3F5214C3681870DC73AA688D7F13023242629A45BBF7BB50C0E7A0F4E14F00D28359E05AC5BF42BED6CB5E29D19F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports~RF1ebd2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\b81c1d8e-0dd8-4f41-832f-31b300894975.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.902189221807403
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDHERW6JfYoR6oJbSpDkYMKWKWMS7PMVKJq0nMb1KKtiVY:YHpo03h6ubSpDd4MS7PMVKJTnMRK3VY
MD5:	176882E2C5301BB3929B39FF4DAB2E4E
SHA1:	B8B8E3C038708D56429C86D9F0FBB832EE6047F1
SHA-256:	2EB4EBEE3CEED5D175975BAED1834CBADC2C8CE1F416ABA18F73BAEC0B8A7C6C
SHA-512:	519A55DA583DA9E56B06BBAA50878C9D9A928F12F64C14AF471A600D24F660640AE0D66274291F8A20D217F545C447FBBF0638A864D822E606AEDCF481EB8CCA
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\bb2425bb-645c-4667-8af0-b1b80aadb196.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\f01bd59a-c76e-40dd-ae05-1a60515b865c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.96666853924346
Encrypted:	false
SSDEEP:	96:stHqfHis1eb9Et26IN8zYys85eh6Cb7/x+6MhmuecmAeVSd2MR/EJ:stHBsPzINk3s88bV+FiABPRMJ
MD5:	245C1D7501D2761D8681425ADB8EEFA1
SHA1:	9DBD98276959B0A8AC13F82F47263B2774F8444D
SHA-256:	FD73EF20F361EA4F5292D46735112196B9802BBE8035D172FA8307E31C7DB24A
SHA-512:	64891FED9759C38F8629A0D5720FFC810AE0DC0B07A58EC57CA15F3226A0CB796EBDBB9455E82C01CAA0F16C1BC33FBE8CE06217E566B2873AE78A50CF22389A
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369414317594441","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369414317593911"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF279e9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.96666853924346
Encrypted:	false
SSDEEP:	96:stHqfHis1eb9Et26IN8zYys85eh6Cb7/x+6MhmuecmAeVSd2MR/EJ:stHBsPzINk3s88bV+FiABPRMJ
MD5:	245C1D7501D2761D8681425ADB8EEFA1
SHA1:	9DBD98276959B0A8AC13F82F47263B2774F8444D
SHA-256:	FD73EF20F361EA4F5292D46735112196B9802BBE8035D172FA8307E31C7DB24A
SHA-512:	64891FED9759C38F8629A0D5720FFC810AE0DC0B07A58EC57CA15F3226A0CB796EBDBB9455E82C01CAA0F16C1BC33FBE8CE06217E566B2873AE78A50CF22389A
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369414317594441","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369414317593911"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF2ef09.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.96666853924346
Encrypted:	false
SSDEEP:	96:stHqfHis1eb9Et26IN8zYys85eh6Cb7/x+6MhmuecmAeVSd2MR/EJ:stHBsPzINk3s88bV+FiABPRMJ
MD5:	245C1D7501D2761D8681425ADB8EEFA1
SHA1:	9DBD98276959B0A8AC13F82F47263B2774F8444D
SHA-256:	FD73EF20F361EA4F5292D46735112196B9802BBE8035D172FA8307E31C7DB24A
SHA-512:	64891FED9759C38F8629A0D5720FFC810AE0DC0B07A58EC57CA15F3226A0CB796EBDBB9455E82C01CAA0F16C1BC33FBE8CE06217E566B2873AE78A50CF22389A
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369414317594441","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369414317593911"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:	3:YVXADAEvTLSJ:Y9AcEvHSJ
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\README

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.2629097520179995
Encrypted:	false
SSDEEP:	3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
MD5:	643E00B0186AA80523F8A6BED550A925
SHA1:	EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
SHA-256:	A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
SHA-512:	D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
Malicious:	false
Preview:	Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.565915606704647
Encrypted:	false
SSDEEP:	768:91/sixWPk2fve8F1+UoAYDCx9Tuqh0VfUC9xbog/OV7mJVxrwVpGtuI:91/sixWPk2fveu1ja+sVCitb
MD5:	64BEF7CEE76A3FCBFCD5DCFB1185614D
SHA1:	36DCD8685882818547ED788E1C3086BEE8E9DC58
SHA-256:	38343D4EA7A07DB2D3AA6441948305D389CD65BF2A8BE7DD875A11700DFC1D58
SHA-512:	D9F7136CC190737CAFF6FC06A5C2751825F4D0E853D32E29A8E9150960FA9A5297F4313D922210043285C55006D0B55FD1FBE4126529FF4AD8D0067BA00F8755
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369414315988872","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369414315988872","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RF24a5d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.565915606704647
Encrypted:	false
SSDEEP:	768:91/sixWPk2fve8F1+UoAYDCx9Tuqh0VfUC9xbog/OV7mJVxrwVpGtuI:91/sixWPk2fveu1ja+sVCitb
MD5:	64BEF7CEE76A3FCBFCD5DCFB1185614D
SHA1:	36DCD8685882818547ED788E1C3086BEE8E9DC58
SHA-256:	38343D4EA7A07DB2D3AA6441948305D389CD65BF2A8BE7DD875A11700DFC1D58
SHA-512:	D9F7136CC190737CAFF6FC06A5C2751825F4D0E853D32E29A8E9150960FA9A5297F4313D922210043285C55006D0B55FD1FBE4126529FF4AD8D0067BA00F8755
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369414315988872","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369414315988872","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.160877598186631
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljl:S85aEFljljljl
MD5:	7733303DBE19B64C38F3DE4FE224BE9A
SHA1:	8CA37B38028A2DB895A4570E0536859B3CC5C279
SHA-256:	B10C1BA416A632CD57232C81A5C2E8EE76A716E0737D10EABE1D430BEC50739D
SHA-512:	E8CD965BCA0480DB9808CB1B461AC5BF5935C3CBF31C10FDF090D406F4BC4F3187D717199DCF94197B8DF24C1D6E4FF07241D8CFFFD9AEE06CCE9674F0220E29
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.15548201066983
Encrypted:	false
SSDEEP:	6:N5efuM1cNwi23oH+TcwtSQM72KLlL5euyq2PcNwi23oH+TcwtSQMxIFUv:Nuu2ZYeb0L1ByvLZYebrFUv
MD5:	0DDB2F0A482A6ECB1F04F612DDC3F6B2
SHA1:	CE56B21834ED5675E088AFA9444604E9DF7A24C4
SHA-256:	89C83ADF9C73E6662655CB1CC1E0F0C2C67603A3CB3127AB56884ADEBA09EE5F
SHA-512:	76EB29C0609444A9C8E6FBB0205A66BF1DF0FF646D9A27341F9B78EE0CA799B219F313C0ADD280CE2E5F3E81F0ECEA4434CD903F8F27F1E5DF9768C262A439DF
Malicious:	false
Preview:	2024/08/29-10:12:13.556 1e34 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage since it was missing..2024/08/29-10:12:13.593 1e34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.099151189829401
Encrypted:	false
SSDEEP:	6:N5e47os1cNwi23oH+TcwtgUh2gr52KLlL5eRwOq2PcNwi23oH+TcwtgUh2ghZIF2:Np7RZYeb3hHJL1lOvLZYeb3hHh2FUv
MD5:	3E4ABD57063A64B147E7B05247DFEB29
SHA1:	0D7F552D3167EBB0250F393D6760EFD7D695BBCC
SHA-256:	61485D4FD7850BA1C4E9888A83AD51E49AF3D28E29A27381230AEB001AF43031
SHA-512:	2431BA1BF0719C33FCC2866F51BBA522AFDFA53381E67BA2BBCF4439AF0DA923F7ECABCD3B2502B7E0F50CCAB891CA92A74EC442FE5D4C4AD232A38C1B32CFDD
Malicious:	false
Preview:	2024/08/29-10:11:56.002 1d10 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database since it was missing..2024/08/29-10:11:57.085 1d10 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:Lsul:Ls
MD5:	3F5F36CB7382E6D51AA038BAEB5B9785
SHA1:	D7DDD6DC70E3E5EF1250D99E2667EE3155193763
SHA-256:	41E0CD26AACE7EC1A40D5395ACA89E758FA855E70155564AF2C2FABEC574F241
SHA-512:	53E3A53F4D1B441703ADFB172703853697BD8469EAD0CD4E2502D3CE87AC768BE217D320C65D1270DEF9C350879D0B165DB8700A1BA3A0FA855143EC2CF5FA03
Malicious:	false
Preview:	.........................................y.Wi./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:xuHFXTEmo+:kHFwC
MD5:	3A1526F2702FC4FACDDFB3AB6EFC2173
SHA1:	0920B500AF20EA00381CD8D0F6F6A9299E582BF0
SHA-256:	9337004D7CF1D5B486E107EE9F4B2CDE9F8EE9E33FAEB35A87B5FCE5EA4F8571
SHA-512:	970DFF1B53731951115129100C4D04E94B68496FE09ABAD32934E9827D1C2FD24E437A1DC25A6D28A52063B7EB039983649AE3C853B585946671C3C91F4B320F
Malicious:	false
Preview:	(......oy retne........................:.BWi./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:xuHFXTEmo+:kHFwC
MD5:	3A1526F2702FC4FACDDFB3AB6EFC2173
SHA1:	0920B500AF20EA00381CD8D0F6F6A9299E582BF0
SHA-256:	9337004D7CF1D5B486E107EE9F4B2CDE9F8EE9E33FAEB35A87B5FCE5EA4F8571
SHA-512:	970DFF1B53731951115129100C4D04E94B68496FE09ABAD32934E9827D1C2FD24E437A1DC25A6D28A52063B7EB039983649AE3C853B585946671C3C91F4B320F
Malicious:	false
Preview:	(......oy retne........................:.BWi./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:SFFQyEWN:So9q
MD5:	18D3924959FBF3B30C8AB360B87D2B1B
SHA1:	4515465FCD531656D93F4E01DE855DB67AAC0BCA
SHA-256:	4D5F646E0D188973FB86EC2F885D03A23A85BC704E605399F832EEF908447716
SHA-512:	064FFB2EA2A28CCE446EA51E9182D6D741E9FECB6847172EF3DF563F74BD1E88F2727E57363E4E644A930F58E51FEA9E967ECEC0DE2E435C3EB8792DE9033B75
Malicious:	false
Preview:	(.... .coy retne..........................BWi./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:SFFQyEWN:So9q
MD5:	18D3924959FBF3B30C8AB360B87D2B1B
SHA1:	4515465FCD531656D93F4E01DE855DB67AAC0BCA
SHA-256:	4D5F646E0D188973FB86EC2F885D03A23A85BC704E605399F832EEF908447716
SHA-512:	064FFB2EA2A28CCE446EA51E9182D6D741E9FECB6847172EF3DF563F74BD1E88F2727E57363E4E644A930F58E51FEA9E967ECEC0DE2E435C3EB8792DE9033B75
Malicious:	false
Preview:	(.... .coy retne..........................BWi./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlwba:Ls3w
MD5:	7F3B525A5D345B1BD2276435F83FA9FF
SHA1:	3C323EF4293AC4F4C7E7109BCEB120E9524D439E
SHA-256:	B0ADD4D27FAF86EEC820071684821F1121262AA76261925A594FB7CEF1A6E9BB
SHA-512:	B49BEAC5F7CD5D2ABDF5A631937713310E7A830B7071347A3AE6145721BF8D94046726621396ED5F1F121B844D29CD6D570CC1A402A48F13BDAB56BC16D12C61
Malicious:	false
Preview:	.........................................tJWi./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl++:Ls3v
MD5:	9A0C94F2C775034490A6B6CE4F7451C3
SHA1:	6340B10B05517672EB1DE3F687AE638FE312778F
SHA-256:	4AC0BF4B8E0623C433FAE4950DA685AD603BAC64CA1793DC557B6ACA9A7EE31B
SHA-512:	F74FD8FB496BD16B7980DB2F23F01510A0E168AF98692314D739550833B0C538AED9FBFA5190445FED69BD72EC90A289E4A95CECADC1680F37EDF92D97313345
Malicious:	false
Preview:	..........................................IWi./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	411
Entropy (8bit):	5.225243445821497
Encrypted:	false
SSDEEP:	6:N5eRhijuM1cNwi23oH+Tcwt0jqEKj3K/2jM8B2KLlL5ebyq2PcNwi23oH+Tcwt0w:NQiju2ZYebqqBvFL1EyvLZYebqqBQFUv
MD5:	190AF942AB51A76BF9C0E6D78B880B2F
SHA1:	E06AF5A95646C10DD939D0B2BFCBA44393050E9B
SHA-256:	12FBCE2D2B00D154BAC9A34EEE55A71AA23401E63CF5A50F6F0D74D5F5941307
SHA-512:	8A0656D77A2663C9531FD6021A004DCEBD26ADBB0934FE9FE12734EB191D472E422670E62E44DF4C362CE19195D6F37D5CF355A63FACEF69E3FB8BE2EB44E5C8
Malicious:	false
Preview:	2024/08/29-10:11:57.736 1e34 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/08/29-10:11:58.141 1e34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\36a43b7d-9e7f-4a2c-93b6-45ce793fbb55.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\7c83cc43-c90e-4783-a39c-ca5e24b9d3be.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF30b2c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\bd5b9bfe-60b9-447d-a21e-1d99f8edd4a1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\e9d804a0-b596-4e53-982a-97a5f55b53e6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.7273991737283296
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
MD5:	9F7EADC15E13D0608B4E4D590499AE2E
SHA1:	AFB27F5C20B117031328E12DD3111A7681FF8DB5
SHA-256:	5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
SHA-512:	88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	399
Entropy (8bit):	5.181818223647076
Encrypted:	false
SSDEEP:	6:N5e1CuM1cNwi23oH+Tcwt0jqEKj0QM72KLlL5emjyq2PcNwi23oH+Tcwt0jqEKje:NVu2ZYebqqB6L1dyvLZYebqqBZFUv
MD5:	E504E50FF27F2287154566A3A3702AF1
SHA1:	A88E1A847DA1DC968560DBC38CD3F67623228D3D
SHA-256:	D92881965F56B338A414CE23FA09AB9FEEC313429BB440AE919AAF5EC59CE770
SHA-512:	4E5B0F8CBBF0C9E845A509E732431E94F2545304E6BACADD7475D9F028EC06A543DDF41BB42175965EE3F5E0723953DBDDE8D8E43CCA714CADB5FB4D5036281F
Malicious:	false
Preview:	2024/08/29-10:12:13.784 1e34 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/08/29-10:12:13.931 1e34 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	305
Entropy (8bit):	5.246278599769065
Encrypted:	false
SSDEEP:	6:N5eTofeERM1cNwi23oH+Tcwtkx2KLlL5eLUH4q2PcNwi23oH+TcwtCIFUv:NGofbR2ZYebkVL1avLZYebLFUv
MD5:	4275ECB320952B230DECA79E7851EA17
SHA1:	3AF1D52D5C9560C3DA203C5B3F768F4E8314F54C
SHA-256:	EF1505BFDDA5AEC6352CD3A99A1B1702233237F5C71FD50D2345811601BC82FE
SHA-512:	DB129FB2AECF22332B29DCF4E1638CFA0F0EAD27DB6250DBB152F0D3613819F608B0C84376BAA25E910A00C7B2CF7A0DABCD7012C18D6003A23BA205BE7E9CF2
Malicious:	false
Preview:	2024/08/29-10:11:55.966 1d04 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB since it was missing..2024/08/29-10:11:56.883 1d04 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002110589502647469
Encrypted:	false
SSDEEP:	3:ImtVl8:IiVS
MD5:	EC29031E665F949FA11D3D0FBAE64799
SHA1:	A9A1DB636AECD5518A56E414D63A1A60DF27D77D
SHA-256:	4A9F1B07BDE7190A2FB9AB7099985EB2B4F781A8635D844FA8B281D5C3FE7D90
SHA-512:	B56F1A5F4C592C2F9C3ABB56E9EF5558AD119255648AF13C8012A125DBDEF40647E465492146C97F3E41A1DCE32654D99C2DAC187A4D2289A020038DD09246E3
Malicious:	false
Preview:	VLnk.....?.........d.\w................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.0768617564890726
Encrypted:	false
SSDEEP:	192:erb2qAdB9TbTbuDDsnxCkO4SAE+WslKOMq+vVumYkGn66:e/2qOB1nxCkO4SAELyKOMq+vVumap
MD5:	A68BC9C19E8016A12E1D7CB5C0B07AE7
SHA1:	31C9846D06F758CC1EF145060285B2CF2D913B5B
SHA-256:	78D60B41D6048A15DADD70644FA0D31BA14569601A7AD4009E5D7506F4018079
SHA-512:	20540776A11FB6E1E8867B19D3E19BC87D0C91C638FC35A1716FA03E0C9C898EC458E7697044F689C648A1C0189E80D29C1477A5B679C802FB5F0438908AB0AE
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\c125c2b1-c172-4fa6-8c2f-61e948aed44a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6432
Entropy (8bit):	4.974885219207433
Encrypted:	false
SSDEEP:	96:stHqfHis1eb9Et26IN8zYys85eh6Cb7/x+6MhmuecmAeV6QH2MR/EJ:stHBsPzINk3s88bV+FiAEPRMJ
MD5:	EB06394CB6B076963DFA7F761F1F4841
SHA1:	D6451741017C23713CEDC5BC9AA63E2569F9FD42
SHA-256:	53B449C9E9AFD9BAF6A816E9E994B1B22DD5D94D59CF668C1B856AA7BDAF6D9B
SHA-512:	B2B67B313371188EC3098BC02861DAD6A9708A206E5C0ECBDF7754AB79A7141784CE3E11E62D02F5401763093774E0B08DDCA6AFD4C669DB4BFEE39B5B64BB1C
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369414317594441","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369414317593911"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\d4225ab9-10cb-4f8e-aa6d-6d6c0c2c698b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6534
Entropy (8bit):	4.9768487038228715
Encrypted:	false
SSDEEP:	96:stHqfHis1eb9Et26IN8zYys85eh6Cb7/x+6MhmuecmAeVeQH2MR/EJ:stHBsPzINk3s88bV+FiA0PRMJ
MD5:	9CCF840C0AC06C7123C2CED8A18C9E41
SHA1:	AED48262D30384DFCD33926063BDDE3FD74D9093
SHA-256:	D4A9E6C1B0406C6A2EBAFA2A7D2F5E591B730BDB082F78849CE752DDCA371F73
SHA-512:	4B945262B82FCEADE8EF5D1293398582255A855AD690EEA212244CFC5F421C25808C3CE063A323B546A0864A38F82091D7A365137D67F931F53223A4621E7741
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369414317594441","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369414317593911"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\d62e6443-8d8f-4b2f-9dad-41d17552b695.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.96666853924346
Encrypted:	false
SSDEEP:	96:stHqfHis1eb9Et26IN8zYys85eh6Cb7/x+6MhmuecmAeVSd2MR/EJ:stHBsPzINk3s88bV+FiABPRMJ
MD5:	245C1D7501D2761D8681425ADB8EEFA1
SHA1:	9DBD98276959B0A8AC13F82F47263B2774F8444D
SHA-256:	FD73EF20F361EA4F5292D46735112196B9802BBE8035D172FA8307E31C7DB24A
SHA-512:	64891FED9759C38F8629A0D5720FFC810AE0DC0B07A58EC57CA15F3226A0CB796EBDBB9455E82C01CAA0F16C1BC33FBE8CE06217E566B2873AE78A50CF22389A
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369414317594441","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369414317593911"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\e494023f-fd44-4c24-9d31-9683ef41e0fe.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.565915606704647
Encrypted:	false
SSDEEP:	768:91/sixWPk2fve8F1+UoAYDCx9Tuqh0VfUC9xbog/OV7mJVxrwVpGtuI:91/sixWPk2fveu1ja+sVCitb
MD5:	64BEF7CEE76A3FCBFCD5DCFB1185614D
SHA1:	36DCD8685882818547ED788E1C3086BEE8E9DC58
SHA-256:	38343D4EA7A07DB2D3AA6441948305D389CD65BF2A8BE7DD875A11700DFC1D58
SHA-512:	D9F7136CC190737CAFF6FC06A5C2751825F4D0E853D32E29A8E9150960FA9A5297F4313D922210043285C55006D0B55FD1FBE4126529FF4AD8D0067BA00F8755
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369414315988872","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369414315988872","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:	3:lSWFN3sl+ltlMWll:l9Fys1M
MD5:	A8E75ACC11904CB877E15A0D0DE03941
SHA1:	FBEE05EA246A7F08F7390237EA8B7E49204EF0E0
SHA-256:	D78C40FEBE1BA7EC83660B78E3F6AB7BC45AB822B8F21B03B16B9CB4F3B3A259
SHA-512:	A7B52B0575D451466A47AFFE3DCC0BC7FC9A6F8AB8194DA1F046AADA0EDDCCA76B4326AA9F19732BA50359B51EC72896BB8FA2FC23BAA6847C33AB51218511A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28499812076190567
Encrypted:	false
SSDEEP:	3:7FEG2l/3DMXlFll:7+/l/3Q
MD5:	AFD26A743D95234979A7A17AF5FD86D6
SHA1:	D8576214B4D3C1AA246E496CE3967BE40CD7AA37
SHA-256:	66436502F8A4472E9E1EE0C65982E70E0D85EB09B853D850569A20A14EA98F00
SHA-512:	54BDFB3D49BA7BBB6B3EB83DFDCD81D9DA3D5FFA95A00074CE856189B647EF3D3194ADB7035A01256E1DC15CD4560D50065DD28B23DDF5F42E093F7F40D372F8
Malicious:	false
Preview:	.... .c........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.05010601478646411
Encrypted:	false
SSDEEP:	6:GLW0J+SBzsW0J+SBztCL9X8hslotGLNl0ml/XoQDeX:aQSFyQSFt6GEjVl/XoQ
MD5:	17716A418C4E111F61549CE82DDE5C8C
SHA1:	2E2EE9D877A10FDF02623A9D5A4182510A003D74
SHA-256:	8AB91EE33C734A5DEAE10C25370DEC29DD0FC4707E4FCD5D258F6880B70F223A
SHA-512:	1DB6B8541317A342F3A4656BD98DDB446BEC4934CFDCB99BD13CBD50AD416D9FCE3A90C2CF12F4FA6E5750EF8F4F8D6F300E946278BB11B2DF9AB8E33DF628C9
Malicious:	false
Preview:	..-.....................E.%h.hy..6.w..0..su+.....-.....................E.%h.hy..6.w..0..su+...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	70072
Entropy (8bit):	0.9993828233353846
Encrypted:	false
SSDEEP:	48:Qkzxb+lO+URcbX+Gn9VAKAFXX+sF2VAKAFXX+hyxOqVAKAFXX+aHnUYVAKAFXX+n:QMxae/NssDNsaO5Nsa2NsNV
MD5:	80A21CF916A1073D66D3D3556BDEEF3B
SHA1:	0D5BD68EA4736686813AB1BB1FD431CCE055267F
SHA-256:	7DB54D11FC5C59B49BAF75B14E1DFE215708F6EB7243787F4BA5BA132DAE9E50
SHA-512:	E79885370A7712B5039E9D8C6923FF1EB861830FDE954B1C5B184C2A1D221ACAD39AAA4654AC938EBD762CCA86674FAF4A5ACC8E4DFE3F84E045E8560BD291ED
Malicious:	false
Preview:	7....-...........6.w..0L~9.5............6.w..0.9p....SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1566
Entropy (8bit):	5.495372812417272
Encrypted:	false
SSDEEP:	48:gk8wSBSoQmPJHRHlxTIYjIYVzVqkEMYjMYzyGAlkfAlkq3:q0oQAIYjIYVzVbEMYjMYzYcYH3
MD5:	A70B6AC3322700FC00C3CB02457A6ABD
SHA1:	6B8908528A0F925869E30AED806F72A7C10C773E
SHA-256:	4B9C60C20C00B8949D7FA67809F370A2FA1ABFB1FBFFD0BC4D18E1C849340F57
SHA-512:	E54D20F0F22E986E3198CD95E9FF36291344CB2A04AD6A93530A5AC9260B0AE3832ED3A0332342189B20E412E3D29C5D171C4982A4C1473D821D37C5297AB45E
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..&f...................................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel.....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch......4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton.....&4_IPH_FocusHelpBubbleScreenReaderPromo.$IPH_FocusHelpBubbleScreenReaderPromo......4_IPH_GMCCastStartStop...IPH_GMCCastStartStop......4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode......4_IPH_LiveCaption...IPH_LiveCaption......4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage....."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch.....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeature......4_IPH_PriceTrackingChipFeature"..IPH_PriceTrackingChipFeature.....&4_IPH_PriceTrackingEmailConsentFeature.$IPH_PriceTrackingEmailConsentFeature.....-4_IPH_PriceTrackingPageActionIconLabelFeature1.+IPH_PriceTrackingPageActionIconLabelFe

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.263681195115732
Encrypted:	false
SSDEEP:	6:N5eRuBc81cNwi23oH+Tcwt0rl2KLlL5eRj+q2PcNwi23oH+Tcwt0rK+IFUv:NSGZYebeL1a+vLZYeb13FUv
MD5:	4A885B03D3754984C5134E6510EE5875
SHA1:	6816C39555CBE550EC2550C72FAFE0F86E39B76B
SHA-256:	5FF35EC41C4CEB62A0C3CE16595C11AFC83CCFF3B56E7F96AAD086050662F748
SHA-512:	A728A1283247260EF361FBAE01EEF69F158D0CF79A6A0DB4513B659CFEAE8F767AAE77751660DC04CD7EE798C5986837B9C1E9DE1DF4A202BC1BEDDF8F1AE29A
Malicious:	false
Preview:	2024/08/29-10:11:57.284 1d3c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db since it was missing..2024/08/29-10:11:57.296 1d3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	729
Entropy (8bit):	3.958141412815535
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Wui+it/4JbZfPStub/RG0lbANqa:G0nYUtypD3RXi6FZfc25m
MD5:	FBC524D02048C176A0A5D1B8B752932A
SHA1:	294C48557549A4C978326D9B7969E293A024F157
SHA-256:	F3FC95AE128DB918FC126F15CD9D96618482BA6ACCC622AAA19B10CE80B15EA0
SHA-512:	9B6434442E11610B8B5DDA43AA56656599925C9C8F0A364DDB69D15B37A912D223EE600012468E0DB723CAF3546FFBDF56F085A0159EA7968BBACE894AAFF856
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....!....................3_.....n.b..................4_.........................37_.......`.................38_.....].$&.................39_.....4.9..................20_......R...................20_.......1..................19_......(...................18_.....:.=..................3_......W2..................4_.....)..>.................37_..........................38_.....h.#..................39_.....P"...................9_.........................9_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	319
Entropy (8bit):	5.2028856289992245
Encrypted:	false
SSDEEP:	6:N5eRnc81cNwi23oH+Tcwt0rzs52KLlL5eRUSN+q2PcNwi23oH+Tcwt0rzAdIFUv:NWcGZYeb99L1e+vLZYebyFUv
MD5:	270159320D43E774C3CEE5180BB88AAF
SHA1:	5B861B2C8E5EF3DC84B1B607C53499EA435C3FCF
SHA-256:	912778D5F1601CC473CCE1C3563A18E63DA00D5116E678A75E902AEDBDCD6962
SHA-512:	5ED08AA3EC5CA13A0671E58B31555540E6C518A0EC1EE2EAE3FF736F232DE203CDF906A952A1C066BCFCB0783BA6AEDD1A60A539DE3B89C6648B910779574173
Malicious:	false
Preview:	2024/08/29-10:11:57.270 1d3c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata since it was missing..2024/08/29-10:11:57.281 1d3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl:Ls3
MD5:	ABAD28A26B77AF23F3F8724A212B503A
SHA1:	1B7C8499E86C202CD17750FD5B1B105650188708
SHA-256:	DF53CA65AEBC877B75E7F6CE2B68754840809517A87A4B5C2CF3F42238542742
SHA-512:	628168FC977A793505CA77BE896164E1C87DAD899D50EACB50A666DD27DD7F3D234B7BF78590BB733C1FC626CFD37EE5E594012E229781B93D81E71FE05426BE
Malicious:	false
Preview:	..........................................DWi./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlEaK:Ls3zK
MD5:	DA2582A26701BEBC743CD96B4BD00CFB
SHA1:	40B079E07C63323D994E3E2CB29772E323096704
SHA-256:	44B1FC33B0759E6EEC5B5C2121CB4E7BF83519B5EBCF76CF01086C0A52FFB2EF
SHA-512:	EA0D1A7AEC6D5FB7BE56E4B263BB9C864B6D8C74076A24C27055D18ECA5A4C8A1F4EDF709F9B09FF550218A2D4AB7C25469FCBD5713B29F982BC1E8AB7CE7830
Malicious:	false
Preview:	......................................... IWi./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.545583970369572
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtVEVTNYuNczo3kiGH6yikxJJdXBuBuwBkajNhKTXxRQQRCYfYg:YuBqDPafzEV/T0JwegBzBk4KTgB0
MD5:	2202AA7496E15C71914B8104A435277D
SHA1:	202DDE8D6988189DBA95DB8DCC487784C8EF54F1
SHA-256:	B8BEA27D083B60937DFACF89E45C862745182455CF960E14F55F275A67C820F9
SHA-512:	D818A03E1E030CB861BF26A95A3E991905E082687705DDF02B0A3D1D037E597AA17ACC937F0B47006EFC563A1511B7710B76A30919703594F14A5DEDD4FD1973
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369414315299648","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724940715"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1dc03.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.545583970369572
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtVEVTNYuNczo3kiGH6yikxJJdXBuBuwBkajNhKTXxRQQRCYfYg:YuBqDPafzEV/T0JwegBzBk4KTgB0
MD5:	2202AA7496E15C71914B8104A435277D
SHA1:	202DDE8D6988189DBA95DB8DCC487784C8EF54F1
SHA-256:	B8BEA27D083B60937DFACF89E45C862745182455CF960E14F55F275A67C820F9
SHA-512:	D818A03E1E030CB861BF26A95A3E991905E082687705DDF02B0A3D1D037E597AA17ACC937F0B47006EFC563A1511B7710B76A30919703594F14A5DEDD4FD1973
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369414315299648","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724940715"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1dec2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.545583970369572
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtVEVTNYuNczo3kiGH6yikxJJdXBuBuwBkajNhKTXxRQQRCYfYg:YuBqDPafzEV/T0JwegBzBk4KTgB0
MD5:	2202AA7496E15C71914B8104A435277D
SHA1:	202DDE8D6988189DBA95DB8DCC487784C8EF54F1
SHA-256:	B8BEA27D083B60937DFACF89E45C862745182455CF960E14F55F275A67C820F9
SHA-512:	D818A03E1E030CB861BF26A95A3E991905E082687705DDF02B0A3D1D037E597AA17ACC937F0B47006EFC563A1511B7710B76A30919703594F14A5DEDD4FD1973
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369414315299648","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724940715"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1df01.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.545583970369572
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtVEVTNYuNczo3kiGH6yikxJJdXBuBuwBkajNhKTXxRQQRCYfYg:YuBqDPafzEV/T0JwegBzBk4KTgB0
MD5:	2202AA7496E15C71914B8104A435277D
SHA1:	202DDE8D6988189DBA95DB8DCC487784C8EF54F1
SHA-256:	B8BEA27D083B60937DFACF89E45C862745182455CF960E14F55F275A67C820F9
SHA-512:	D818A03E1E030CB861BF26A95A3E991905E082687705DDF02B0A3D1D037E597AA17ACC937F0B47006EFC563A1511B7710B76A30919703594F14A5DEDD4FD1973
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369414315299648","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724940715"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF2064f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.545583970369572
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtVEVTNYuNczo3kiGH6yikxJJdXBuBuwBkajNhKTXxRQQRCYfYg:YuBqDPafzEV/T0JwegBzBk4KTgB0
MD5:	2202AA7496E15C71914B8104A435277D
SHA1:	202DDE8D6988189DBA95DB8DCC487784C8EF54F1
SHA-256:	B8BEA27D083B60937DFACF89E45C862745182455CF960E14F55F275A67C820F9
SHA-512:	D818A03E1E030CB861BF26A95A3E991905E082687705DDF02B0A3D1D037E597AA17ACC937F0B47006EFC563A1511B7710B76A30919703594F14A5DEDD4FD1973
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369414315299648","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724940715"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF247ad.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.545583970369572
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtVEVTNYuNczo3kiGH6yikxJJdXBuBuwBkajNhKTXxRQQRCYfYg:YuBqDPafzEV/T0JwegBzBk4KTgB0
MD5:	2202AA7496E15C71914B8104A435277D
SHA1:	202DDE8D6988189DBA95DB8DCC487784C8EF54F1
SHA-256:	B8BEA27D083B60937DFACF89E45C862745182455CF960E14F55F275A67C820F9
SHA-512:	D818A03E1E030CB861BF26A95A3E991905E082687705DDF02B0A3D1D037E597AA17ACC937F0B47006EFC563A1511B7710B76A30919703594F14A5DEDD4FD1973
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369414315299648","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724940715"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF2c7ea.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.545583970369572
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtVEVTNYuNczo3kiGH6yikxJJdXBuBuwBkajNhKTXxRQQRCYfYg:YuBqDPafzEV/T0JwegBzBk4KTgB0
MD5:	2202AA7496E15C71914B8104A435277D
SHA1:	202DDE8D6988189DBA95DB8DCC487784C8EF54F1
SHA-256:	B8BEA27D083B60937DFACF89E45C862745182455CF960E14F55F275A67C820F9
SHA-512:	D818A03E1E030CB861BF26A95A3E991905E082687705DDF02B0A3D1D037E597AA17ACC937F0B47006EFC563A1511B7710B76A30919703594F14A5DEDD4FD1973
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369414315299648","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724940715"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF2ef09.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.545583970369572
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtVEVTNYuNczo3kiGH6yikxJJdXBuBuwBkajNhKTXxRQQRCYfYg:YuBqDPafzEV/T0JwegBzBk4KTgB0
MD5:	2202AA7496E15C71914B8104A435277D
SHA1:	202DDE8D6988189DBA95DB8DCC487784C8EF54F1
SHA-256:	B8BEA27D083B60937DFACF89E45C862745182455CF960E14F55F275A67C820F9
SHA-512:	D818A03E1E030CB861BF26A95A3E991905E082687705DDF02B0A3D1D037E597AA17ACC937F0B47006EFC563A1511B7710B76A30919703594F14A5DEDD4FD1973
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369414315299648","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724940715"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF34efc.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.545583970369572
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtVEVTNYuNczo3kiGH6yikxJJdXBuBuwBkajNhKTXxRQQRCYfYg:YuBqDPafzEV/T0JwegBzBk4KTgB0
MD5:	2202AA7496E15C71914B8104A435277D
SHA1:	202DDE8D6988189DBA95DB8DCC487784C8EF54F1
SHA-256:	B8BEA27D083B60937DFACF89E45C862745182455CF960E14F55F275A67C820F9
SHA-512:	D818A03E1E030CB861BF26A95A3E991905E082687705DDF02B0A3D1D037E597AA17ACC937F0B47006EFC563A1511B7710B76A30919703594F14A5DEDD4FD1973
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369414315299648","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724940715"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl0ybKl:Ls30yKl
MD5:	1B5FCDA48C4AEBEF7C895E0DCF0A89E9
SHA1:	D3C14C6FBDE899945BC47F16863FFB5197500FA9
SHA-256:	E5C8D1B9EA6D219B1C34AA9F99227494CFE5095E1316F48B1FA357ED4A16E7F6
SHA-512:	D4B9A7332B4929250D18D417D2E86307858F134C0021F240724CE86BCA1F3B63758C12CE1810E0AD12546A9CD3614D3D5F23B6B78A64448C441E587D10E4446E
Malicious:	false
Preview:	.........................................8.Wi./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.5724312513221195
Encrypted:	false
SSDEEP:	3:kDnaV6bVon:kDYa2
MD5:	5692162977B015E31D5F35F50EFAB9CF
SHA1:	705DC80E8B32AC8B68F7E13CF8A75DCCB251ED7D
SHA-256:	42CCB5159B168DBE5D5DDF026E5F7ED3DBF50873CFE47C7C3EF0677BB07B90D4
SHA-512:	32905A4CC5BCE0FE8502DDD32096F40106625218BEDC4E218A344225D6DF2595A7B70EEB3695DCEFDD894ECB2B66BED479654E8E07F02526648E07ACFE47838C
Malicious:	false
Preview:	edgeSettings_2.0-0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.493433469104717
Encrypted:	false
SSDEEP:	3:kfKbQSQSuLA5:kyUc5
MD5:	3F90757B200B52DCF5FDAC696EFD3D60
SHA1:	569A2E1BED9ECCDF7CD03E270AEF2BD7FF9B0E77
SHA-256:	1EE63F0A3502CFB7DF195FABBA41A7805008AB2CCCDAEB9AF990409D163D60C8
SHA-512:	39252BBAA33130DF50F36178A8EAB1D09165666D8A229FBB3495DD01CBE964F87CD2E6FCD479DFCA36BE06309EF18FEDA7F14722C57545203BBA24972D4835C8
Malicious:	false
Preview:	synchronousLookupUris_636976985063396749.rel.v2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.9904355005135823
Encrypted:	false
SSDEEP:	3:0xXF/XctY5GUf+:0RFeUf+
MD5:	E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:	5AAAC173107C688C06944D746394C21535B0514B
SHA-256:	EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:	837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:	false
Preview:	topTraffic_170540185939602997400506234197983529371

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\c1183a3f-88b5-40c4-8aa5-d11066f5b8a9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20787
Entropy (8bit):	6.065390256126543
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSXN34bE+Mh0lkdHd5qX:LMGQ7FCYXGIgtDAWtJ4nh34bkh02td4
MD5:	016F574620966CA7A0B690F9A5FB92AC
SHA1:	6A29144B234690D53B14628551D6B6CA51C6AFB5
SHA-256:	9D4EA6F9B18715219D39D216969ADF8B3B83297E15F0BB2EE678E0EBAD2ECAC1
SHA-512:	51A640E65B5808E26704FD089198A07164F4CE328B896BC35CEBFF54F8EED3E7F3915C2494F45BC69FDCD18A73CCB15DA620880973C1FCA64039DFB7E3E1CE91
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\d32fd7c3-7908-40bc-8838-84731bd20fe9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.586172420998677
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afzEV/T0JvekHB+JMdrxJvBkToRfiaJkXEycYxwlR5NXlB0:Xq8NkC1fzEV8vBBfXv2QfLJkbcY+H1q
MD5:	7DAA7886652996A5C3F64A5CFC6634D8
SHA1:	256F7B51508CA8F202B7C5C8F3879FF3FDC6FEEE
SHA-256:	299A99C5CDABF9A5909A91FD78B630E396912C7F601BEF92AF0CF94A7740AE4F
SHA-512:	94324ACF9DDEACFC27287F4295157B6F84DBB9E27FA213211DA7B3E3CE99E8DF176A6501330BD8546A234B9F913868ECF4CDC53D2D0BD2A23D7686FA6CE74133
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"policy":{"last_statistics_update":"13369414315327566"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ddac262a-db43-4858-ab07-34634b3aa1ab.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3335
Entropy (8bit):	5.607156989886598
Encrypted:	false
SSDEEP:	96:0q8NkC1fzEV8vlpBfXv27+1JkbcPSDS4S4SDSyI4a:/8Nbdty+7kbZ
MD5:	A4D9CAA16B2C7438F39D900975A4C166
SHA1:	8835EF0B440C1EC51E88966B88CF7E0281FCD880
SHA-256:	C8309B19565825E54A31935B55F3DE19BB3E5BE4AB5353F56AC8A6FD99DD9032
SHA-512:	BAC99EF8FDCF4ED9ADEEECF41ADBE0D57D152D7ECFF9F0E25C144B348D064ED2356EC2B17A03558E041B445D57C8220210964C4F4207131E95374E62CF4BE6E6
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"policy":{"last_statist

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\e1f615a2-3840-4e22-8152-6a0260d66103.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.545583970369572
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtVEVTNYuNczo3kiGH6yikxJJdXBuBuwBkajNhKTXxRQQRCYfYg:YuBqDPafzEV/T0JwegBzBk4KTgB0
MD5:	2202AA7496E15C71914B8104A435277D
SHA1:	202DDE8D6988189DBA95DB8DCC487784C8EF54F1
SHA-256:	B8BEA27D083B60937DFACF89E45C862745182455CF960E14F55F275A67C820F9
SHA-512:	D818A03E1E030CB861BF26A95A3E991905E082687705DDF02B0A3D1D037E597AA17ACC937F0B47006EFC563A1511B7710B76A30919703594F14A5DEDD4FD1973
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADKvEE55n4hTY6J+MK6HuYjEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAACT3w/C0UeJlXLU0COFg3lrRjkj48Gj7WMgTZC/62DIhQAAAAAOgAAAAAIAACAAAAAUEk6k4I3QLBTUnZ5dBO7mjz7aNilri/sf239pq96XYDAAAADcvWD9QcL73sar4UvzSSSA/Dt12uWSJVjvDzSmuYylayrp0aqkoy6caeFo7Wh5vdlAAAAAvHpUjQ/8LgJnSu4QWVtklGfZ19XkpiwA/oA9gK0uaFWR5XGNL4kq5ZzO7K8z6LQGwGVIcktpaY+qMLuUIPoFYw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369414315299648","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724940715"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2953a88a-b0b7-480d-8bdb-f2f9b0df73a2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57676
Entropy (8bit):	6.104100486548827
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yOdPGWv/sxtw+j7VLyMV/YoskFoz:z/0+zI7yO9v/4KoVeZoskG
MD5:	E2B56BF0B54FD841B5869241284829F3
SHA1:	9AFB0F7FB22F9C560CD51381E9B472A7D05E17B3
SHA-256:	37522B7E671BFD03E9B8BC52BF6CF6A62D64079D1FC7F690C826FC0CBCA05129
SHA-512:	A38D6399119A6F98BAB1D8A25392DF2885EECCC330F8BF4828C304DCA4062C55D6B8EA859650E33AB5596AEC1E830459E18400754987011142FE56777BD23E87
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\62a93d97-eb41-49c4-9c2c-2ba80066457b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103070773757535
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yn/PGWv/sxtw97VLyMV/YoskFoz:z/0+zI7yn/v/4KNVeZoskG
MD5:	3888F0D4050D2D94ED4CC8E4611DDBED
SHA1:	6AD0E81F65ED9E16633AC3D030748C0D9D26F275
SHA-256:	1BB46FB0838AD459CABE499AC6DFDC9B5F9DD2B04B44B6E43AEDFD0F20A8EEA5
SHA-512:	66DE5B9308C4D967153D260F14BEED5DFBCA6BBFA5D4FE222F3266926416774C475B3A8E8ED6174C71F821097E2A3BD7D9B00A1553A07D33B9F256FFC89E7455
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66D081BD-87C.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 2048.000000, slope 17753217332035315519916605440.000000
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.1605508748077004
Encrypted:	false
SSDEEP:	1536:f5ZIh/V7pgq82miNKrRGrvbHxTSUe7ELORG:fPIZJpgq70UjbHxTg7ELn
MD5:	A41D13058FBF1E5BC21BD700A85D6D91
SHA1:	A465E1EBB70C65DEA0AB9189CB9CCA6CB7C2EC22
SHA-256:	B549EE995C049AD87FB583FAA8EA85C2B550B7071093B9D22EE67942AA047DD5
SHA-512:	316FEFB237CFF8C4C9036E4B33CF40EADA80B7515D28A21B4E8FFB7F85CEDA53C03920A9F90FDF4C629C5267AC639C876F9A70D175C1B8F06BA7AC3B7A6DC4C6
Malicious:	false
Preview:	...@..@...@.....C.].....@...................P...............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".oqpbti20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@...............................0...w..U].0r........>.........."....."...24.."."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....l....'@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2........9...... .2.........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66D09D26-2570.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.12725273767001033
Encrypted:	false
SSDEEP:	768:f2jtXjjliZpx4vgeRGOZaZ5bBRaptBjyZvCAQzLRGO:f2ZXjxiXxwgeRGGobBRit23QzLRG
MD5:	BA292D31C1960F3758D329F516213AF5
SHA1:	1CA13C9EC46ABEF5499881CE592E33C903AE50F7
SHA-256:	E7FAEADE81FCBDE79E5B1E27521C81456E36E1571035738D6E3075246F6148E4
SHA-512:	C88D2EE58DC7B6280A525005FF1846895A8914C2C1B64F8543FA7D8F17CF197F27EDFB53DEF0F6874D68BEAF0D9EBA303D6FE8A2AD1C253F97E49527F86B5D72
Malicious:	false
Preview:	...@..@...@.....C.].....@................#..................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".oqpbti20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@...............................0...w..U].0r........>.........."....."...24.."."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....l....'@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2................. ....2....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.16517681506792
Encrypted:	false
SSDEEP:	3:FiWWltlrPYjpVjP9M4UcLH3RvwAH/llwBVP/Sh/Jzv/jSIHmsdJEU9VUn5lt:o1rPWVjWZq3RvtNlwBVsJDL7b/3U7
MD5:	C847567DEE0317368C1EC824DE025887
SHA1:	554098F22FEA9282FE1AAB35560849CD6FF546B1
SHA-256:	3CF2B1CBE4F4CCFC640BCF581FD4D9FC84254D2B3839C96EA4909B61AAF28932
SHA-512:	A976744405F6ABEBFB7513A3A6A776680334BB94A9E52AEEFE2B05259BCB3CF9781B1CCDA3655D8AA4C1E923143168F29EF3208F81ABCB93AFF5215ED3798219
Malicious:	false
Preview:	sdPC.....................!...W.F....+F."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................8889edf7-b09d-4a45-9ea5-adabbfd01bb9............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\00eded8c-ed94-40e1-8a8f-1e8f379c2836.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.087538496623932
Encrypted:	false
SSDEEP:	96:stSqKcs1WWbDZQomXKaCvlPm8zDsY5eh6Cb7/x+6MhmuecmAeiMDkCML/EJ:stScswomaNPmkDsY8bV+FiAwkbLMJ
MD5:	63F6DA8530F1FF9179B2668026487380
SHA1:	542BE74CBF9BEE6B9BEDFBF4F8F56D92367A94D6
SHA-256:	F154542503850433F8DBD6A46C12DE68DB9469C5261DE3C1DFA6C82E08AA15B3
SHA-512:	E5ECD300B1B28DCF27ADC4F6C794124F227F63A61B86F6510D3BD910D00E9F457C4E13023A39E31509F5E009FE0A23F3F1F1AA312BC843EDAF58F5E31A04D89E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369414333819219","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369414333718728"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\05c2faef-6de2-41b8-8fdf-b18370b98016.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.567821810024232
Encrypted:	false
SSDEEP:	768:kZHTVuWPbCfTa8F1+UoAYDCx9Tuqh0VfUC9xbog/OV5AwmDrwupWtuJ:kZHTVuWPbCfTau1jaw3m4Tt2
MD5:	6BC990E74DA8E142407A940B5063038F
SHA1:	77070BF52B259722031DD5022E5D2EFF2264630A
SHA-256:	C55AD4DB45D4E04088DFA5CECD107DB3FEE791E6773EBC6197744D964C693CE6
SHA-512:	9A0595536047DC7FEB2F7ED14B25B62D9FB626856029413A70F3F22E496CBBED36838899B85AE031152C5D76D60BCC9874A5157563A6865130F239AA79EB5498
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369414333592883","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369414333592883","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\15f1d167-fe37-424b-9358-2c553ddebafe.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\3953cbd7-e8f9-4997-95dd-da953adec59b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\7347db13-5ff8-46d2-b992-bf3ad22ee39f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7637
Entropy (8bit):	5.086977988862884
Encrypted:	false
SSDEEP:	96:stSqKcs1WbDZQomXKaCvlPm8zDsY5eh6Cb7/x+6MhmuecmAeiMDYCML/EJ:stScslomaNPmkDsY8bV+FiAwYbLMJ
MD5:	9ECB91F58206ACE54A81ADCCE1AC3804
SHA1:	D449A4A4C80F0AA840E364995B335A2BE4103848
SHA-256:	0FE4C2082CB7F83D4F0283C61EE03D20BB7D9152DB51D286D08803722538B05E
SHA-512:	8CD307379EB30026808D93AE9A5008C096373A1B6FDC41B9E03713F0116E87FB29ED510DFD5FA903D98CD4B0E26DE771FE70ED3210EF57E7179F40EA7DF95398
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369414333819219","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369414333718728"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\94de1557-4c8a-4ba5-824c-ddf1e9c9d83c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.242077224589967
Encrypted:	false
SSDEEP:	6:N5wZ4Zq2PcNwi23oH+TcwtnG2tMsIFUt885wZn8XZmw+85wZhkwOcNwi23oH+Tci:NeQvLZYebn9GFUt88eFo/+8e/54ZYebB
MD5:	693DE70BE8D0A2A4A1EB0FC82D6F14B5
SHA1:	32E03CC4A5AD3BD1E1F5FBA43C4D9F73E3D959E9
SHA-256:	7FFCA9D7417C865A8E20F1B557F97010CAC21C5690F7DA16E3A8D3211E431CA4
SHA-512:	808FD486109155E752AEB33184CFF26B8DED70101ACCDFA61ECA5CE02FDDCB164786F8AC2958E78670F9625899BD9C2B68716649329AD0116D4FF0D785E392AD
Malicious:	false
Preview:	2024/08/29-12:09:11.253 2614 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/29-12:09:11.256 2614 Recovering log #3.2024/08/29-12:09:11.257 2614 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.242077224589967
Encrypted:	false
SSDEEP:	6:N5wZ4Zq2PcNwi23oH+TcwtnG2tMsIFUt885wZn8XZmw+85wZhkwOcNwi23oH+Tci:NeQvLZYebn9GFUt88eFo/+8e/54ZYebB
MD5:	693DE70BE8D0A2A4A1EB0FC82D6F14B5
SHA1:	32E03CC4A5AD3BD1E1F5FBA43C4D9F73E3D959E9
SHA-256:	7FFCA9D7417C865A8E20F1B557F97010CAC21C5690F7DA16E3A8D3211E431CA4
SHA-512:	808FD486109155E752AEB33184CFF26B8DED70101ACCDFA61ECA5CE02FDDCB164786F8AC2958E78670F9625899BD9C2B68716649329AD0116D4FF0D785E392AD
Malicious:	false
Preview:	2024/08/29-12:09:11.253 2614 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/29-12:09:11.256 2614 Recovering log #3.2024/08/29-12:09:11.257 2614 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF24358.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.242077224589967
Encrypted:	false
SSDEEP:	6:N5wZ4Zq2PcNwi23oH+TcwtnG2tMsIFUt885wZn8XZmw+85wZhkwOcNwi23oH+Tci:NeQvLZYebn9GFUt88eFo/+8e/54ZYebB
MD5:	693DE70BE8D0A2A4A1EB0FC82D6F14B5
SHA1:	32E03CC4A5AD3BD1E1F5FBA43C4D9F73E3D959E9
SHA-256:	7FFCA9D7417C865A8E20F1B557F97010CAC21C5690F7DA16E3A8D3211E431CA4
SHA-512:	808FD486109155E752AEB33184CFF26B8DED70101ACCDFA61ECA5CE02FDDCB164786F8AC2958E78670F9625899BD9C2B68716649329AD0116D4FF0D785E392AD
Malicious:	false
Preview:	2024/08/29-12:09:11.253 2614 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/29-12:09:11.256 2614 Recovering log #3.2024/08/29-12:09:11.257 2614 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.206422651926535
Encrypted:	false
SSDEEP:	6:N5ecgqcM+q2PcNwi23oH+Tcwt8aPrqIFUt885ecOJZmw+85ecGqcMVkwOcNwi230:N9gPM+vLZYebL3FUt889I/+89YMV54ZE
MD5:	A69E0A420E5859C6E1BFC2AE70F20038
SHA1:	E5C096E03D03625D1DFEFE52A7CA838B468A95CA
SHA-256:	1EBCAAA72063A015960EDABBDA92C1BD600A4F626D620DF13353DAA707F534AB
SHA-512:	E7B8AF538DFCD27DDF1B2028615CC72C398B15AFF835CC35C2F50BB86CD402A5263FF177FA5BA57CD0EFCAB5F6DA1507E0190C0E4AD1809BDCC05D2799CFDD04
Malicious:	false
Preview:	2024/08/29-10:12:13.650 19fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/29-10:12:13.651 19fc Recovering log #3.2024/08/29-10:12:13.652 19fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.206422651926535
Encrypted:	false
SSDEEP:	6:N5ecgqcM+q2PcNwi23oH+Tcwt8aPrqIFUt885ecOJZmw+85ecGqcMVkwOcNwi230:N9gPM+vLZYebL3FUt889I/+89YMV54ZE
MD5:	A69E0A420E5859C6E1BFC2AE70F20038
SHA1:	E5C096E03D03625D1DFEFE52A7CA838B468A95CA
SHA-256:	1EBCAAA72063A015960EDABBDA92C1BD600A4F626D620DF13353DAA707F534AB
SHA-512:	E7B8AF538DFCD27DDF1B2028615CC72C398B15AFF835CC35C2F50BB86CD402A5263FF177FA5BA57CD0EFCAB5F6DA1507E0190C0E4AD1809BDCC05D2799CFDD04
Malicious:	false
Preview:	2024/08/29-10:12:13.650 19fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/29-10:12:13.651 19fc Recovering log #3.2024/08/29-10:12:13.652 19fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.243665701835572
Encrypted:	false
SSDEEP:	6:N5ectYcM+q2PcNwi23oH+Tcwt865IFUt885ec8JZmw+85ec8cMVkwOcNwi23oH+v:N9t1M+vLZYeb/WFUt889O/+89xMV54Zr
MD5:	7E2CEE74C8FB90B722B24F731C952C08
SHA1:	9974D388B5DAB2260D55DD3C5AE0DB263B981084
SHA-256:	65415FAB9EA4A703EEDCF166FFAAA8A6FD5FDA51F82BF6F6BC4994FACAA0C9A6
SHA-512:	4E24EADA57AA77FF95062BE2B635FE8B35D6F81B01C6452B1DD4D56006F4AE82C815B19492A58292C26CEF1B8AAE50488F8D2C6375D00B51AA2814C341820D16
Malicious:	false
Preview:	2024/08/29-10:12:13.655 19fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/29-10:12:13.657 19fc Recovering log #3.2024/08/29-10:12:13.657 19fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.243665701835572
Encrypted:	false
SSDEEP:	6:N5ectYcM+q2PcNwi23oH+Tcwt865IFUt885ec8JZmw+85ec8cMVkwOcNwi23oH+v:N9t1M+vLZYeb/WFUt889O/+89xMV54Zr
MD5:	7E2CEE74C8FB90B722B24F731C952C08
SHA1:	9974D388B5DAB2260D55DD3C5AE0DB263B981084
SHA-256:	65415FAB9EA4A703EEDCF166FFAAA8A6FD5FDA51F82BF6F6BC4994FACAA0C9A6
SHA-512:	4E24EADA57AA77FF95062BE2B635FE8B35D6F81B01C6452B1DD4D56006F4AE82C815B19492A58292C26CEF1B8AAE50488F8D2C6375D00B51AA2814C341820D16
Malicious:	false
Preview:	2024/08/29-10:12:13.655 19fc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/29-10:12:13.657 19fc Recovering log #3.2024/08/29-10:12:13.657 19fc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.180698823322575
Encrypted:	false
SSDEEP:	6:N5wZX+q2PcNwi23oH+Tcwt8NIFUt885wZ3Zmw+85wZXVkwOcNwi23oH+Tcwt8+ed:NeMvLZYebpFUt88e9/+8eP54ZYebqJ
MD5:	C3C310689F8BBC42004637BB07CBA718
SHA1:	837225ECEAC3FB8BE6A55F5FF90BB66E58A84A63
SHA-256:	7B606739E2FF6B7DC513AADC19DAACB1E9A648908885C8EA616EECC88D68DCB2
SHA-512:	E429EE33A83D0EBE6FBFA0414701547D61BFF09417215A2A6F060B8297DB8997F8FAAACD709A6BEE2BEF0A5E9301B58393CA862DD1B5AD3F037B18F56849EFE5
Malicious:	false
Preview:	2024/08/29-12:09:11.368 2628 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/29-12:09:11.368 2628 Recovering log #3.2024/08/29-12:09:11.368 2628 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.180698823322575
Encrypted:	false
SSDEEP:	6:N5wZX+q2PcNwi23oH+Tcwt8NIFUt885wZ3Zmw+85wZXVkwOcNwi23oH+Tcwt8+ed:NeMvLZYebpFUt88e9/+8eP54ZYebqJ
MD5:	C3C310689F8BBC42004637BB07CBA718
SHA1:	837225ECEAC3FB8BE6A55F5FF90BB66E58A84A63
SHA-256:	7B606739E2FF6B7DC513AADC19DAACB1E9A648908885C8EA616EECC88D68DCB2
SHA-512:	E429EE33A83D0EBE6FBFA0414701547D61BFF09417215A2A6F060B8297DB8997F8FAAACD709A6BEE2BEF0A5E9301B58393CA862DD1B5AD3F037B18F56849EFE5
Malicious:	false
Preview:	2024/08/29-12:09:11.368 2628 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/29-12:09:11.368 2628 Recovering log #3.2024/08/29-12:09:11.368 2628 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old~RF243d5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.180698823322575
Encrypted:	false
SSDEEP:	6:N5wZX+q2PcNwi23oH+Tcwt8NIFUt885wZ3Zmw+85wZXVkwOcNwi23oH+Tcwt8+ed:NeMvLZYebpFUt88e9/+8eP54ZYebqJ
MD5:	C3C310689F8BBC42004637BB07CBA718
SHA1:	837225ECEAC3FB8BE6A55F5FF90BB66E58A84A63
SHA-256:	7B606739E2FF6B7DC513AADC19DAACB1E9A648908885C8EA616EECC88D68DCB2
SHA-512:	E429EE33A83D0EBE6FBFA0414701547D61BFF09417215A2A6F060B8297DB8997F8FAAACD709A6BEE2BEF0A5E9301B58393CA862DD1B5AD3F037B18F56849EFE5
Malicious:	false
Preview:	2024/08/29-12:09:11.368 2628 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/29-12:09:11.368 2628 Recovering log #3.2024/08/29-12:09:11.368 2628 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\371b9dff-8f59-4b15-a9ba-3427ccf9b5a3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\795cf19e-c93f-4a76-baef-caa2c3cb7497.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\842fa3c4-af3d-418f-bfc7-fa9a25cc7e1e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF2451d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF22810.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF2451d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\a90b443a-9305-4f88-9eca-8466c9bdf6e3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\f97bfeca-1b5b-46bd-976a-62104940f0d9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7637
Entropy (8bit):	5.086977988862884
Encrypted:	false
SSDEEP:	96:stSqKcs1WbDZQomXKaCvlPm8zDsY5eh6Cb7/x+6MhmuecmAeiMDYCML/EJ:stScslomaNPmkDsY8bV+FiAwYbLMJ
MD5:	9ECB91F58206ACE54A81ADCCE1AC3804
SHA1:	D449A4A4C80F0AA840E364995B335A2BE4103848
SHA-256:	0FE4C2082CB7F83D4F0283C61EE03D20BB7D9152DB51D286D08803722538B05E
SHA-512:	8CD307379EB30026808D93AE9A5008C096373A1B6FDC41B9E03713F0116E87FB29ED510DFD5FA903D98CD4B0E26DE771FE70ED3210EF57E7179F40EA7DF95398
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369414333819219","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369414333718728"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF24491.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7637
Entropy (8bit):	5.086977988862884
Encrypted:	false
SSDEEP:	96:stSqKcs1WbDZQomXKaCvlPm8zDsY5eh6Cb7/x+6MhmuecmAeiMDYCML/EJ:stScslomaNPmkDsY8bV+FiAwYbLMJ
MD5:	9ECB91F58206ACE54A81ADCCE1AC3804
SHA1:	D449A4A4C80F0AA840E364995B335A2BE4103848
SHA-256:	0FE4C2082CB7F83D4F0283C61EE03D20BB7D9152DB51D286D08803722538B05E
SHA-512:	8CD307379EB30026808D93AE9A5008C096373A1B6FDC41B9E03713F0116E87FB29ED510DFD5FA903D98CD4B0E26DE771FE70ED3210EF57E7179F40EA7DF95398
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369414333819219","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369414333718728"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.567821810024232
Encrypted:	false
SSDEEP:	768:kZHTVuWPbCfTa8F1+UoAYDCx9Tuqh0VfUC9xbog/OV5AwmDrwupWtuJ:kZHTVuWPbCfTau1jaw3m4Tt2
MD5:	6BC990E74DA8E142407A940B5063038F
SHA1:	77070BF52B259722031DD5022E5D2EFF2264630A
SHA-256:	C55AD4DB45D4E04088DFA5CECD107DB3FEE791E6773EBC6197744D964C693CE6
SHA-512:	9A0595536047DC7FEB2F7ED14B25B62D9FB626856029413A70F3F22E496CBBED36838899B85AE031152C5D76D60BCC9874A5157563A6865130F239AA79EB5498
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369414333592883","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369414333592883","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.1596185328298905
Encrypted:	false
SSDEEP:	6:N5wZYKZq2PcNwi23oH+Tcwt7Uh2ghZIFUt885wZYRC9Zmw+85wZYjkwOcNwi23oz:NeyEvLZYebIhHh2FUt88ey09/+8eyj5h
MD5:	303CC1599AF2FD90F34C33794F84F116
SHA1:	488D3B0CC1ABDF212E331025CB0467A251575D22
SHA-256:	392591D361B6160B40AF1574F14A89C8EC6DBF7A834782B1936451054714FA4D
SHA-512:	E95D944A3C61632BD2E3B91525645006E18438334433388EC85D60B79096C3835B83E26F31419F68B2B6477E5591B3CE5B00FAEF120F50C6AE8166AD7E6A29FB
Malicious:	false
Preview:	2024/08/29-12:09:11.243 2614 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/29-12:09:11.244 2614 Recovering log #3.2024/08/29-12:09:11.247 2614 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.1596185328298905
Encrypted:	false
SSDEEP:	6:N5wZYKZq2PcNwi23oH+Tcwt7Uh2ghZIFUt885wZYRC9Zmw+85wZYjkwOcNwi23oz:NeyEvLZYebIhHh2FUt88ey09/+8eyj5h
MD5:	303CC1599AF2FD90F34C33794F84F116
SHA1:	488D3B0CC1ABDF212E331025CB0467A251575D22
SHA-256:	392591D361B6160B40AF1574F14A89C8EC6DBF7A834782B1936451054714FA4D
SHA-512:	E95D944A3C61632BD2E3B91525645006E18438334433388EC85D60B79096C3835B83E26F31419F68B2B6477E5591B3CE5B00FAEF120F50C6AE8166AD7E6A29FB
Malicious:	false
Preview:	2024/08/29-12:09:11.243 2614 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/29-12:09:11.244 2614 Recovering log #3.2024/08/29-12:09:11.247 2614 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF24348.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.1596185328298905
Encrypted:	false
SSDEEP:	6:N5wZYKZq2PcNwi23oH+Tcwt7Uh2ghZIFUt885wZYRC9Zmw+85wZYjkwOcNwi23oz:NeyEvLZYebIhHh2FUt88ey09/+8eyj5h
MD5:	303CC1599AF2FD90F34C33794F84F116
SHA1:	488D3B0CC1ABDF212E331025CB0467A251575D22
SHA-256:	392591D361B6160B40AF1574F14A89C8EC6DBF7A834782B1936451054714FA4D
SHA-512:	E95D944A3C61632BD2E3B91525645006E18438334433388EC85D60B79096C3835B83E26F31419F68B2B6477E5591B3CE5B00FAEF120F50C6AE8166AD7E6A29FB
Malicious:	false
Preview:	2024/08/29-12:09:11.243 2614 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/29-12:09:11.244 2614 Recovering log #3.2024/08/29-12:09:11.247 2614 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.200217969770215
Encrypted:	false
SSDEEP:	6:N5wZ6q2PcNwi23oH+TcwtpIFUt885wZYVSZmw+85wZYVekwOcNwi23oH+Tcwta/o:NeEvLZYebmFUt88eyQ/+8eyY54ZYebaQ
MD5:	34A2082B8E301548A2E90E55D97FC2BB
SHA1:	F4267E4F88BC05F31F3E967D11E08D518D2B26AC
SHA-256:	E622FCE11F3EB957A40C330659211F6442AF80BC44557936FE69703E05AB2C0E
SHA-512:	D5812DCBBF2B433BB3466EFC5735961C750829B726D6AB2D6C096A2F2291D7FE8F83C78D871DE0F66B3941CE696F7228EEBF80B1AE96B95616628E0AF15CDEDC
Malicious:	false
Preview:	2024/08/29-12:09:11.239 2614 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/29-12:09:11.240 2614 Recovering log #3.2024/08/29-12:09:11.240 2614 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.200217969770215
Encrypted:	false
SSDEEP:	6:N5wZ6q2PcNwi23oH+TcwtpIFUt885wZYVSZmw+85wZYVekwOcNwi23oH+Tcwta/o:NeEvLZYebmFUt88eyQ/+8eyY54ZYebaQ
MD5:	34A2082B8E301548A2E90E55D97FC2BB
SHA1:	F4267E4F88BC05F31F3E967D11E08D518D2B26AC
SHA-256:	E622FCE11F3EB957A40C330659211F6442AF80BC44557936FE69703E05AB2C0E
SHA-512:	D5812DCBBF2B433BB3466EFC5735961C750829B726D6AB2D6C096A2F2291D7FE8F83C78D871DE0F66B3941CE696F7228EEBF80B1AE96B95616628E0AF15CDEDC
Malicious:	false
Preview:	2024/08/29-12:09:11.239 2614 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/29-12:09:11.240 2614 Recovering log #3.2024/08/29-12:09:11.240 2614 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF24348.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.200217969770215
Encrypted:	false
SSDEEP:	6:N5wZ6q2PcNwi23oH+TcwtpIFUt885wZYVSZmw+85wZYVekwOcNwi23oH+Tcwta/o:NeEvLZYebmFUt88eyQ/+8eyY54ZYebaQ
MD5:	34A2082B8E301548A2E90E55D97FC2BB
SHA1:	F4267E4F88BC05F31F3E967D11E08D518D2B26AC
SHA-256:	E622FCE11F3EB957A40C330659211F6442AF80BC44557936FE69703E05AB2C0E
SHA-512:	D5812DCBBF2B433BB3466EFC5735961C750829B726D6AB2D6C096A2F2291D7FE8F83C78D871DE0F66B3941CE696F7228EEBF80B1AE96B95616628E0AF15CDEDC
Malicious:	false
Preview:	2024/08/29-12:09:11.239 2614 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/29-12:09:11.240 2614 Recovering log #3.2024/08/29-12:09:11.240 2614 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 9
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1224500839195235
Encrypted:	false
SSDEEP:	384:KdM2qOB1nxCktSAELyKOMq+8HKkjucswRv8p3:Kvq+n0y9ELyKOMq+8HKkjuczRv89
MD5:	CB766C9B54AAC37661533172E04871C9
SHA1:	7CF2E8C74F93251B97D2920E4C752BD749D4544E
SHA-256:	074B45EE68992A767F27D0BE09267383C85FF59EE1D401C6183F6C3FD096D5F9
SHA-512:	F95A7B8B2809629A4E423821C3FCE8D9C49A3AADEDF303D1ED7CF59366EC6C5FF3991814FC37AD4D2DA16AD1CAE2272AE4FCB8AE68002D556D04D94690679A4A
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\d4cc3ac1-49f4-4802-83be-c8ce5c48ec13.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4108834313259155
Encrypted:	false
SSDEEP:	24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8e+ZcI5fc:TnUYVAKAFXX+CcEc
MD5:	8593795778EA3EC8221366AA2FBBA867
SHA1:	2F307D4925183EA13E7BE637CB93ECAF2BA9810A
SHA-256:	F3C17873660988454A5A403D047FCE88379D1FE8917A89C98E6EB940F8929C03
SHA-512:	CC86DD61ACEDA6F2927C4C23CBD6D426F2C8CD1DF65E342C76D07153ACBF801F9B297F8EF182097CBABBDE6A49C90AF0E7A38E49AB53DF3FD2EC2D5BC675099A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049853797302745535
Encrypted:	false
SSDEEP:	6:Gd0VmH0Vw/CL9XCChslotGLNl0ml/XoQDeX:zcU66pEjVl/XoQ
MD5:	B887C3B344F41AE8E5D1C87A1E69FE2E
SHA1:	6E825A7C70667BAAB4BADC6497C14B6A7DC60359
SHA-256:	1DF0A503295E7C7643FE77610E74DDB87EC0CB7C660C21716662AC62C67379FA
SHA-512:	8E7E3C572B88059C6F5EA32605712E87F93FEF85FA28AB0F1247C04B279B4DC0D1D338E6050568282915DE3B509CD957B20C065F77D2345206EA229AC6D60D9B
Malicious:	false
Preview:	..-.....................B..".q.43.-......~.~v}..-.....................B..".q.43.-......~.~v}........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.228219037590192
Encrypted:	false
SSDEEP:	6:N5wZeEAQL+q2PcNwi23oH+TcwtfrK+IFUt885wZeEAGKWZmw+85wZXjGNAQLVkw4:Neo+L+vLZYeb23FUt88eoXW/+8e1jGjU
MD5:	594A66CF4D4FA730813F28B70537D99E
SHA1:	63F7C659E936F37F087525B6E79A495DE536F33B
SHA-256:	4CE7F8B4DE12F4E245A743EFD57C087A0385A9A24A00BBE5BC693FCF01D0F5D3
SHA-512:	2D01D21BE02EBE714B5B20458C72C4D0DA87F8801A1B3C78E2A3A820D22739EDEE2FC185E18DCFB61566C794DE4392DC8F1BCE16671BBB5A228BB8E20625AD66
Malicious:	false
Preview:	2024/08/29-12:09:11.352 25cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/29-12:09:11.352 25cc Recovering log #3.2024/08/29-12:09:11.353 25cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.228219037590192
Encrypted:	false
SSDEEP:	6:N5wZeEAQL+q2PcNwi23oH+TcwtfrK+IFUt885wZeEAGKWZmw+85wZXjGNAQLVkw4:Neo+L+vLZYeb23FUt88eoXW/+8e1jGjU
MD5:	594A66CF4D4FA730813F28B70537D99E
SHA1:	63F7C659E936F37F087525B6E79A495DE536F33B
SHA-256:	4CE7F8B4DE12F4E245A743EFD57C087A0385A9A24A00BBE5BC693FCF01D0F5D3
SHA-512:	2D01D21BE02EBE714B5B20458C72C4D0DA87F8801A1B3C78E2A3A820D22739EDEE2FC185E18DCFB61566C794DE4392DC8F1BCE16671BBB5A228BB8E20625AD66
Malicious:	false
Preview:	2024/08/29-12:09:11.352 25cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/29-12:09:11.352 25cc Recovering log #3.2024/08/29-12:09:11.353 25cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old~RF243c5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.228219037590192
Encrypted:	false
SSDEEP:	6:N5wZeEAQL+q2PcNwi23oH+TcwtfrK+IFUt885wZeEAGKWZmw+85wZXjGNAQLVkw4:Neo+L+vLZYeb23FUt88eoXW/+8e1jGjU
MD5:	594A66CF4D4FA730813F28B70537D99E
SHA1:	63F7C659E936F37F087525B6E79A495DE536F33B
SHA-256:	4CE7F8B4DE12F4E245A743EFD57C087A0385A9A24A00BBE5BC693FCF01D0F5D3
SHA-512:	2D01D21BE02EBE714B5B20458C72C4D0DA87F8801A1B3C78E2A3A820D22739EDEE2FC185E18DCFB61566C794DE4392DC8F1BCE16671BBB5A228BB8E20625AD66
Malicious:	false
Preview:	2024/08/29-12:09:11.352 25cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/29-12:09:11.352 25cc Recovering log #3.2024/08/29-12:09:11.353 25cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	816
Entropy (8bit):	4.0647916882227655
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z32m5t/yVf9HqlIZfkBA//DtKhKg+rOyBrgxvB1ySxs:G0nYUtypD32m3yWlIZMBA5NgKIvB8Sxs
MD5:	3BE72D8D40752B3A97028FDB2931FABA
SHA1:	A27EA4726857A948F0A4B074062B674469A9A371
SHA-256:	3C18553C8C3F7E801855F3579AC57F3C156D783BBA27FB35C6D2FB6CB89BD902
SHA-512:	8EBD4D6980BB7796615217E72BC65953C920B68B9259341CD52858C1E889EC90339E2A304FE0C971D6C6EF9AFC4A00CFB3E5CC89C7B2DF8737A0C7EC241BDADC
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....X...................20_.....W.J+.................19_......qY.................18_.....'}2..................37_.......c..................38_......i...................39_.....Owa..................20_.....4.9..................20_.....B.I..................19_..........................18_.....2.1..................37_..........................38_......=.%.................39_.....p.j..................9_.....JJ...................9_.....\|.&R.................__global... ./....................__global... ..T...................__global... ...G..................__global... ......................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.236839515843916
Encrypted:	false
SSDEEP:	6:N5wZXRNAQL+q2PcNwi23oH+TcwtfrzAdIFUt885wZXRNAGKWZmw+85wZOAQLVkwJ:NenjL+vLZYeb9FUt88enAW/+8emLV540
MD5:	5BE5DC54BEA7053FF88A8D210F35996D
SHA1:	80CE14B71CEE8573C0B8302418C080AF967AB907
SHA-256:	2A4E9945CB1BE413E9C9DF8D1EE5D3BE91C5D8430E87720DF91861F0F7DBFBF7
SHA-512:	72455455119233055E2331A383E031AB5C0AADA4EF8425BD51937A6C3EE5AFE5D1504952AD64BB3DA3A5C7A8EF75703C64CA95494F3F56F20DF1942C0C0D0E87
Malicious:	false
Preview:	2024/08/29-12:09:11.345 25cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/29-12:09:11.345 25cc Recovering log #3.2024/08/29-12:09:11.346 25cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.236839515843916
Encrypted:	false
SSDEEP:	6:N5wZXRNAQL+q2PcNwi23oH+TcwtfrzAdIFUt885wZXRNAGKWZmw+85wZOAQLVkwJ:NenjL+vLZYeb9FUt88enAW/+8emLV540
MD5:	5BE5DC54BEA7053FF88A8D210F35996D
SHA1:	80CE14B71CEE8573C0B8302418C080AF967AB907
SHA-256:	2A4E9945CB1BE413E9C9DF8D1EE5D3BE91C5D8430E87720DF91861F0F7DBFBF7
SHA-512:	72455455119233055E2331A383E031AB5C0AADA4EF8425BD51937A6C3EE5AFE5D1504952AD64BB3DA3A5C7A8EF75703C64CA95494F3F56F20DF1942C0C0D0E87
Malicious:	false
Preview:	2024/08/29-12:09:11.345 25cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/29-12:09:11.345 25cc Recovering log #3.2024/08/29-12:09:11.346 25cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old~RF243b6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.236839515843916
Encrypted:	false
SSDEEP:	6:N5wZXRNAQL+q2PcNwi23oH+TcwtfrzAdIFUt885wZXRNAGKWZmw+85wZOAQLVkwJ:NenjL+vLZYeb9FUt88enAW/+8emLV540
MD5:	5BE5DC54BEA7053FF88A8D210F35996D
SHA1:	80CE14B71CEE8573C0B8302418C080AF967AB907
SHA-256:	2A4E9945CB1BE413E9C9DF8D1EE5D3BE91C5D8430E87720DF91861F0F7DBFBF7
SHA-512:	72455455119233055E2331A383E031AB5C0AADA4EF8425BD51937A6C3EE5AFE5D1504952AD64BB3DA3A5C7A8EF75703C64CA95494F3F56F20DF1942C0C0D0E87
Malicious:	false
Preview:	2024/08/29-12:09:11.345 25cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/29-12:09:11.345 25cc Recovering log #3.2024/08/29-12:09:11.346 25cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103070773757535
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yn/PGWv/sxtw97VLyMV/YoskFoz:z/0+zI7yn/v/4KNVeZoskG
MD5:	3888F0D4050D2D94ED4CC8E4611DDBED
SHA1:	6AD0E81F65ED9E16633AC3D030748C0D9D26F275
SHA-256:	1BB46FB0838AD459CABE499AC6DFDC9B5F9DD2B04B44B6E43AEDFD0F20A8EEA5
SHA-512:	66DE5B9308C4D967153D260F14BEED5DFBCA6BBFA5D4FE222F3266926416774C475B3A8E8ED6174C71F821097E2A3BD7D9B00A1553A07D33B9F256FFC89E7455
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF222d0.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103070773757535
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yn/PGWv/sxtw97VLyMV/YoskFoz:z/0+zI7yn/v/4KNVeZoskG
MD5:	3888F0D4050D2D94ED4CC8E4611DDBED
SHA1:	6AD0E81F65ED9E16633AC3D030748C0D9D26F275
SHA-256:	1BB46FB0838AD459CABE499AC6DFDC9B5F9DD2B04B44B6E43AEDFD0F20A8EEA5
SHA-512:	66DE5B9308C4D967153D260F14BEED5DFBCA6BBFA5D4FE222F3266926416774C475B3A8E8ED6174C71F821097E2A3BD7D9B00A1553A07D33B9F256FFC89E7455
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF22531.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103070773757535
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yn/PGWv/sxtw97VLyMV/YoskFoz:z/0+zI7yn/v/4KNVeZoskG
MD5:	3888F0D4050D2D94ED4CC8E4611DDBED
SHA1:	6AD0E81F65ED9E16633AC3D030748C0D9D26F275
SHA-256:	1BB46FB0838AD459CABE499AC6DFDC9B5F9DD2B04B44B6E43AEDFD0F20A8EEA5
SHA-512:	66DE5B9308C4D967153D260F14BEED5DFBCA6BBFA5D4FE222F3266926416774C475B3A8E8ED6174C71F821097E2A3BD7D9B00A1553A07D33B9F256FFC89E7455
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF226b8.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103070773757535
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yn/PGWv/sxtw97VLyMV/YoskFoz:z/0+zI7yn/v/4KNVeZoskG
MD5:	3888F0D4050D2D94ED4CC8E4611DDBED
SHA1:	6AD0E81F65ED9E16633AC3D030748C0D9D26F275
SHA-256:	1BB46FB0838AD459CABE499AC6DFDC9B5F9DD2B04B44B6E43AEDFD0F20A8EEA5
SHA-512:	66DE5B9308C4D967153D260F14BEED5DFBCA6BBFA5D4FE222F3266926416774C475B3A8E8ED6174C71F821097E2A3BD7D9B00A1553A07D33B9F256FFC89E7455
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF243c5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103070773757535
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yn/PGWv/sxtw97VLyMV/YoskFoz:z/0+zI7yn/v/4KNVeZoskG
MD5:	3888F0D4050D2D94ED4CC8E4611DDBED
SHA1:	6AD0E81F65ED9E16633AC3D030748C0D9D26F275
SHA-256:	1BB46FB0838AD459CABE499AC6DFDC9B5F9DD2B04B44B6E43AEDFD0F20A8EEA5
SHA-512:	66DE5B9308C4D967153D260F14BEED5DFBCA6BBFA5D4FE222F3266926416774C475B3A8E8ED6174C71F821097E2A3BD7D9B00A1553A07D33B9F256FFC89E7455
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF243f4.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103070773757535
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yn/PGWv/sxtw97VLyMV/YoskFoz:z/0+zI7yn/v/4KNVeZoskG
MD5:	3888F0D4050D2D94ED4CC8E4611DDBED
SHA1:	6AD0E81F65ED9E16633AC3D030748C0D9D26F275
SHA-256:	1BB46FB0838AD459CABE499AC6DFDC9B5F9DD2B04B44B6E43AEDFD0F20A8EEA5
SHA-512:	66DE5B9308C4D967153D260F14BEED5DFBCA6BBFA5D4FE222F3266926416774C475B3A8E8ED6174C71F821097E2A3BD7D9B00A1553A07D33B9F256FFC89E7455
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF244a0.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103070773757535
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yn/PGWv/sxtw97VLyMV/YoskFoz:z/0+zI7yn/v/4KNVeZoskG
MD5:	3888F0D4050D2D94ED4CC8E4611DDBED
SHA1:	6AD0E81F65ED9E16633AC3D030748C0D9D26F275
SHA-256:	1BB46FB0838AD459CABE499AC6DFDC9B5F9DD2B04B44B6E43AEDFD0F20A8EEA5
SHA-512:	66DE5B9308C4D967153D260F14BEED5DFBCA6BBFA5D4FE222F3266926416774C475B3A8E8ED6174C71F821097E2A3BD7D9B00A1553A07D33B9F256FFC89E7455
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zEflTRVKll:/M/xT02zh
MD5:	2AC043FFC3FB1489EB37C88AD37E8FC9
SHA1:	F630FBEA845C4A7E82D9CF69129185867D9A804C
SHA-256:	7496563BC0997748A353EEAE2387BAE31553E79B298C47D12B6172C11C10AE47
SHA-512:	58EA541FBDE756B3488E0C9FD3740ECB9153B01CDA6DAA98C2DBDA82130A431A673E3B77006DDA8ABB58182600A5931713DA064F2A85793F96DD83E791191DA0
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQp:YQ3Kq9X0dMgAEiLIj
MD5:	8549C255650427D618EF18B14DFD2B56
SHA1:	8272585186777B344DB3960DF62B00F570D247F6
SHA-256:	40395D9CA4B65D48DEAC792844A77D4F8051F1CEF30DF561DACFEEED3C3BAE13
SHA-512:	E5BB8A0AD338372635C3629E306604E3DC5A5C26FB5547A3DD7E404E5261630612C07326E7EBF5B47ABAFADE8E555965A1A59A1EECFC496DCDD5003048898A8C
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\afa703c6-c00d-4511-87b6-e92eb919061d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57676
Entropy (8bit):	6.104238365271813
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yOYPGWv/sxtwBj7VLyMV/YoskFoz:z/0+zI7yOsv/4KhVeZoskG
MD5:	0DCC3723725E3EDCD554CEF9A27587E3
SHA1:	745B916F9EA8FFC246A81AB53A9174139251671C
SHA-256:	FE5165A044A71733242551D3273FA2CC8A892745FF19C32761C9C215B92FD0C6
SHA-512:	1B63A4A04C5D5D6DF6FA4CF65402DDF7E0C7565735F64174D8D569B06C8EF6763B70949A03F4AC337B9FF0F9C8676AA9F8BE01F0D625BE64E7892916F97D1A0A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\b43f7afc-ee8d-47c1-bff4-f45f25ed87f4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57676
Entropy (8bit):	6.104100486548827
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yOdPGWv/sxtw+j7VLyMV/YoskFoz:z/0+zI7yO9v/4KoVeZoskG
MD5:	E2B56BF0B54FD841B5869241284829F3
SHA1:	9AFB0F7FB22F9C560CD51381E9B472A7D05E17B3
SHA-256:	37522B7E671BFD03E9B8BC52BF6CF6A62D64079D1FC7F690C826FC0CBCA05129
SHA-512:	A38D6399119A6F98BAB1D8A25392DF2885EECCC330F8BF4828C304DCA4062C55D6B8EA859650E33AB5596AEC1E830459E18400754987011142FE56777BD23E87
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\babeeb5e-93c9-4ead-8b0c-e621a3b12e69.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57675
Entropy (8bit):	6.104116379456048
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yOMPGWv/sxtw4j7VLyMV/YoskFoz:z/0+zI7yOIv/4KCVeZoskG
MD5:	F8786EEAD87C84DCFEB24F4894521601
SHA1:	EE92DF5748F9DFAABC2CDEA9297701E734781CE3
SHA-256:	2ADF36BADD0E67DD7BD2E84B90AC2B9214E2F8B5343C5FCD05E41D56B6AB56E4
SHA-512:	B955B99FACCC8F246B59991A99A4AB8C82093A440D21D3EBE2DD9C70E08F0725ADFF3F8B2D997AE2D5AFB1A9A51EBB062CA40DE0C3909987362A5967A931917E
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\c7dce329-7202-4bfd-a3ec-e69240d48fd6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57676
Entropy (8bit):	6.104235876352058
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yOYPGWv/sxtwGj7VLyMV/YoskFoz:z/0+zI7yOsv/4KwVeZoskG
MD5:	1E52BDD89812D73D794A1B1679BAA08C
SHA1:	493B695954A0BC8A9487F41491D0CC41BA15E8B9
SHA-256:	A6BF5F3821FA7EA71DF587821026233CBD7F6086F457D5255A8AEE79D57739CA
SHA-512:	68816595EED077E6270F12A97C8999C80E206A970BB3F2FB3729A1854B55AF46E3872705E2ADFC1F9CAA6E34D753ECB76F7F314A5E742597C9E30D6F21D27694
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\d9b95cc3-f455-4342-b929-18d7844e3d2a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57676
Entropy (8bit):	6.104235876352058
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yOYPGWv/sxtwGj7VLyMV/YoskFoz:z/0+zI7yOsv/4KwVeZoskG
MD5:	1E52BDD89812D73D794A1B1679BAA08C
SHA1:	493B695954A0BC8A9487F41491D0CC41BA15E8B9
SHA-256:	A6BF5F3821FA7EA71DF587821026233CBD7F6086F457D5255A8AEE79D57739CA
SHA-512:	68816595EED077E6270F12A97C8999C80E206A970BB3F2FB3729A1854B55AF46E3872705E2ADFC1F9CAA6E34D753ECB76F7F314A5E742597C9E30D6F21D27694
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8473933206759736
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxjOxl9Il8uMXHCW+MqwWpU//SvaCgn+RS/d1rc:m7YaXHCWzqwLCy+h
MD5:	006BC7911FCCDEB7D23231371AADE658
SHA1:	6F359B6F271D6BA73737B393BB9D8FCE1DC02563
SHA-256:	C5CAB365D23B3661F511098D99C4D2F2EB96DA27289D51B5C5D36B1C87EDC5C6
SHA-512:	F96B283B18C572B2F645A8DEBD575FBAE20DBA5202576C81DBDB105A5A8097DEFD1D73FBEE6FB2B4EC24D6815C61243BB4B32F8F2FB341644E547B3345BCC3BE
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.E.k.o.y.y.X.6.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.y.r.x.B.O.e.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	3.9995064724995406
Encrypted:	false
SSDEEP:	96:BY4l9yYytRvg4b7WOPSk20oylzRgHWGSnPFHKG:BVlQtplbWk7oOdUSnPYG
MD5:	3CDE91EFBCDE78BAB77540BD64C02409
SHA1:	DEC098A98E13BBE00B5F0B4373425065BDF9BF76
SHA-256:	BC8FBA659593190B00AD5DF6004D852CF3315FB2B7D03F22F918683AC957580D
SHA-512:	7FF56DE647158C24C09F0A53D7088B9684761FDCE4FFC59A850A4FA0CF45B6A8F15A855A87579F0E06ABEF5D265E625A4D45035CA7735443CDD25C958647F1AD
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".t.n.A.D.s.R.3.6.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.y.r.x.B.O.e.

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1190
Entropy (8bit):	5.386449566243216
Encrypted:	false
SSDEEP:	24:YK0bl5r75riCe0qW+5Ua02EHP5IKL0jZ5JwbX/B+L0CF1i6e0h:YK0bl5r75riN0qW+5Ua02sP5IKL0jZ5P
MD5:	B2D19AFD9C6B03B6BC9D34487D339D47
SHA1:	5A6F6F5B437867F09616A8C433C3183C9054834C
SHA-256:	ABB4C7E3B092DFE900708D3B9E8BB0BF215CF3874D365002B35912466BDB2536
SHA-512:	66B93507E83AE46917D3E1E68D94099D1E2E99CB397FC1A203F0A1C297215A0C4FCA08826D05BECCF120995964A05E40DF9A893976D0EB4AE624CE0479B37EAF
Malicious:	false
Preview:	{"logTime": "1005/074019", "correlationVector":"Jzai6BfByv5amZ45/NBe5r","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/074027", "correlationVector":"eO8FwRQNRwFtIUhPNa0yBN","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/074027", "correlationVector":"DFCC0B139A2547CAA3433B33892C7FE6","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075031", "correlationVector":"bWXPYvVSVVANvrGBV6dHxn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075032", "correlationVector":"4CD8E3A1D096444AAB77DA6A690C4356","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075123", "correlationVector":"t3DmiSvoNTibe+/mLDIMfl","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075124", "correlationVector":"B2B504519464422FA5C6E610072CF270","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075313", "correlationVector":"/q9eTq3f/ZawbQrLDVWKju","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075314", "correlationVector":"138D0C7D

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\875a60a09683c344.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5114547785582455
Encrypted:	false
SSDEEP:	48:zEvcZ+dOsW8qsJLrMzBdLXuHIkDpR2AR4dOsGqsJLrMzngdLXuHIk+21:vL3uokDG1nIuokz
MD5:	C4F888E49DD4453EF38B99C46B0625C6
SHA1:	65565B3FCA811911FA9DC5296863F91BCE6AF836
SHA-256:	FD6160EA7FC47ECBEE2DFBBB94939CF488E6F7097657DF99D03247A645D6C554
SHA-512:	F31FC7B60AF86840F31E024B08AF37C78B9561539F7B748FC2BBEF85B9E311C72633B005AE3DDF21CCA84E23D734827CE086A8D33E22A90947F49A13F747717C
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...d.Pj.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....EW.>..PROGRA~2.........O.IEW.>....................V...../...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Y}q..........................w.9.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.EW98...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y\|q..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y\|q....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............).].....C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NZ17T7PEODMWQYSOGGJ7.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.511770758418711
Encrypted:	false
SSDEEP:	48:zER4dOsGqsJLrMzBdLXuHIkDpR2AR4dOsGqsJLrMzngdLXuHIk+21:l3uokDG1nIuokz
MD5:	680F022A4ACA6E9392A4B5D2C3DE3849
SHA1:	C67F88FEE7AF011BF27853F4DC016F864271D7A1
SHA-256:	B35B8260F21D0EB73BE0C8F4D3C0B4DDC8CD73EB89D77087A79F20E587E98B4C
SHA-512:	666FE5F3DCB7E8662AB88EA5A9A0BA7A6F345FC7D34CD48E52822489A8D337F6DA14F2E5075E792BCD26340A973D552AE098541A03BC15D06042E5BEEEB91D6C
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...d.Pj.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Yyq..PROGRA~2.........O.I.Yyq....................V......eR.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Y}q..........................w.9.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Y.q...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y\|q..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y\|q....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............).].....C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WTZM9X5V22DTB173P9D1.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5114547785582455
Encrypted:	false
SSDEEP:	48:zEvcZ+dOsW8qsJLrMzBdLXuHIkDpR2AR4dOsGqsJLrMzngdLXuHIk+21:vL3uokDG1nIuokz
MD5:	C4F888E49DD4453EF38B99C46B0625C6
SHA1:	65565B3FCA811911FA9DC5296863F91BCE6AF836
SHA-256:	FD6160EA7FC47ECBEE2DFBBB94939CF488E6F7097657DF99D03247A645D6C554
SHA-512:	F31FC7B60AF86840F31E024B08AF37C78B9561539F7B748FC2BBEF85B9E311C72633B005AE3DDF21CCA84E23D734827CE086A8D33E22A90947F49A13F747717C
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...d.Pj.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....EW.>..PROGRA~2.........O.IEW.>....................V...../...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Y}q..........................w.9.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.EW98...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y\|q..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y\|q....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............).].....C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.511770758418711
Encrypted:	false
SSDEEP:	48:zER4dOsGqsJLrMzBdLXuHIkDpR2AR4dOsGqsJLrMzngdLXuHIk+21:l3uokDG1nIuokz
MD5:	680F022A4ACA6E9392A4B5D2C3DE3849
SHA1:	C67F88FEE7AF011BF27853F4DC016F864271D7A1
SHA-256:	B35B8260F21D0EB73BE0C8F4D3C0B4DDC8CD73EB89D77087A79F20E587E98B4C
SHA-512:	666FE5F3DCB7E8662AB88EA5A9A0BA7A6F345FC7D34CD48E52822489A8D337F6DA14F2E5075E792BCD26340A973D552AE098541A03BC15D06042E5BEEEB91D6C
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...d.Pj.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Yyq..PROGRA~2.........O.I.Yyq....................V......eR.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Y}q..........................w.9.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Y.q...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y\|q..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y\|q....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............).].....C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579762580024858
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	dced9153dcb405dfd6499434ef1d56f2
SHA1:	7bfd2b92028a46e1ee32f52b4ecbd8c6889b9663
SHA256:	74e22f5a723899273ae1cc4e59dd44dc6ab193c05035b297614bdc77a9457411
SHA512:	22990b171e79820892ed1481a76e44df1a972d99b97706f68a32d8d85b2c2deca963c3fcf0a33a2a64e9118ed39cd5af91892f9b13f40ab7541bc0895b2188fe
SSDEEP:	12288:mqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTM:mqDEvCTbMWu7rQYlBQcBiT6rprG8asM
TLSH:	4B159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D07FFD [Thu Aug 29 14:04:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8E78DEDCD3h
jmp 00007F8E78DED5DFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8E78DED7BDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8E78DED78Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8E78DF037Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8E78DF03C8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8E78DF03B1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95c8	0x9600	a8be929d23f5f7358d7d7be62a48b20f	False	0.2869010416666667	data	5.166302236218643	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x890	data			1.0050182481751824
RT_GROUP_ICON	0xdd048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 16:11:51.960463047 CEST	49674	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:11:51.963279009 CEST	49675	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:11:52.101134062 CEST	49672	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:11:52.257791996 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 16:11:52.569880962 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 16:11:53.179363966 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 16:11:54.382293940 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 16:11:56.788602114 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 16:12:00.805913925 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 16:12:01.273838997 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 16:12:01.584868908 CEST	49674	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:12:01.584888935 CEST	49675	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:12:01.701828003 CEST	49672	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:12:01.701854944 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 16:12:02.071804047 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 16:12:03.021950006 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.021989107 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.022075891 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.022087097 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.022104979 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.022135019 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.022409916 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.022422075 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.022569895 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.022579908 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.259541988 CEST	49720	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.259578943 CEST	443	49720	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.259680986 CEST	49720	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.260169983 CEST	49720	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.260185003 CEST	443	49720	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.261568069 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.261590958 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.261655092 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.262300968 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.262309074 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.262370110 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.263467073 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.263480902 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.263780117 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.263792992 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.264102936 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.264111042 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.264158010 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.264288902 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.264302969 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.421140909 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.421175003 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.421253920 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.421741962 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.421761990 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.585619926 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 16:12:03.675501108 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.678617001 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.678642035 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.679781914 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.679861069 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.682554007 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.682626009 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.683228970 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.683235884 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.711502075 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.712085009 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.712096930 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.713176966 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.713246107 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.714000940 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.714063883 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.714952946 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.714958906 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.728473902 CEST	49727	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:03.728518009 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:03.728729963 CEST	49727	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:03.731097937 CEST	49727	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:03.731106043 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:03.740094900 CEST	443	49720	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.740319967 CEST	49720	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.740350962 CEST	443	49720	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.741528988 CEST	443	49720	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.741661072 CEST	49720	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.743185043 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.743453979 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.744201899 CEST	49720	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.744281054 CEST	443	49720	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.744606018 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.744623899 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.744649887 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.744935989 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.744946003 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.745124102 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.745132923 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.745249033 CEST	49720	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.745258093 CEST	443	49720	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.745737076 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.745796919 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.746031046 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.746094942 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.746150017 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.746201038 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.748388052 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.748475075 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.749013901 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.749098063 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.749504089 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.749514103 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.749784946 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.749897957 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.750029087 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.750035048 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.750538111 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.750545979 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.768874884 CEST	49728	443	192.168.2.7	51.104.136.2
Aug 29, 2024 16:12:03.768903017 CEST	443	49728	51.104.136.2	192.168.2.7
Aug 29, 2024 16:12:03.768990040 CEST	49728	443	192.168.2.7	51.104.136.2
Aug 29, 2024 16:12:03.769937038 CEST	49728	443	192.168.2.7	51.104.136.2
Aug 29, 2024 16:12:03.769948959 CEST	443	49728	51.104.136.2	192.168.2.7
Aug 29, 2024 16:12:03.773124933 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.780814886 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.799954891 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.799978018 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.799985886 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.800019979 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.800030947 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.800033092 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.800043106 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.800064087 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.800072908 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.800096035 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.800107002 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.800113916 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.800124884 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.800164938 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.802278996 CEST	49718	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.802289963 CEST	443	49718	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.842694998 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.842715979 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.842722893 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.842736006 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.842741966 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.842745066 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.843758106 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.843779087 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.843825102 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.854979038 CEST	443	49720	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.855041981 CEST	49720	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.855269909 CEST	49720	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.855288982 CEST	443	49720	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.872967958 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.873378992 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.873404026 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.873495102 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.873549938 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.873842001 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.873855114 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.874440908 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.874517918 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.876403093 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.876497030 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.876791954 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.876806021 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.879858971 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.879923105 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.880168915 CEST	49723	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.880177021 CEST	443	49723	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:03.883274078 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.883328915 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.883553028 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:03.883558989 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:03.928759098 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.928780079 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.928843975 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.928863049 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.928911924 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.928931952 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:03.934989929 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.935004950 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.935067892 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:03.935076952 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:03.935134888 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:04.009484053 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:04.009567022 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:04.009694099 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:04.009804964 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 16:12:04.009823084 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 16:12:04.019532919 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:04.019552946 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:04.019620895 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:04.019639969 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:04.019721985 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:04.020344973 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:04.020414114 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:04.020417929 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:04.020459890 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:04.021030903 CEST	49717	443	192.168.2.7	13.107.253.42
Aug 29, 2024 16:12:04.021044016 CEST	443	49717	13.107.253.42	192.168.2.7
Aug 29, 2024 16:12:04.132354975 CEST	443	49698	104.98.116.138	192.168.2.7
Aug 29, 2024 16:12:04.132473946 CEST	49698	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:12:04.380140066 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:04.380218029 CEST	49727	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:04.384232044 CEST	49727	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:04.384238005 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:04.384462118 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:04.450594902 CEST	49727	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:04.492510080 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:04.557518005 CEST	443	49728	51.104.136.2	192.168.2.7
Aug 29, 2024 16:12:04.557655096 CEST	49728	443	192.168.2.7	51.104.136.2
Aug 29, 2024 16:12:04.562401056 CEST	49728	443	192.168.2.7	51.104.136.2
Aug 29, 2024 16:12:04.562407970 CEST	443	49728	51.104.136.2	192.168.2.7
Aug 29, 2024 16:12:04.562661886 CEST	443	49728	51.104.136.2	192.168.2.7
Aug 29, 2024 16:12:04.650998116 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:04.651056051 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:04.651226044 CEST	49727	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:04.651247025 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:04.651259899 CEST	49727	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:04.651259899 CEST	49727	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:04.651268005 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:04.651273966 CEST	443	49727	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:04.666806936 CEST	49728	443	192.168.2.7	51.104.136.2
Aug 29, 2024 16:12:04.686747074 CEST	49734	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:04.686779976 CEST	443	49734	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:04.686964989 CEST	49734	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:04.687391996 CEST	49734	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:04.687403917 CEST	443	49734	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:05.325083017 CEST	443	49734	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:05.325201988 CEST	49734	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:05.342466116 CEST	49734	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:05.342483997 CEST	443	49734	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:05.342740059 CEST	443	49734	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:05.344101906 CEST	49734	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:05.364012957 CEST	49728	443	192.168.2.7	51.104.136.2
Aug 29, 2024 16:12:05.364121914 CEST	443	49728	51.104.136.2	192.168.2.7
Aug 29, 2024 16:12:05.364196062 CEST	49728	443	192.168.2.7	51.104.136.2
Aug 29, 2024 16:12:05.384497881 CEST	443	49734	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:05.608109951 CEST	443	49734	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:05.608179092 CEST	443	49734	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:05.608242035 CEST	49734	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:05.609452009 CEST	49734	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:05.609471083 CEST	443	49734	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:05.609482050 CEST	49734	443	192.168.2.7	184.28.90.27
Aug 29, 2024 16:12:05.609487057 CEST	443	49734	184.28.90.27	192.168.2.7
Aug 29, 2024 16:12:05.893079996 CEST	49736	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:05.893136978 CEST	443	49736	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:05.893256903 CEST	49736	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:05.893429995 CEST	49737	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:05.893462896 CEST	443	49737	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:05.893517017 CEST	49737	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:05.893982887 CEST	49736	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:05.893990993 CEST	443	49736	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:05.894598961 CEST	49737	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:05.894609928 CEST	443	49737	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.060791969 CEST	49738	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:06.060825109 CEST	443	49738	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:06.060900927 CEST	49738	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:06.062114000 CEST	49738	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:06.062127113 CEST	443	49738	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:06.335218906 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.335268974 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.335328102 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.335433006 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.335460901 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.335609913 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.335623980 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.335637093 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.335741997 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.335758924 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.353049040 CEST	443	49736	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.353533030 CEST	49736	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.353548050 CEST	443	49736	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.353894949 CEST	443	49736	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.354204893 CEST	49736	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.354275942 CEST	443	49736	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.361944914 CEST	443	49737	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.362160921 CEST	49737	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.362174988 CEST	443	49737	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.362524986 CEST	443	49737	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.362961054 CEST	49737	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.363025904 CEST	443	49737	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.478632927 CEST	49736	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.478739023 CEST	49737	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.681229115 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 16:12:06.769007921 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:06.769052029 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:06.769126892 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:06.769323111 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:06.769339085 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:06.804200888 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.804327011 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.804563046 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.804595947 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.805028915 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.805087090 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.805753946 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.805808067 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.808662891 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.808675051 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.808952093 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.809058905 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.809139013 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.809192896 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.809207916 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.809221029 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.809860945 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.809938908 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.810610056 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.810681105 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.810929060 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.810936928 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.849932909 CEST	443	49738	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:06.850126982 CEST	49738	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:06.869651079 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.869662046 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.901232004 CEST	49738	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:06.901262045 CEST	443	49738	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:06.901622057 CEST	443	49738	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:06.902890921 CEST	49738	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:06.902918100 CEST	49738	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:06.902940989 CEST	443	49738	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:06.917601109 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.917726040 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.917823076 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.918462992 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.918463945 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.918488979 CEST	443	49740	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.918790102 CEST	49740	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.921868086 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.921936989 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.922029018 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.922544956 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.922560930 CEST	443	49739	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:06.922602892 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:06.922619104 CEST	49739	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.223664045 CEST	443	49738	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:07.223776102 CEST	443	49738	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:07.223920107 CEST	49738	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:07.227555990 CEST	49738	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:07.227586985 CEST	443	49738	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:07.227602005 CEST	49738	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:07.227608919 CEST	443	49738	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:07.229831934 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.229871035 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.229985952 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.230185032 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.230221987 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.230278969 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.230547905 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.230566025 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.230720997 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.230741024 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.236536980 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.236799002 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:07.236815929 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.237974882 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.238030910 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:07.239168882 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:07.239247084 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.239475965 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:07.239486933 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.334911108 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.334950924 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.334975958 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.335014105 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:07.335042000 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.335069895 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:07.335314989 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.337460041 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:07.365820885 CEST	49741	443	192.168.2.7	172.217.165.132
Aug 29, 2024 16:12:07.365844965 CEST	443	49741	172.217.165.132	192.168.2.7
Aug 29, 2024 16:12:07.370642900 CEST	49744	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:07.370687962 CEST	443	49744	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:07.370774031 CEST	49744	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:07.370996952 CEST	49744	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:07.371012926 CEST	443	49744	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:07.690278053 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.710314989 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.746586084 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.746614933 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.747227907 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.747241974 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.747323990 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.747972965 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.748016119 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.773628950 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.773648977 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.774285078 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.774302006 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.774419069 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.775055885 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.775146961 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.779812098 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.779966116 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.781028986 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.781181097 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.826497078 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:07.826538086 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:07.826648951 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:07.827056885 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:07.827069998 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:07.976697922 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.976715088 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.976752043 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.976775885 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:08.076442957 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:08.076646090 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:08.218429089 CEST	443	49744	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.219409943 CEST	49744	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:08.219434977 CEST	443	49744	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.228703022 CEST	49744	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:08.228709936 CEST	443	49744	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.228737116 CEST	49744	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:08.228749990 CEST	443	49744	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.584806919 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.585354090 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:08.585397005 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.586237907 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:08.586245060 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.586282969 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:08.586294889 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.612817049 CEST	443	49744	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.614861965 CEST	443	49744	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.614922047 CEST	49744	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:08.615694046 CEST	49744	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:08.615714073 CEST	443	49744	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:08.615725994 CEST	49744	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:08.615731001 CEST	443	49744	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:11.195368052 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:11.195398092 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:11.195416927 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:11.195458889 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:11.195472956 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:11.195528030 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:11.195722103 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:11.195765972 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:11.195791006 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:11.195833921 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:11.195887089 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:11.195905924 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:11.195916891 CEST	49745	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:11.195923090 CEST	443	49745	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:11.304320097 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 16:12:11.443310976 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:11.443351030 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:11.443505049 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:11.443686962 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:11.443700075 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:12.209475040 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:12.210880041 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:12.210880041 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:12.210903883 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:12.210913897 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:12.210935116 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:12.210943937 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:12.299613953 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:12.299659967 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:12.299849987 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:12.301187038 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:12.301212072 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:12.643626928 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 16:12:12.901081085 CEST	49698	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:12:12.901628017 CEST	49748	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:12:12.901670933 CEST	443	49748	104.98.116.138	192.168.2.7
Aug 29, 2024 16:12:12.901773930 CEST	49748	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:12:12.906505108 CEST	49748	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:12:12.906521082 CEST	443	49748	104.98.116.138	192.168.2.7
Aug 29, 2024 16:12:12.908346891 CEST	443	49698	104.98.116.138	192.168.2.7
Aug 29, 2024 16:12:13.163106918 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.163202047 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.165659904 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.165672064 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.166100979 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.211221933 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.249180079 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.292507887 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.322544098 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:13.322563887 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:13.322606087 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:13.322628975 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:13.322644949 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:13.322712898 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:13.322825909 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:13.322871923 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:13.323637962 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:13.323654890 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:13.323663950 CEST	49746	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:13.323671103 CEST	443	49746	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:13.433866978 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:13.433916092 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:13.434107065 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:13.434295893 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:13.434314013 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:13.481936932 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.481961012 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.481969118 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.481978893 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.482012987 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.482042074 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.482073069 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.482095003 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.482120037 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.483369112 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.483450890 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.483458042 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.483714104 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.483773947 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.496823072 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.496848106 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:13.496886015 CEST	49747	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:13.496891022 CEST	443	49747	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:14.195167065 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:14.198829889 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:14.198868036 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:14.199925900 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:14.199925900 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:14.199938059 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:14.199954987 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:14.570447922 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:14.570480108 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:14.570530891 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:14.570578098 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:14.570607901 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:14.570624113 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:14.570770979 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:14.570821047 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:14.681197882 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:14.681232929 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:14.681246996 CEST	49749	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:14.681253910 CEST	443	49749	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:15.912246943 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:15.912292004 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:15.912354946 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:15.912803888 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:15.912822008 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:15.946993113 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:15.947025061 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:15.947092056 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:15.947360039 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:15.947375059 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:16.682873964 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:16.683475018 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:16.683511019 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:16.684405088 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:16.684410095 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:16.686952114 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:16.686964989 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:16.712954044 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:16.713021040 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:16.725044966 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:16.725059986 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:16.725275040 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:16.726082087 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:16.726160049 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:16.726181984 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.097796917 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.097825050 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.097889900 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.097907066 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.097920895 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.097959995 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.098303080 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.098303080 CEST	49751	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.098320961 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.098330021 CEST	443	49751	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.115109921 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.115143061 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.115236998 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.115525961 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.115540981 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.121567965 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.121588945 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.121628046 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.121645927 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.121660948 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.121673107 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.121872902 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.121925116 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.121968985 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.121978998 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.121989965 CEST	49750	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.121994972 CEST	443	49750	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.197173119 CEST	49753	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:17.197195053 CEST	443	49753	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:17.197279930 CEST	49753	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:17.197535992 CEST	49753	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:17.197551012 CEST	443	49753	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:17.991581917 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.992801905 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.992825031 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.993983984 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.993989944 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:17.994097948 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:17.994118929 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:18.170367002 CEST	443	49753	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:18.170459986 CEST	49753	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:18.171828985 CEST	49753	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:18.171840906 CEST	443	49753	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:18.172092915 CEST	443	49753	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:18.181035042 CEST	49753	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:18.181077957 CEST	443	49753	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:18.181219101 CEST	443	49753	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:18.181278944 CEST	49753	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:18.181298971 CEST	49753	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:18.250000000 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:18.250036955 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:18.250732899 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:18.251002073 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:18.251015902 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:18.774642944 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:18.774669886 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:18.774738073 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:18.774750948 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:18.774787903 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:18.774804115 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:18.774852991 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:18.774908066 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:18.775408983 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:18.775429010 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:18.775441885 CEST	49752	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:18.775448084 CEST	443	49752	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:18.858222008 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:18.858252048 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:18.858319044 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:18.858494043 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:18.858505011 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:19.040806055 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:19.040864944 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.048027992 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.048037052 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:19.048305035 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:19.050388098 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.050431013 CEST	443	49754	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:19.050482035 CEST	49754	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.171922922 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.171946049 CEST	443	49756	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:19.172008038 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.172317982 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.172331095 CEST	443	49756	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:19.617522001 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:19.619158983 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:19.619158983 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:19.619185925 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:19.619200945 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:19.619230032 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:19.619240999 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:19.727181911 CEST	49756	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.815063000 CEST	49757	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.815119982 CEST	443	49757	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:19.815234900 CEST	49757	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.815687895 CEST	49757	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:19.815701008 CEST	443	49757	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:20.046399117 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:20.046423912 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:20.046466112 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:20.046562910 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:20.046562910 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:20.046578884 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:20.046725988 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:20.047199011 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:20.047413111 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:20.047430038 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:20.047454119 CEST	49755	443	192.168.2.7	20.190.159.64
Aug 29, 2024 16:12:20.047460079 CEST	443	49755	20.190.159.64	192.168.2.7
Aug 29, 2024 16:12:20.616787910 CEST	443	49757	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:20.616864920 CEST	49757	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:20.618146896 CEST	49757	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:20.618156910 CEST	443	49757	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:20.618448973 CEST	443	49757	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:20.619656086 CEST	49757	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:20.619708061 CEST	443	49757	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:20.619761944 CEST	49757	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:20.937038898 CEST	49758	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:20.937123060 CEST	443	49758	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:20.937264919 CEST	49758	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:20.937664032 CEST	49758	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:20.937696934 CEST	443	49758	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:21.263293982 CEST	443	49736	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:21.263362885 CEST	443	49736	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:21.263420105 CEST	49736	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:21.268847942 CEST	443	49737	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:21.268908024 CEST	443	49737	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:21.268954992 CEST	49737	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:21.716583967 CEST	443	49758	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:21.716654062 CEST	49758	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:21.717957973 CEST	49758	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:21.717974901 CEST	443	49758	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:21.718219042 CEST	443	49758	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:21.719376087 CEST	49758	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:21.719417095 CEST	443	49758	51.124.78.146	192.168.2.7
Aug 29, 2024 16:12:21.719468117 CEST	49758	443	192.168.2.7	51.124.78.146
Aug 29, 2024 16:12:24.557344913 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 16:12:49.972933054 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:49.972964048 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:49.973047018 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:49.973433971 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:49.973448038 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.675323963 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.675405979 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.676749945 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.676762104 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.677000046 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.678154945 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.720508099 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.952084064 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.952135086 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.952176094 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.952220917 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.952258110 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.952279091 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.952303886 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.953860044 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.953896999 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.953929901 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.953938961 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.953952074 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.953960896 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.954011917 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.954396963 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.954410076 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:50.954421997 CEST	49759	443	192.168.2.7	13.85.23.86
Aug 29, 2024 16:12:50.954427004 CEST	443	49759	13.85.23.86	192.168.2.7
Aug 29, 2024 16:12:52.991612911 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:52.991636038 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:52.991666079 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:52.991694927 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:55.663531065 CEST	443	49748	104.98.116.138	192.168.2.7
Aug 29, 2024 16:12:55.663594961 CEST	49748	443	192.168.2.7	104.98.116.138
Aug 29, 2024 16:12:58.168562889 CEST	49762	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.168610096 CEST	443	49762	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.168692112 CEST	49762	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.168741941 CEST	49763	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.168775082 CEST	443	49763	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.168850899 CEST	49763	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.168888092 CEST	49762	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.168903112 CEST	443	49762	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.169001102 CEST	49763	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.169014931 CEST	443	49763	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.623289108 CEST	443	49762	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.623317003 CEST	443	49763	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.630928040 CEST	49763	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.630942106 CEST	443	49763	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.631086111 CEST	49762	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.631104946 CEST	443	49762	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.631434917 CEST	443	49763	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.631501913 CEST	443	49762	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.631994009 CEST	49763	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.632085085 CEST	443	49763	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.632262945 CEST	49762	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.632332087 CEST	443	49762	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.681272984 CEST	49762	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.681293964 CEST	49763	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.462306976 CEST	49766	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.462337017 CEST	443	49766	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:00.462397099 CEST	49766	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.462630033 CEST	49767	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.462661982 CEST	443	49767	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:00.462713003 CEST	49767	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.462841034 CEST	49766	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.462857008 CEST	443	49766	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:00.462960005 CEST	49767	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.462975025 CEST	443	49767	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:00.941179991 CEST	443	49767	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:00.949121952 CEST	443	49766	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:00.991491079 CEST	49767	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.993285894 CEST	49766	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.002945900 CEST	49767	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.002954960 CEST	443	49767	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.003138065 CEST	49766	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.003146887 CEST	443	49766	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.003484964 CEST	443	49767	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.003586054 CEST	443	49766	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.017019033 CEST	49767	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.017148972 CEST	443	49767	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.017571926 CEST	49766	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.017699957 CEST	443	49766	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.069634914 CEST	49767	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.073487043 CEST	49766	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.266762972 CEST	49768	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.266792059 CEST	443	49768	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.266860008 CEST	49768	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.267659903 CEST	49768	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.267676115 CEST	443	49768	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.753092051 CEST	443	49768	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.753355980 CEST	49768	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.753381968 CEST	443	49768	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.754523039 CEST	443	49768	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.754582882 CEST	49768	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.756237984 CEST	49768	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.756309986 CEST	443	49768	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.757134914 CEST	49768	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.757143974 CEST	443	49768	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.803987980 CEST	49768	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.922303915 CEST	443	49768	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.922384977 CEST	443	49768	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.922452927 CEST	49768	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.930915117 CEST	49768	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.930932999 CEST	443	49768	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.931458950 CEST	49769	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.931492090 CEST	443	49769	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:01.931566000 CEST	49769	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.931732893 CEST	49769	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:01.931747913 CEST	443	49769	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:02.390996933 CEST	443	49769	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:02.391314983 CEST	49769	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:02.391336918 CEST	443	49769	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:02.391655922 CEST	443	49769	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:02.391937971 CEST	49769	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:02.392007113 CEST	443	49769	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:02.392076969 CEST	49769	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:02.432502985 CEST	443	49769	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:02.539771080 CEST	443	49769	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:02.539858103 CEST	443	49769	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:02.539913893 CEST	49769	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:02.542282104 CEST	49769	443	192.168.2.7	23.219.161.132
Aug 29, 2024 16:13:02.542301893 CEST	443	49769	23.219.161.132	192.168.2.7
Aug 29, 2024 16:13:06.351145029 CEST	49736	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:06.351162910 CEST	49737	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:06.351175070 CEST	443	49736	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:06.351185083 CEST	443	49737	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:13.533943892 CEST	443	49763	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:13.534019947 CEST	443	49763	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:13.534121037 CEST	49763	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:13.535629988 CEST	443	49762	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:13.535696030 CEST	443	49762	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:13.535743952 CEST	49762	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:15.857034922 CEST	443	49767	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:15.857112885 CEST	443	49767	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:15.857161999 CEST	49767	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:15.858741999 CEST	443	49766	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:15.858818054 CEST	443	49766	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:15.858886003 CEST	49766	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:38.038513899 CEST	49743	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:13:38.038516998 CEST	49742	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:13:38.038532972 CEST	443	49743	142.250.65.174	192.168.2.7
Aug 29, 2024 16:13:38.038541079 CEST	443	49742	142.250.65.174	192.168.2.7
Aug 29, 2024 16:13:51.351807117 CEST	49736	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:51.351838112 CEST	443	49736	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:51.351880074 CEST	49737	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:51.351912975 CEST	443	49737	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:58.545402050 CEST	49762	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:58.545429945 CEST	49763	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:58.545443058 CEST	443	49762	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:58.545454025 CEST	443	49763	172.64.41.3	192.168.2.7
Aug 29, 2024 16:14:00.976845980 CEST	49767	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:14:00.976883888 CEST	443	49767	172.64.41.3	192.168.2.7
Aug 29, 2024 16:14:00.976912975 CEST	49766	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:14:00.976937056 CEST	443	49766	172.64.41.3	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 16:11:58.785842896 CEST	53	51404	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:00.460304976 CEST	63998	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:00.460513115 CEST	64796	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:01.699434996 CEST	53	64054	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:01.709561110 CEST	53	62583	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:03.250667095 CEST	51085	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:03.251106024 CEST	55168	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:03.251503944 CEST	58156	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:03.251684904 CEST	56724	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:03.252026081 CEST	64970	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:03.252409935 CEST	51709	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:03.252811909 CEST	51523	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:03.253175020 CEST	63895	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:03.258440971 CEST	53	51085	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:03.258848906 CEST	53	55168	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:03.259387016 CEST	53	58156	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:03.259756088 CEST	53	56724	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:03.259768963 CEST	53	64970	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:03.259843111 CEST	53	51709	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:03.260370970 CEST	53	51523	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:03.261329889 CEST	53	63895	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:03.410479069 CEST	49966	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:03.410695076 CEST	50534	53	192.168.2.7	1.1.1.1
Aug 29, 2024 16:12:03.420510054 CEST	53	49966	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:03.420545101 CEST	53	50534	1.1.1.1	192.168.2.7
Aug 29, 2024 16:12:05.547261000 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:05.892215967 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.008299112 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.008459091 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.008470058 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.008601904 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.008611917 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.024406910 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.024554968 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.026900053 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.032141924 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.032253981 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.032660007 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.032771111 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.129550934 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.129565001 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.130640984 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.130651951 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.130688906 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.131079912 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.132946014 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.132996082 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.134393930 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.225490093 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.237843037 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.237952948 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.332892895 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.334254980 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.334496021 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.334716082 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.671832085 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.672327995 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.766762972 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.767855883 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.768049955 CEST	443	57364	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:06.768513918 CEST	57364	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:06.920269012 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.137049913 CEST	123	123	192.168.2.7	20.101.57.9
Aug 29, 2024 16:12:07.229074001 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.376235008 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.376277924 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.382879019 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.382893085 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.383023977 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.383035898 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.434989929 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.435879946 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.495663881 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.496220112 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.496351957 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.496531010 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.496788979 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.496798038 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.496975899 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.594279051 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.594377041 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.595134020 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.595578909 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.609710932 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.612369061 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.643017054 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.643254995 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.643501043 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.644539118 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.646291971 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.659068108 CEST	123	123	20.101.57.9	192.168.2.7
Aug 29, 2024 16:12:07.739187002 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.767014027 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:07.779417992 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:07.862880945 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:15.348691940 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:15.472393036 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:15.539453030 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:15.580363035 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:15.580440998 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:15.648045063 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:15.720798016 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:15.771801949 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:15.817794085 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:15.834456921 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.326389074 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.326416969 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.425002098 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.461245060 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.493997097 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.493997097 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.532510042 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.532533884 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.532911062 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.536063910 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.536076069 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.742167950 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.799079895 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.799149990 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.799241066 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.799283028 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.799479008 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.799531937 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.799637079 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.799745083 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.799782991 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.836136103 CEST	60874	443	192.168.2.7	142.250.65.174
Aug 29, 2024 16:12:36.911648989 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.912098885 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:36.912934065 CEST	443	60874	142.250.65.174	192.168.2.7
Aug 29, 2024 16:12:58.168339014 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.478423119 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.619858980 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.619920969 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.619935036 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.620038033 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.628736019 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.630254984 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.630587101 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.630693913 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.631328106 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.631434917 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.728358030 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.728388071 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.728399992 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.728404045 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.730675936 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.731153965 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.731230021 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.735707998 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.735780954 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.742940903 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:12:58.834058046 CEST	443	57714	172.64.41.3	192.168.2.7
Aug 29, 2024 16:12:58.869055986 CEST	57714	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.462063074 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.773530006 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:00.925599098 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:00.925764084 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:00.925776958 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:00.925828934 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:00.925842047 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.000880003 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.002315998 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.002640963 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.002752066 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.003376961 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.003472090 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.098510027 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.098659992 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.098865032 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.098874092 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.099484921 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.099903107 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.259270906 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.259393930 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.259520054 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:01.309782982 CEST	138	138	192.168.2.7	192.168.2.255
Aug 29, 2024 16:13:01.353508949 CEST	443	59185	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:01.383151054 CEST	59185	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:07.987375021 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:07.987526894 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:07.987858057 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:07.987962961 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.331056118 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.331686020 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.331815958 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.433907986 CEST	443	60107	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:08.434665918 CEST	443	60107	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:08.434678078 CEST	443	60107	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:08.434685946 CEST	443	60107	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:08.434695959 CEST	443	60107	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:08.435234070 CEST	443	60107	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:08.435606956 CEST	443	60107	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:08.437339067 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.437505007 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.437582970 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.437627077 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.437802076 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.439385891 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:08.439527035 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:08.533915997 CEST	443	60107	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:08.535104036 CEST	443	60107	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:08.535115957 CEST	443	60107	172.64.41.3	192.168.2.7
Aug 29, 2024 16:13:08.536087036 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.541627884 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:08.541757107 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:08.596108913 CEST	60107	443	192.168.2.7	172.64.41.3
Aug 29, 2024 16:13:08.892345905 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:08.893244982 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:08.893289089 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:08.893301964 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:08.893515110 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:08.903558016 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:08.996929884 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:08.998922110 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:08.999658108 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:09.004357100 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.004472971 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.007680893 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:09.007782936 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:09.008111000 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:09.008682013 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:09.008985043 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:09.009063005 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:09.022176027 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.108408928 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:09.108606100 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:09.108870983 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:09.108880997 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.108891010 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.108900070 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.108908892 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.109524965 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:09.110270023 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:09.110538960 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:09.111126900 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:09.121788979 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.121998072 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:09.122112989 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.122148037 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.122445107 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.123868942 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:09.151242971 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:09.151499033 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:09.151499987 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:09.151563883 CEST	59787	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:09.179987907 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:09.229372025 CEST	443	59787	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:09.278985977 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:09.308334112 CEST	443	56721	142.250.31.84	192.168.2.7
Aug 29, 2024 16:13:09.308501005 CEST	56721	443	192.168.2.7	142.250.31.84
Aug 29, 2024 16:13:38.682456017 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:38.682620049 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:39.140964985 CEST	443	61052	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:39.141028881 CEST	443	61052	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:39.141612053 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:39.141700029 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:39.141997099 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:39.142015934 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:39.155869961 CEST	443	61052	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:39.238929987 CEST	443	61052	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:39.238941908 CEST	443	61052	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:39.238950968 CEST	443	61052	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:39.254741907 CEST	443	61052	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:39.266680002 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:39.266829967 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:39.518379927 CEST	443	61052	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:39.824096918 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:39.936453104 CEST	443	61052	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:39.936495066 CEST	443	61052	142.250.80.110	192.168.2.7
Aug 29, 2024 16:13:39.936839104 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:40.001348972 CEST	61052	443	192.168.2.7	142.250.80.110
Aug 29, 2024 16:13:40.065218925 CEST	443	61052	142.250.80.110	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 16:12:00.460304976 CEST	192.168.2.7	1.1.1.1	0x1d35	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:00.460513115 CEST	192.168.2.7	1.1.1.1	0xeff9	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Aug 29, 2024 16:12:03.250667095 CEST	192.168.2.7	1.1.1.1	0x8fdc	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.251106024 CEST	192.168.2.7	1.1.1.1	0x24c3	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 16:12:03.251503944 CEST	192.168.2.7	1.1.1.1	0xd49a	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.251684904 CEST	192.168.2.7	1.1.1.1	0x8512	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 16:12:03.252026081 CEST	192.168.2.7	1.1.1.1	0xeff0	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.252409935 CEST	192.168.2.7	1.1.1.1	0x3b91	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 16:12:03.252811909 CEST	192.168.2.7	1.1.1.1	0x6229	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.253175020 CEST	192.168.2.7	1.1.1.1	0x91ca	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 16:12:03.410479069 CEST	192.168.2.7	1.1.1.1	0x929	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.410695076 CEST	192.168.2.7	1.1.1.1	0xd9a9	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 16:12:00.467622995 CEST	1.1.1.1	192.168.2.7	0xeff9	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 16:12:00.467797995 CEST	1.1.1.1	192.168.2.7	0x1d35	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 16:12:03.019747972 CEST	1.1.1.1	192.168.2.7	0xef79	No error (0)	shed.dual-low.s-part-0014.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 16:12:03.019747972 CEST	1.1.1.1	192.168.2.7	0xef79	No error (0)	dual.s-part-0014.t-0009.fb-t-msedge.net	s-part-0014.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 16:12:03.019747972 CEST	1.1.1.1	192.168.2.7	0xef79	No error (0)	s-part-0014.t-0009.fb-t-msedge.net		13.107.253.42	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.258440971 CEST	1.1.1.1	192.168.2.7	0x8fdc	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.258440971 CEST	1.1.1.1	192.168.2.7	0x8fdc	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.258848906 CEST	1.1.1.1	192.168.2.7	0x24c3	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 16:12:03.259387016 CEST	1.1.1.1	192.168.2.7	0xd49a	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.259387016 CEST	1.1.1.1	192.168.2.7	0xd49a	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.259756088 CEST	1.1.1.1	192.168.2.7	0x8512	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 16:12:03.259768963 CEST	1.1.1.1	192.168.2.7	0xeff0	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.259768963 CEST	1.1.1.1	192.168.2.7	0xeff0	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.259843111 CEST	1.1.1.1	192.168.2.7	0x3b91	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 16:12:03.260370970 CEST	1.1.1.1	192.168.2.7	0x6229	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.260370970 CEST	1.1.1.1	192.168.2.7	0x6229	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.261329889 CEST	1.1.1.1	192.168.2.7	0x91ca	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 16:12:03.420510054 CEST	1.1.1.1	192.168.2.7	0x929	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.420510054 CEST	1.1.1.1	192.168.2.7	0x929	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 16:12:03.420545101 CEST	1.1.1.1	192.168.2.7	0xd9a9	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

edgeassetservice.azureedge.net

chrome.cloudflare-dns.com

fs.microsoft.com

https:

www.google.com

slscr.update.microsoft.com

bzib.nelreports.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49718	13.107.253.42	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:03 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-29 14:12:03 UTC	559	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 14:12:03 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Fri, 23 Aug 2024 00:10:35 GMT ETag: 0x8DCC30802EF150E x-ms-request-id: 6ae7d274-b01e-003a-344b-f92ba4000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240829T141203Z-17bfd4cd76ckd9nr0pmuc7dqfc00000000s0000000009zvv Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L2_T2 X-Cache: TCP_REMOTE_HIT Accept-Ranges: bytes
2024-08-29 14:12:03 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49717	13.107.253.42	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:03 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.47 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-29 14:12:03 UTC	583	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 14:12:03 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Fri, 02 Aug 2024 18:10:35 GMT ETag: 0x8DCB31E67C22927 x-ms-request-id: ea208716-701e-0068-7461-f93656000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240829T141203Z-17bfd4cd76cl7wwt57zx0pkh3n00000000t0000000006yd2 Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L2_T2 X-Cache: TCP_REMOTE_HIT Accept-Ranges: bytes
2024-08-29 14:12:03 UTC	15801	IN	Data Raw: 1f 8b 08 08 1a 21 ad 66 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: !fasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-08-29 14:12:03 UTC	16384	IN	Data Raw: 4a b0 09 cb 82 45 ac c5 f3 e8 07 bb 82 71 ba da 2a 0b c7 62 2c 30 96 c2 52 09 74 65 c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 Data Ascii: JEqb,0Rte\|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49*-lx53Bu;hQ-]bU%+/M!eC8Y1
2024-08-29 14:12:03 UTC	16384	IN	Data Raw: 2f 4d 35 19 b9 3f d5 c1 f4 52 a7 67 b3 99 ff bc b7 c2 8e 7c d3 4d 9a a5 bf dc f0 20 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 Data Ascii: /M5?Rg\|M kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|c
2024-08-29 14:12:04 UTC	16384	IN	Data Raw: 99 dc 5a 2e 69 cf 52 41 9e 48 c8 71 d7 39 94 dd f7 b6 3f 2a 48 d1 b5 2e 37 a4 97 5f 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 Data Ascii: Z.iRAHq9?*H.7_CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`
2024-08-29 14:12:04 UTC	5254	IN	Data Raw: 29 50 5f 50 34 9a d3 9a 2a 83 ab 27 93 58 c5 2b d2 9c af 2b 4e 0f 79 ac a9 56 57 20 b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 Data Ascii: )P_P4*'X++NyVW a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49720	172.64.41.3	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:03 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 14:12:03 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 14:12:03 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 14:12:03 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bad2243cda21996-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 14:12:03 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 19 00 04 8e fa 51 e3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomQ)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49721	172.64.41.3	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:03 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 14:12:03 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 14:12:03 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 14:12:03 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bad2243ffbf1a40-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 14:12:03 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 02 00 04 8e fb 28 83 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49723	162.159.61.3	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:03 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 14:12:03 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 14:12:03 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 14:12:03 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bad2243f9618c17-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 14:12:03 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 91 00 04 8e fb 29 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom))

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49722	172.64.41.3	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:03 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 14:12:03 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 14:12:03 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 14:12:03 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bad2243ed082365-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 14:12:03 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 24 00 04 8e fa 41 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom$A)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49724	162.159.61.3	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:03 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 14:12:03 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 14:12:04 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 14:12:03 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bad2244c91a4316-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 14:12:04 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1b 00 04 8e fb 23 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom#)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49727	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:04 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-29 14:12:04 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=156289 Date: Thu, 29 Aug 2024 14:12:04 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49734	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:05 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-29 14:12:05 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=156241 Date: Thu, 29 Aug 2024 14:12:05 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-29 14:12:05 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49739	142.250.65.174	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:06 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-29 14:12:06 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Thu, 29 Aug 2024 14:12:06 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49740	142.250.65.174	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:06 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-29 14:12:06 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Thu, 29 Aug 2024 14:12:06 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49738	20.190.159.64	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:06 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-29 14:12:06 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 14:12:07 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 14:11:07 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BAY x-ms-request-id: 5471cbff-9e9f-4392-97e5-5f0cda53dd3b PPServer: PPV: 30 H: PH1PEPF00011FC7 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 14:12:06 GMT Connection: close Content-Length: 1276
2024-08-29 14:12:07 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49741	172.217.165.132	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:07 UTC	887	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.2045.47" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-29 14:12:07 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Thu, 29 Aug 2024 13:38:30 GMT Expires: Fri, 06 Sep 2024 13:38:30 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 2017 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-08-29 14:12:07 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-08-29 14:12:07 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-08-29 14:12:07 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-08-29 14:12:07 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-08-29 14:12:07 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49744	20.190.159.64	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:08 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-29 14:12:08 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 14:12:08 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 14:11:08 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BAY x-ms-request-id: 38b13630-050d-4587-b30a-6b561f0fc6b6 PPServer: PPV: 30 H: PH1PEPF0001201B V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 14:12:07 GMT Connection: close Content-Length: 1276
2024-08-29 14:12:08 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49745	20.190.159.64	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:08 UTC	446	OUT	POST /ppsecure/deviceaddcredential.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 7642 Host: login.live.com
2024-08-29 14:12:08 UTC	7642	OUT	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 71 75 65 73 74 3e 3c 43 6c 69 65 6e 74 49 6e 66 6f 20 6e 61 6d 65 3d 22 49 44 43 52 4c 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 3c 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 32 34 3c 2f 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 3c 2f 43 6c 69 65 6e 74 49 6e 66 6f 3e 3c 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 69 66 78 75 6c 70 6b 65 6f 70 76 6e 7a 74 3c 2f 4d 65 6d 62 65 72 6e 61 6d 65 3e 3c 50 61 73 73 77 6f 72 64 3e 54 25 2b 56 72 3a 75 46 2c 43 76 2c 32 55 7a 72 49 71 65 6e 3c 2f 50 61 73 73 77 6f 72 64 3e 3c 2f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4f 6c 64 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 71 74 6c 74 6e 74 63 62 72 65 71 75 61 6a 3c 2f 4f 6c 64 4d Data Ascii: <DeviceAddRequest><ClientInfo name="IDCRL" version="1.0"><BinaryVersion>24</BinaryVersion></ClientInfo><Authentication><Membername>02ifxulpkeopvnzt</Membername><Password>T%+Vr:uF,Cv,2UzrIqen</Password></Authentication><OldMembername>02qtltntcbrequaj</OldM
2024-08-29 14:12:11 UTC	542	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: text/xml Expires: Thu, 29 Aug 2024 14:11:08 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C526_BAY x-ms-request-id: 900ff642-dfc3-46cc-aa6d-0585a063aae7 PPServer: PPV: 30 H: PH1PEPF00011DE6 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 14:12:10 GMT Connection: close Content-Length: 17166
2024-08-29 14:12:11 UTC	15842	IN	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 73 70 6f 6e 73 65 20 53 75 63 63 65 73 73 3d 22 74 72 75 65 22 3e 3c 73 75 63 63 65 73 73 3e 74 72 75 65 3c 2f 73 75 63 63 65 73 73 3e 3c 70 75 69 64 3e 30 30 31 38 38 30 30 46 33 39 30 46 46 42 42 35 3c 2f 70 75 69 64 3e 3c 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 33 3c 2f 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 3c 4c 69 63 65 6e 73 65 20 43 6f 6e 74 65 6e 74 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 2d 38 63 63 35 2d 62 32 66 35 33 63 38 33 30 62 37 36 22 20 49 44 3d 22 63 62 64 38 32 33 64 38 2d 30 66 30 33 2d 34 62 62 33 2d 61 62 36 63 2d 61 61 38 36 37 63 30 34 62 62 62 64 22 20 4c 69 63 65 6e 73 65 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 Data Ascii: <DeviceAddResponse Success="true"><success>true</success><puid>0018800F390FFBB5</puid><DeviceTpmKeyState>3</DeviceTpmKeyState><License ContentID="3252b20c-d425-4711-8cc5-b2f53c830b76" ID="cbd823d8-0f03-4bb3-ab6c-aa867c04bbbd" LicenseID="3252b20c-d425-4711
2024-08-29 14:12:11 UTC	1324	IN	Data Raw: 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 65 6e 76 65 6c 6f 70 65 64 2d 73 69 67 6e 61 74 75 72 65 22 2f 3e 3c 2f 54 72 61 6e 73 66 6f 72 6d 73 3e 3c 44 69 67 65 73 74 4d 65 74 68 6f 64 20 41 6c 67 6f 72 69 74 68 6d 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 30 34 2f 78 6d 6c 65 6e 63 23 73 68 61 32 35 36 22 2f 3e 3c 44 69 67 65 73 74 56 61 6c 75 65 3e 67 74 71 77 70 52 35 66 47 44 61 6f 48 73 4d 37 49 57 47 4b 5a 67 61 77 58 61 30 42 50 69 47 61 65 35 62 49 75 6e 2f 52 51 4a 41 3d 3c 2f 44 69 67 65 73 74 56 61 6c 75 65 3e 3c 2f 52 65 66 65 72 65 6e 63 65 3e 3c 2f 53 69 67 6e 65 64 49 6e 66 6f 3e 3c 53 69 67 6e 61 74 75 72 65 56 61 6c 75 65 3e 41 46 38 6f 46 52 2b 47 66 Data Ascii: tp://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>gtqwpR5fGDaoHsM7IWGKZgawXa0BPiGae5bIun/RQJA=</DigestValue></Reference></SignedInfo><SignatureValue>AF8oFR+Gf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49746	20.190.159.64	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:12 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-29 14:12:12 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 14:12:13 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 14:11:12 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C522_BAY x-ms-request-id: 6a05077f-41c3-4f78-b60a-366d89efad73 PPServer: PPV: 30 H: PH1PEPF00011F17 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 14:12:12 GMT Connection: close Content-Length: 11389
2024-08-29 14:12:13 UTC	11389	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49747	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:13 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dFcZVSNauNPZHTY&MD=nc6V4FUn HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-29 14:12:13 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: bd04023a-e610-4f45-a751-989b7686e8dc MS-RequestId: 4b745cf6-e857-4610-9234-5162628df9a2 MS-CV: fwlqTo5olkKlNKhU.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 29 Aug 2024 14:12:12 GMT Connection: close Content-Length: 24490
2024-08-29 14:12:13 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-29 14:12:13 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49749	20.190.159.64	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:14 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-29 14:12:14 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 14:12:14 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 14:11:14 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C522_BAY x-ms-request-id: 760d6a31-48e9-425c-bc2d-76e39bd8ead1 PPServer: PPV: 30 H: PH1PEPF0001201C V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 14:12:13 GMT Connection: close Content-Length: 11389
2024-08-29 14:12:14 UTC	11389	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49750	20.190.159.64	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:16 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4710 Host: login.live.com
2024-08-29 14:12:16 UTC	4710	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 14:12:17 UTC	656	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 14:11:16 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=5&213=292991&215=0&315=1&215=0&315=1&214=30&288=16.0.30345.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C522_BAY x-ms-request-id: 163b5d41-561f-4a48-b561-448090123079 PPServer: PPV: 30 H: PH1PEPF00011DEF V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 14:12:16 GMT Connection: close Content-Length: 10173
2024-08-29 14:12:17 UTC	10173	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49751	20.190.159.64	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:16 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-08-29 14:12:16 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 14:12:17 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 14:11:16 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_SN1 x-ms-request-id: cead0146-ac4a-480a-b383-d1737cdcfdbf PPServer: PPV: 30 H: SN1PEPF0002F8DE V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 14:12:16 GMT Connection: close Content-Length: 1918
2024-08-29 14:12:17 UTC	1918	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49752	20.190.159.64	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:17 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-08-29 14:12:17 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 14:12:18 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 14:11:18 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30345.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C522_BAY x-ms-request-id: 76e7282b-b843-4322-b78b-8ad6b611570b PPServer: PPV: 30 H: PH1PEPF00011DEC V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 14:12:18 GMT Connection: close Content-Length: 11409
2024-08-29 14:12:18 UTC	11409	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49755	20.190.159.64	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:19 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-08-29 14:12:19 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 14:12:20 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 14:11:19 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30345.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C522_BAY x-ms-request-id: 8b5bb033-0fa8-44e0-95f9-0e38bad9ba7d PPServer: PPV: 30 H: PH1PEPF00011DE9 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 14:12:19 GMT Connection: close Content-Length: 11409
2024-08-29 14:12:20 UTC	11409	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49759	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:12:50 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dFcZVSNauNPZHTY&MD=nc6V4FUn HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-29 14:12:50 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 6858b0de-eb02-4afb-83ae-36dbdeec1159 MS-RequestId: b4800869-f99a-4c71-8467-2786095aea6d MS-CV: PvZmaAruEkSX+Zav.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 29 Aug 2024 14:12:50 GMT Connection: close Content-Length: 30005
2024-08-29 14:12:50 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-08-29 14:12:50 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49768	23.219.161.132	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:13:01 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-29 14:13:01 UTC	360	IN	HTTP/1.1 200 OK Content-Length: 0 Access-Control-Allow-Headers: content-type Date: Thu, 29 Aug 2024 14:13:01 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.84112317.1724940781.6f8b373 Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49769	23.219.161.132	443	7548	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 14:13:02 UTC	382	OUT	POST /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Content-Length: 466 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-29 14:13:02 UTC	466	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 35 39 35 37 34 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 31 34 35 32 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 33 2e 31 30 37 2e 36 2e 31 35 38 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 31 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 62 69 6e Data Ascii: [{"age":59574,"body":{"elapsed_time":1452,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"13.107.6.158","status_code":401,"type":"http.error"},"type":"network-error","url":"https://business.bin
2024-08-29 14:13:02 UTC	358	IN	HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 Date: Thu, 29 Aug 2024 14:13:02 GMT Content-Length: 21 Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.84112317.1724940782.6f8b832 Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *
2024-08-29 14:13:02 UTC	21	IN	Data Raw: 50 72 6f 63 65 73 73 65 64 20 74 68 65 20 72 65 71 75 65 73 74 Data Ascii: Processed the request

Target ID:	0
Start time:	10:11:54
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe30000
File size:	917'504 bytes
MD5 hash:	DCED9153DCB405DFD6499434EF1D56F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	10:11:54
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:11:55
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2032,i,16988494494668534220,2822882406971420008,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:11:55
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:11:55
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	10:12:00
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3416 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:12:00
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7396 --field-trial-handle=2024,i,3079803802264908455,4492745023157749298,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:12:13
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:12:13
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2336 --field-trial-handle=2128,i,8679173974918420017,15842253815154917753,262144 /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:12:14
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2560 --field-trial-handle=2128,i,8679173974918420017,15842253815154917753,262144 /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:09:10
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:09:11
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1236 --field-trial-handle=2576,i,11118179262118238298,6927410186781767715,262144 /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.8%
Total number of Nodes:	1400
Total number of Limit Nodes:	54

Executed Functions

Function 00E342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E3430D

Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A

GetCurrentProcess.KERNEL32(?,00ECCB64,00000000,?,?), ref: 00E34422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00E34429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00E34454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E34466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00E34474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00E3447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00E344A0

Strings

|O, xrefs: 00E736F8
GetNativeSystemInfo, xrefs: 00E34460
kernel32.dll, xrefs: 00E3444F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: af93d59bd1fe26f516c864465754c24b4ba35315859c810ef0830a5cde6ef1d8
Instruction ID: 5451d6f3ec6a144b20ce3d5080327de9754e5d0141ac697deba5e5514165cc0f
Opcode Fuzzy Hash: af93d59bd1fe26f516c864465754c24b4ba35315859c810ef0830a5cde6ef1d8
Instruction Fuzzy Hash: F7A1C7B290A3CCDFC715C7B97C855D57FE47B26304F58A8A9E085B3A62D2305909FB22

Function 00E342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E350AA,?,?,00000000,00000000), ref: 00E342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E350AA,?,?,00000000,00000000), ref: 00E342C9
LoadResource.KERNEL32(?,00000000,?,?,00E350AA,?,?,00000000,00000000,?,?,?,?,?,?,00E34F20), ref: 00E735BE
SizeofResource.KERNEL32(?,00000000,?,?,00E350AA,?,?,00000000,00000000,?,?,?,?,?,?,00E34F20), ref: 00E735D3
LockResource.KERNEL32(00E350AA,?,?,00E350AA,?,?,00000000,00000000,?,?,?,?,?,?,00E34F20,?), ref: 00E735E6

Strings

SCRIPT, xrefs: 00E342BF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: df67f0af05fc5b909bda587a1b350ecc939197c7b3ba9770308b70bc6f82fb06
Instruction ID: 023ae680c8105431de7dea77177df59efe60064233e01d197e527507d15d093b
Opcode Fuzzy Hash: df67f0af05fc5b909bda587a1b350ecc939197c7b3ba9770308b70bc6f82fb06
Instruction Fuzzy Hash: 88119E70200700AFD7259B66DC48F277BFDEBC5B51F244169F416A62A0DB72E805CA20

Function 00E9DBBE Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,"R), ref: 00E9DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00E9DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00E9DBEE
FindClose.KERNEL32(00000000), ref: 00E9DBFA

Strings

"R, xrefs: 00E9DBCA

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID: "R
API String ID: 2695905019-1746183819
Opcode ID: bee5bb5f03cc6b7bee2d54bdf5bf7e1bf7cfb7ed9b2a6eafb249f76ff6f332dc
Instruction ID: ab37177fe052ef144b93175d76fe25b811edd98db0dc58f66466e7bfe3d6d094
Opcode Fuzzy Hash: bee5bb5f03cc6b7bee2d54bdf5bf7e1bf7cfb7ed9b2a6eafb249f76ff6f332dc
Instruction Fuzzy Hash: A9F0EC704149245B8B246F7DDC0DCAAB76C9F01334B244712F439E20F0EBB15D5AC5D5

Function 00E72BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00E32B6B

Part of subcall function 00E33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F01418,?,00E32E7F,?,?,?,00000000), ref: 00E33A78

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00EF2224), ref: 00E72C10
ShellExecuteW.SHELL32(00000000,?,?,00EF2224), ref: 00E72C17

Strings

runas, xrefs: 00E72C0B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 3e8ead4ffd597c5bb677c29863ba87d57650e7a0bdca56103c5abbc9c4f96bda
Instruction ID: 4a635627fb76f0097e960a6e663dd2c807dea595950028adfab900753ecd8271
Opcode Fuzzy Hash: 3e8ead4ffd597c5bb677c29863ba87d57650e7a0bdca56103c5abbc9c4f96bda
Instruction Fuzzy Hash: D311AC312083456AC708FF70D85ADBEBFE4AB91304F54742DF296720A3CF618A0AD712

Function 00EBAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00EBB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EBB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EBB1D4
_wcslen.LIBCMT ref: 00EBB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EBB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EBB236
_wcslen.LIBCMT ref: 00EBB332

Part of subcall function 00EA05A7: GetStdHandle.KERNEL32(000000F6), ref: 00EA05C6

_wcslen.LIBCMT ref: 00EBB34B
_wcslen.LIBCMT ref: 00EBB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EBB3B6
GetLastError.KERNEL32(00000000), ref: 00EBB407
CloseHandle.KERNEL32(?), ref: 00EBB439
CloseHandle.KERNEL32(00000000), ref: 00EBB44A
CloseHandle.KERNEL32(00000000), ref: 00EBB45C
CloseHandle.KERNEL32(00000000), ref: 00EBB46E
CloseHandle.KERNEL32(?), ref: 00EBB4E3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 764ca222d2d90645993c9daf91835ee024c8c7a9313a187a9c8a30c5c2da26da
Instruction ID: 75bdeafe496d90f943920e6dea17726974e56082258a200b630d87485b630e85
Opcode Fuzzy Hash: 764ca222d2d90645993c9daf91835ee024c8c7a9313a187a9c8a30c5c2da26da
Instruction Fuzzy Hash: 62F1AD715043009FC724EF24C895BAFBBE5AF85314F14A45DF899AB2A2DB71EC44CB52

Function 00E3D730 Relevance: 21.6, APIs: 14, Instructions: 623sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E3D807
timeGetTime.WINMM ref: 00E3DA07
Sleep.KERNELBASE(0000000A), ref: 00E3DBB1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: cced7975aec20763c12d8c680285b5231ed125964f10ae8e59c0bc8edad122b6
Instruction ID: afb038934db3a71c00a7d9e5667bf94bdde0a90a0188deabf4b8d2b1995e04cc
Opcode Fuzzy Hash: cced7975aec20763c12d8c680285b5231ed125964f10ae8e59c0bc8edad122b6
Instruction Fuzzy Hash: 4042F230608341DFD729DF24DC48BAABBE0BF85308F14A55DE56AA7291D771E844CB92

Function 00E32CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E32D07
RegisterClassExW.USER32(00000030), ref: 00E32D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E32D42
InitCommonControlsEx.COMCTL32(?), ref: 00E32D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E32D6F
LoadIconW.USER32(000000A9), ref: 00E32D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E32D94

Strings

+, xrefs: 00E32CF0
TaskbarCreated, xrefs: 00E32D37
AutoIt v3 GUI, xrefs: 00E32D23
0, xrefs: 00E32CE9

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9b3de31a242a2e8e2f5e95ac605f7142b51bc464e4b84018d15f95674d1c8fd8
Instruction ID: 24f62efc2144c8b0015bb3accea9a616d4e516d86973a5f9bf9b716f87cb6c22
Opcode Fuzzy Hash: 9b3de31a242a2e8e2f5e95ac605f7142b51bc464e4b84018d15f95674d1c8fd8
Instruction Fuzzy Hash: 2F21A0B5901318AFDB009FA5ED49B9DBBB4FB08700F10412AE615B62A0D7B245569F91

Function 00E7065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E7039A: CreateFileW.KERNELBASE(00000000,00000000,?,00E70704,?,?,00000000,?,00E70704,00000000,0000000C), ref: 00E703B7

GetLastError.KERNEL32 ref: 00E7076F
__dosmaperr.LIBCMT ref: 00E70776
GetFileType.KERNELBASE(00000000), ref: 00E70782
GetLastError.KERNEL32 ref: 00E7078C
__dosmaperr.LIBCMT ref: 00E70795
CloseHandle.KERNEL32(00000000), ref: 00E707B5
CloseHandle.KERNEL32(?), ref: 00E708FF
GetLastError.KERNEL32 ref: 00E70931
__dosmaperr.LIBCMT ref: 00E70938

Strings

H, xrefs: 00E708BD

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8a522522add1e76a1bfab34d66de03d2ceafc9712bddbc67e029e9170328353c
Instruction ID: 43eb7208c9d2a99d9ff96493280706b28443cdde7ef59bb8410730ffc8e24cec
Opcode Fuzzy Hash: 8a522522add1e76a1bfab34d66de03d2ceafc9712bddbc67e029e9170328353c
Instruction Fuzzy Hash: 51A13632A001498FDF19EF68D851BAE3BE1EB46324F14915DF819BB3A1CB319817DB91

Function 00E3344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F01418,?,00E32E7F,?,?,?,00000000), ref: 00E33A78

Part of subcall function 00E33357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E33379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E3356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E7318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E731CE
RegCloseKey.ADVAPI32(?), ref: 00E73210
_wcslen.LIBCMT ref: 00E73277
_wcslen.LIBCMT ref: 00E73286

Strings

Include, xrefs: 00E73184, 00E731C5
\, xrefs: 00E7328C
\Include\, xrefs: 00E33527
Software\AutoIt v3\AutoIt, xrefs: 00E33560

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ef5a5a726ed5828af316725d3a1e67dbc47b35deb75d7a3cb2bcdb5e0e5a0fa8
Instruction ID: f775466c18d6affbbe1ae7313836f964a4a120d39efa63b125322c88da5d05bc
Opcode Fuzzy Hash: ef5a5a726ed5828af316725d3a1e67dbc47b35deb75d7a3cb2bcdb5e0e5a0fa8
Instruction Fuzzy Hash: 8571E4714043049EC344DF69EC8ADABBBE8FF84340F50682EF589A31B1DB749A49DB61

Function 00E32B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E32B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00E32B9D
LoadIconW.USER32(00000063), ref: 00E32BB3
LoadIconW.USER32(000000A4), ref: 00E32BC5
LoadIconW.USER32(000000A2), ref: 00E32BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E32BEF
RegisterClassExW.USER32(?), ref: 00E32C40

Part of subcall function 00E32CD4: GetSysColorBrush.USER32(0000000F), ref: 00E32D07
Part of subcall function 00E32CD4: RegisterClassExW.USER32(00000030), ref: 00E32D31
Part of subcall function 00E32CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E32D42
Part of subcall function 00E32CD4: InitCommonControlsEx.COMCTL32(?), ref: 00E32D5F
Part of subcall function 00E32CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E32D6F
Part of subcall function 00E32CD4: LoadIconW.USER32(000000A9), ref: 00E32D85
Part of subcall function 00E32CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E32D94

Strings

0, xrefs: 00E32C0F
#, xrefs: 00E32C16
AutoIt v3, xrefs: 00E32C2F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0ec59d6ef4e6d37d6c076ef5bf996af3b5d66a28d72b77db009884ef64b8f425
Instruction ID: 4f26902a68b631852a0db10fa0fae4e1acbbd742f97189c2185bf8b0d7f3bbf1
Opcode Fuzzy Hash: 0ec59d6ef4e6d37d6c076ef5bf996af3b5d66a28d72b77db009884ef64b8f425
Instruction Fuzzy Hash: E5211A70E00318AFDB109FA6EC59AAA7FF5FB48B50F14002AF504B67A0D7B14555EF90

Function 00E33170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00E3316A,?,?), ref: 00E331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00E3316A,?,?), ref: 00E33204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E33227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00E3316A,?,?), ref: 00E33232
CreatePopupMenu.USER32 ref: 00E33246
PostQuitMessage.USER32(00000000), ref: 00E33267

Strings

TaskbarCreated, xrefs: 00E3322D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 74afe7b4eaa61cc3f18ed9ab9fbe95799cba448879b280cacc74e4978e9042b0
Instruction ID: c44e2ca65a258e0d6253abcb2a0c4a8db98934938697a591c013adcf86d4dfc5
Opcode Fuzzy Hash: 74afe7b4eaa61cc3f18ed9ab9fbe95799cba448879b280cacc74e4978e9042b0
Instruction Fuzzy Hash: EA413B35600204ABDB141B789D0DFBA3E99F705348F14712AFA0AB61F2C7718E41E761

Function 00E32C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E32C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E32CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E31CAD,?), ref: 00E32CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00E31CAD,?), ref: 00E32CCF

Strings

edit, xrefs: 00E32CAC
AutoIt v3, xrefs: 00E32C89, 00E32C8E, 00E32C8F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ac28bc46c7f0ad97c52f2643819f8830825e15a3f52f4c69ad8e0fa351f442f7
Instruction ID: 3a42c09c4b68fda2bc1821765cb25e45bf7190b66d6eca71938d2003a65e3036
Opcode Fuzzy Hash: ac28bc46c7f0ad97c52f2643819f8830825e15a3f52f4c69ad8e0fa351f442f7
Instruction Fuzzy Hash: 15F0DA755403987AEB311727AC09E773EBDF7C6F50B10106EF904A25A0C6721855EAB0

Function 00E9E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00E9E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00E9E9A5
Sleep.KERNEL32(00000000), ref: 00E9E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00E9E9B7
Sleep.KERNELBASE ref: 00E9E9F3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: a61d8b740700840114de7cf20cfc53e283d831cb95ce22fe034becf5a4da51dd
Instruction ID: 1583b9fc404f42b5e7343243e6ba45e43e33f13e1b47ecd05a1efcb553cb0101
Opcode Fuzzy Hash: a61d8b740700840114de7cf20cfc53e283d831cb95ce22fe034becf5a4da51dd
Instruction Fuzzy Hash: F5015B31C01529DBCF04DBE6DC59ADDBB78FB48300F150596E602B2241CB31999587A1

Function 00E33B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00E33B0F,SwapMouseButtons,00000004,?), ref: 00E33B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00E33B0F,SwapMouseButtons,00000004,?), ref: 00E33B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00E33B0F,SwapMouseButtons,00000004,?), ref: 00E33B83

Strings

Control Panel\Mouse, xrefs: 00E33B3E

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6f62645042fef81cf88f349385afdeb01e827d8175e5c58300968d3bb3828a36
Instruction ID: 4c958ef63c8fd51a11b97ab6266fb044bf22f6c06ffcf3074815e314cd049ac8
Opcode Fuzzy Hash: 6f62645042fef81cf88f349385afdeb01e827d8175e5c58300968d3bb3828a36
Instruction Fuzzy Hash: 651127B5610208FFDB208FA5DC89EEEBBB9EF04744F10946AF805E7110E2319E45DBA0

Function 00E33923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E733A2

Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E33A04

Strings

Line: , xrefs: 00E733EB

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 95c25f15b8db62bb32f2dea178c3f4412a37b57360fa251131de740ecd1bf5e4
Instruction ID: 02239cfbc4f377713418315f272240cee5dacae34a722a99cd6d83b71b3d0846
Opcode Fuzzy Hash: 95c25f15b8db62bb32f2dea178c3f4412a37b57360fa251131de740ecd1bf5e4
Instruction Fuzzy Hash: 3031A371508304ABD725EB30DC49FEBBBE8BB84714F10A92EF599A20D1DB709649D7C2

Function 00E32DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00E72C8C

Part of subcall function 00E33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E33A97,?,?,00E32E7F,?,?,?,00000000), ref: 00E33AC2

Part of subcall function 00E32DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E32DC4

Strings

`e, xrefs: 00E72C85
X, xrefs: 00E72C5A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e
API String ID: 779396738-4036142377
Opcode ID: ac438954e9fe67170de76f96060fc081b5e360ecb08e03b9fbc65e2809cffaad
Instruction ID: 007e15086def16c1667be0199ef8570d80c98d4fe7a9e23bb19b41cc17a781d6
Opcode Fuzzy Hash: ac438954e9fe67170de76f96060fc081b5e360ecb08e03b9fbc65e2809cffaad
Instruction Fuzzy Hash: 3521A571A0025C9FDB01EF94C84ABEEBBF8AF49304F009059E649B7241DBB45A49CFA1

Function 00E4FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00E50668

Part of subcall function 00E532A4: RaiseException.KERNEL32(?,?,?,00E5068A,?,00F01444,?,?,?,?,?,?,00E5068A,00E31129,00EF8738,00E31129), ref: 00E53304

__CxxThrowException@8.LIBVCRUNTIME ref: 00E50685

Strings

Unknown exception, xrefs: 00E50692

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 0017fb9efa5d64f1a946c15cf05a39a2a0e721516655645b26f6dcf143aac419
Instruction ID: 384043b9b05d9277f44fdd4d252c128d89441c94e80afe573df04d62da25c612
Opcode Fuzzy Hash: 0017fb9efa5d64f1a946c15cf05a39a2a0e721516655645b26f6dcf143aac419
Instruction Fuzzy Hash: D3F0FF3490020D638B00BAB4E846EAE7BAC5E00345B606931FD14F69E2EFB1DA6DC580

Function 00E310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E31BF4
Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E31BFC
Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E31C07
Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E31C12
Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E31C1A
Part of subcall function 00E31BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E31C22

Part of subcall function 00E31B4A: RegisterWindowMessageW.USER32(00000004,?,00E312C4), ref: 00E31BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E3136A
OleInitialize.OLE32 ref: 00E31388
CloseHandle.KERNEL32(00000000,00000000), ref: 00E724AB

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 68b3c63cc69dcc971998a574c034a026e22f798ae4977c36466ec911aab9f9e2
Instruction ID: b9522a073e9df935f42b489f43975a7f88ff79bf152d2e53e701f93a5e5cabcc
Opcode Fuzzy Hash: 68b3c63cc69dcc971998a574c034a026e22f798ae4977c36466ec911aab9f9e2
Instruction Fuzzy Hash: 7571CDB89013088FC794DF79AD49A657AE0FBC9344758922EE44AEB3B2EB304545FF41

Function 00E9C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E33923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E33A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E9C259
KillTimer.USER32(?,00000001,?,?), ref: 00E9C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E9C270

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 817f08eaa996c34f8842f09c3f51b06b8c228044b0711df427d845e550fae009
Instruction ID: c577b633ec5e3751a81df3871380fdceae17cbebc0d46d0ba068aec274423cd1
Opcode Fuzzy Hash: 817f08eaa996c34f8842f09c3f51b06b8c228044b0711df427d845e550fae009
Instruction Fuzzy Hash: A331B470904744AFEF229B748855BEABBECAB06308F10549AD59EB3251C3745A89CB51

Function 00E686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00E685CC,?,00EF8CC8,0000000C), ref: 00E68704
GetLastError.KERNEL32(?,00E685CC,?,00EF8CC8,0000000C), ref: 00E6870E
__dosmaperr.LIBCMT ref: 00E68739

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: f009efbf99cffe208b4f7ebc18eed31fcad030f26b328c3b5ba19eba0e72b6be
Instruction ID: e29b01c60ed46ea80a8ffed698468a6251cc46e09d20e5bd1d90f4a5b653264f
Opcode Fuzzy Hash: f009efbf99cffe208b4f7ebc18eed31fcad030f26b328c3b5ba19eba0e72b6be
Instruction Fuzzy Hash: BC016B337C42601AC2306234FA45B7E27894B81BFCF383329F918FB2D2DEA18C819150

Function 00E3DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00E3DB7B
DispatchMessageW.USER32(?), ref: 00E3DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E3DB9F
Sleep.KERNELBASE(0000000A), ref: 00E3DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00E81CC9

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: f645a0b7adcb810438de7f0aa9500c3cae219554b5e0c0b02b7e94e31d11c7bb
Instruction ID: 815816812aa7990523cf2a848ecb100789125ce2cf0a2021aa242c927b1ae96a
Opcode Fuzzy Hash: f645a0b7adcb810438de7f0aa9500c3cae219554b5e0c0b02b7e94e31d11c7bb
Instruction Fuzzy Hash: 1FF05E306483849BE734DB71DC89FEAB7ACFB44314F105929E60EA30C0DB30A449DB15

Function 00E41310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E417F6

Strings

CALL, xrefs: 00E417C6

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: ee7d4cb55ad94859c12e47ae8c519e85e3931e7c6a3249e800900d9d10a7ba30
Instruction ID: f3fa0457b3f69b485de779c835fe5d8c4400bb38e743587597e5ca6168b0bbab
Opcode Fuzzy Hash: ee7d4cb55ad94859c12e47ae8c519e85e3931e7c6a3249e800900d9d10a7ba30
Instruction Fuzzy Hash: CC22BE706083419FCB14DF14D484B6ABBF1BF89314F18999DF49AAB361D731E885CB52

Function 00E33837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E33908

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 9dc8b6541d7eec58777a64ae739f108bb9febbe9930086e7ea89fda8ba5dd4dc
Instruction ID: da4810f8779eeedfa0c8707a881079e9247ceb1e0ae86782cbff775102afbce1
Opcode Fuzzy Hash: 9dc8b6541d7eec58777a64ae739f108bb9febbe9930086e7ea89fda8ba5dd4dc
Instruction Fuzzy Hash: C0319370504301DFD720DF34D889B97BBE4FB49709F00192EF599A3290E771AA44DB52

Function 00E4F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E4F661

Part of subcall function 00E3D730: GetInputState.USER32 ref: 00E3D807

Sleep.KERNEL32(00000000), ref: 00E8F2DE

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 83cd4432935e704f21f36530282e37916754871987f669c4887e3255acc34b53
Instruction ID: b1d9ff18b6c4205a66daeb85df0b0ae3167a2c85e98c3ca538f17caa524d0f08
Opcode Fuzzy Hash: 83cd4432935e704f21f36530282e37916754871987f669c4887e3255acc34b53
Instruction Fuzzy Hash: C6F08C31240205AFD310EF7AE849F6ABBE9EF45760F01102AE85EE7260DB70A800CB91

Function 00E3B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00E3BB4E

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 15cef2bcb2d48ffbdec6894021598fd067238bbe44e561745eaa959e6681d579
Instruction ID: 4c242e254955f00376e7cef407c5fbdfd1c659261c2420b842555f9d94fe10dd
Opcode Fuzzy Hash: 15cef2bcb2d48ffbdec6894021598fd067238bbe44e561745eaa959e6681d579
Instruction Fuzzy Hash: 1B32BE30A002099FDB24DF54C898BBABBF9FF44318F14A059EA0ABB261C775AD45DB51

Function 00EC2598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 00EC2649

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 976989fd479cbd7990ffd9656a74e5e148349a846ceca7f95ac3b21eaa3ffb4b
Instruction ID: 329e2d440431b7405319c6012305f85ad5b0794af2e4dc190088ad74fba98e38
Opcode Fuzzy Hash: 976989fd479cbd7990ffd9656a74e5e148349a846ceca7f95ac3b21eaa3ffb4b
Instruction Fuzzy Hash: 0621C574200215AFD710DF14C9D0E77B799EF4436CB24906CEA96AB392CB72ED42CB90

Function 00EC13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 00EC1420

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 13dbe5066691e6ecbcdb4972bd83c1d25aebb52fdbd4be9cf7976392fff50d80
Instruction ID: 22a2971113adab9f164b2516b7eb9f2de85b72920e3dbbb07e88de73f15b59fc
Opcode Fuzzy Hash: 13dbe5066691e6ecbcdb4972bd83c1d25aebb52fdbd4be9cf7976392fff50d80
Instruction Fuzzy Hash: 20316130604202AFD714DF25C495F69B7E1FF45318F1491ACE8666B352DB32EC52CB90

Function 00E34ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E34E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E34EDD,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E9C
Part of subcall function 00E34E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E34EAE
Part of subcall function 00E34E90: FreeLibrary.KERNEL32(00000000,?,?,00E34EDD,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34EFD

Part of subcall function 00E34E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E73CDE,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E62
Part of subcall function 00E34E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E34E74
Part of subcall function 00E34E59: FreeLibrary.KERNEL32(00000000,?,?,00E73CDE,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E87

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: def55a2ee248b78819cc5f0f8380ae92547fee7c08396a4217937dad195b1204
Instruction ID: a712a76a91b4259e5e6511e7cd5e167538e04925b5c7523bcbd7d10beb4aad37
Opcode Fuzzy Hash: def55a2ee248b78819cc5f0f8380ae92547fee7c08396a4217937dad195b1204
Instruction Fuzzy Hash: C5112372700305AACB14AB74DC0AFAD7BE5AF40710F24A42DF542BA1C1EE71AA05DB50

Function 00E68402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00E68440

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 7b8806e17f9cfbc46a75aca3990342bf82d64a976402e9f0bc60d702e95fe9f4
Instruction ID: dffbdfb222b10cf233dfbf5baa81535d9f9506e29ec12893dec5f3da36f4fd0c
Opcode Fuzzy Hash: 7b8806e17f9cfbc46a75aca3990342bf82d64a976402e9f0bc60d702e95fe9f4
Instruction Fuzzy Hash: EF11187590410AAFCB15DF58E941A9E7BF5EF48314F104199F818AB312DA31DA11CBA5

Function 00E65000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E64C7D: RtlAllocateHeap.NTDLL(00000008,00E31129,00000000,?,00E62E29,00000001,00000364,?,?,?,00E5F2DE,00E63863,00F01444,?,00E4FDF5,?), ref: 00E64CBE

_free.LIBCMT ref: 00E6506C

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 526ad4d52110a9cc6820b080a7b8ec1547eb433042fd129ef99394e1a5cea33d
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 710126732447056BE3218F65E881A9AFBE8FB893B0F25051DE194A32C0EA30A905C7B4

Function 00EC29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,00EC14B5,?), ref: 00EC2A01

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 72bc2d6c2ff53a5a0be488bc0d79fa49276874755125190c90aa08ff2b58b6ae
Instruction ID: 682b95e98c2c8c85e3946f4903ddfc414423cf85384b3f4ae3db6677065c3347
Opcode Fuzzy Hash: 72bc2d6c2ff53a5a0be488bc0d79fa49276874755125190c90aa08ff2b58b6ae
Instruction Fuzzy Hash: 79018C36300A41AFD324CA2DC654F223792EBC5318F29A46DD24BAB251DA33EC43C7A0

Function 00E5E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 72e9a84d15763991118e91917e8f85604ba65785ddba7df9149ae6342ea518dc
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 51F04932500A109AC7353A259C05B5A33C98F923F7F101F15FC21B22D1CBB0D90986A5

Function 00EC149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 00EC14EB

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 2351bd5cccb2720e25c06b6e6277bb2105c596ba01c0f03264008a569a06eebd
Instruction ID: 5ba20277bdf4483c2c7c2d59d02681524792a8505619dd7198fe9b7779ed1c1e
Opcode Fuzzy Hash: 2351bd5cccb2720e25c06b6e6277bb2105c596ba01c0f03264008a569a06eebd
Instruction Fuzzy Hash: 0E01D4353086419F9324DF6AC540E26BB95FF8632875490ADE85A9B743D633DD83CB80

Function 00E64C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00E31129,00000000,?,00E62E29,00000001,00000364,?,?,?,00E5F2DE,00E63863,00F01444,?,00E4FDF5,?), ref: 00E64CBE

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ce673951a691e7f193b3f6acc1b3692a16c5e652ac2e05a4a40d4678a148615a
Instruction ID: 2ca98a6b115300911138d5eca740ac1ee28ea2eff5d1d29f49f17d69d82ad73e
Opcode Fuzzy Hash: ce673951a691e7f193b3f6acc1b3692a16c5e652ac2e05a4a40d4678a148615a
Instruction Fuzzy Hash: 90F0BBB168212466FB215F66BC05F56B7C8BF817E5B186111FC15B63D0CA30D80156E0

Function 00E63820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6,?,00E31129), ref: 00E63852

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d0fe4dd26b03e0c28b22c73e6f558402a4627ba50540cf400afaaca826ed33fc
Instruction ID: 99abefcf7840c056d7f264c555b3756a126d9ad912f536247f31a5153dd38dce
Opcode Fuzzy Hash: d0fe4dd26b03e0c28b22c73e6f558402a4627ba50540cf400afaaca826ed33fc
Instruction Fuzzy Hash: 46E0E5311812245AE6292677BC05BDA36C9AB427F9F193220FC05B74D2CB11DD0282E0

Function 00E34F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34F6D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1f35e08d95be230739613567cf081909c49611afff5c07cabf07db9a70969e95
Instruction ID: 8e524cb45dbae1bb8c8a89f8d6535b4307c46f43e5b0349043f8a07ff99ef368
Opcode Fuzzy Hash: 1f35e08d95be230739613567cf081909c49611afff5c07cabf07db9a70969e95
Instruction Fuzzy Hash: C1F0A0B0205701CFCB348F21D498812BBF0FF00319728A9BEE1DAA2650C731A848DF00

Function 00EC2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EC2A66

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e55513c01801c01363e75d56daeab1cb4136ebbf24d3e52b801286667593da38
Instruction ID: b7c24d00abafa0c6e85bff4ceb82699ae33c79833355d2e0e599538b5ea26e85
Opcode Fuzzy Hash: e55513c01801c01363e75d56daeab1cb4136ebbf24d3e52b801286667593da38
Instruction Fuzzy Hash: 05E0DF32350116AACB10EB34DC80EFA738CEB50394B10503EED1AE2100DB319A8682A0

Function 00E32DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E32DC4

Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fcb319d1d073d975e7e6d5a645f6391e6bb59905bcac2a4643139d893afdfc0a
Instruction ID: f08674dff77a0b609edc44c1210419cbf66389ef109c1b314176de299c6ea41f
Opcode Fuzzy Hash: fcb319d1d073d975e7e6d5a645f6391e6bb59905bcac2a4643139d893afdfc0a
Instruction Fuzzy Hash: 10E0CD72A002245BC71092589C09FDA77EDDFC8790F0440B1FD0DF7258D960AD84C650

Function 00E32B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E33837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E33908

Part of subcall function 00E3D730: GetInputState.USER32 ref: 00E3D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00E32B6B

Part of subcall function 00E330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00E3314E

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: a985dcfdfd3f62590f97c13252c25ff308089538755a45a6ffc0668594fa99db
Instruction ID: 436cf4c8a28993bd19577fdf0545320a9693bd22f3a22e77e17a83c2428793c8
Opcode Fuzzy Hash: a985dcfdfd3f62590f97c13252c25ff308089538755a45a6ffc0668594fa99db
Instruction Fuzzy Hash: D9E0262530424406C608BB34A81A87DFFD9ABD2311F40343EF142A31A3CF244549C211

Function 00E93D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E93D18

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 20b102e8fbba42898ad94b859028f996ad4dd03327168bc6db130effea0f25ec
Instruction ID: 384a46df1052ff53cf5674e8c5337ae0a888ca32f931267d682fb8366ba3e6c1
Opcode Fuzzy Hash: 20b102e8fbba42898ad94b859028f996ad4dd03327168bc6db130effea0f25ec
Instruction Fuzzy Hash: B7D012E0AA03087EFB0083728D0BEBB329CC316E85F104BA4BA02E64C1D9A1DE090230

Function 00E7039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00E70704,?,?,00000000,?,00E70704,00000000,0000000C), ref: 00E703B7

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7b316b5e6c4bbb450312487ba8ea5369983ab508649c3278cfa5d14ec17317a5
Instruction ID: 852ceba70778a00176d13a258da35ec0015d3ff2c773d1c2e27d139d8d0fac15
Opcode Fuzzy Hash: 7b316b5e6c4bbb450312487ba8ea5369983ab508649c3278cfa5d14ec17317a5
Instruction Fuzzy Hash: 55D06C3204010DBFDF028F86DD06EDA3BAAFB48714F114010FE5866020C732E822AB90

Function 00E31CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00E31CBC

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 352f9ea3a8117fe84ba00f6ade44a34e98e0a064819751fdd714ec02b7cde021
Instruction ID: f80e52c7758901027598ad82594221b43c5ee1b7ffcdeec559c2d75e598c4bef
Opcode Fuzzy Hash: 352f9ea3a8117fe84ba00f6ade44a34e98e0a064819751fdd714ec02b7cde021
Instruction Fuzzy Hash: 56C09236280308AFF7148B80BC4EF207764B34CB00F188001FA0DA95E3C3A22822FA64

Non-executed Functions

Function 00EC9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EC961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EC965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00EC969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EC96C9
SendMessageW.USER32 ref: 00EC96F2
GetKeyState.USER32(00000011), ref: 00EC978B
GetKeyState.USER32(00000009), ref: 00EC9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EC97AE
GetKeyState.USER32(00000010), ref: 00EC97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EC97E9
SendMessageW.USER32 ref: 00EC9810
SendMessageW.USER32(?,00001030,?,00EC7E95), ref: 00EC9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EC992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EC9941
SetCapture.USER32(?), ref: 00EC994A
ClientToScreen.USER32(?,?), ref: 00EC99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EC99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EC99D6
ReleaseCapture.USER32 ref: 00EC99E1
GetCursorPos.USER32(?), ref: 00EC9A19
ScreenToClient.USER32(?,?), ref: 00EC9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EC9A80
SendMessageW.USER32 ref: 00EC9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EC9AEB
SendMessageW.USER32 ref: 00EC9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EC9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EC9B4A
GetCursorPos.USER32(?), ref: 00EC9B68
ScreenToClient.USER32(?,?), ref: 00EC9B75
GetParent.USER32(?), ref: 00EC9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EC9BFA
SendMessageW.USER32 ref: 00EC9C2B
ClientToScreen.USER32(?,?), ref: 00EC9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EC9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EC9CDE
SendMessageW.USER32 ref: 00EC9D01
ClientToScreen.USER32(?,?), ref: 00EC9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EC9D82

Part of subcall function 00E49944: GetWindowLongW.USER32(?,000000EB), ref: 00E49952

GetWindowLongW.USER32(?,000000F0), ref: 00EC9E05

Strings

@GUI_DRAGID, xrefs: 00EC997D
F, xrefs: 00EC9D07

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 6ff1bc1182b9094619ca012cf43cc4782700229d6b9039b53e80144201f13e13
Instruction ID: f5651bdf4cd7692cd303dec93a8983d0d574c9e455307edfc4fbe2879f5abea1
Opcode Fuzzy Hash: 6ff1bc1182b9094619ca012cf43cc4782700229d6b9039b53e80144201f13e13
Instruction Fuzzy Hash: 3C428B34204200AFD724CF24CE48FAABBE5FF48714F14161DF699A72A2D732E956DB52

Function 00EC4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00EC48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00EC4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00EC4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00EC494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00EC495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00EC497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00EC49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00EC49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00EC4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00EC4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00EC4A7E
IsMenu.USER32(?), ref: 00EC4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EC4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EC4B20
GetWindowLongW.USER32(?,000000F0), ref: 00EC4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00EC4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00EC4C82
wsprintfW.USER32 ref: 00EC4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EC4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00EC4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EC4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EC4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00EC4D5A

Strings

%d/%02d/%02d, xrefs: 00EC4CA8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 3433e3adac7ae544e54f9da2bada8f1ab40559007f19b57c1d702fdb1bb43e81
Instruction ID: 12811925069181bb2702f7afeb97af6f93e7ea0c7fb17bb481e9bb2de7583eca
Opcode Fuzzy Hash: 3433e3adac7ae544e54f9da2bada8f1ab40559007f19b57c1d702fdb1bb43e81
Instruction Fuzzy Hash: 151211B1600254AFEB248F24CE59FAE7BF8AF44714F10612DF41AFA2E0D7769942CB50

Function 00E4F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00E4F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E8F474
IsIconic.USER32(00000000), ref: 00E8F47D
ShowWindow.USER32(00000000,00000009), ref: 00E8F48A
SetForegroundWindow.USER32(00000000), ref: 00E8F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E8F4AA
GetCurrentThreadId.KERNEL32 ref: 00E8F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E8F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E8F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E8F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00E8F4DE
SetForegroundWindow.USER32(00000000), ref: 00E8F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E8F4F6
keybd_event.USER32(00000012,00000000), ref: 00E8F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E8F50B
keybd_event.USER32(00000012,00000000), ref: 00E8F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E8F519
keybd_event.USER32(00000012,00000000), ref: 00E8F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E8F528
keybd_event.USER32(00000012,00000000), ref: 00E8F52D
SetForegroundWindow.USER32(00000000), ref: 00E8F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00E8F557

Strings

Shell_TrayWnd, xrefs: 00E8F46F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 45d7dca222aa76e814c5dbab729ecc75a8b5ecdc539fc8abef026a8e50a5220b
Instruction ID: 0eea81e461974eec740a100d6ba36ca6a7876bca8531e162b13a54ffbd0b8f52
Opcode Fuzzy Hash: 45d7dca222aa76e814c5dbab729ecc75a8b5ecdc539fc8abef026a8e50a5220b
Instruction Fuzzy Hash: 63314371A40218BFEB206BB65C4AFBF7E6CEB44B50F201076FA09F61D1C6B55D01AB61

Function 00E91201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00E916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E9170D
Part of subcall function 00E916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E9173A
Part of subcall function 00E916C3: GetLastError.KERNEL32 ref: 00E9174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00E91286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00E912A8
CloseHandle.KERNEL32(?), ref: 00E912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E912D1
GetProcessWindowStation.USER32 ref: 00E912EA
SetProcessWindowStation.USER32(00000000), ref: 00E912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E91310

Part of subcall function 00E910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E911FC), ref: 00E910D4
Part of subcall function 00E910BF: CloseHandle.KERNEL32(?,?,00E911FC), ref: 00E910E9

Strings

default, xrefs: 00E9130B
winsta0, xrefs: 00E912CC
Z, xrefs: 00E91392
, xrefs: 00E9125A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z
API String ID: 22674027-1808616255
Opcode ID: 9fff41811e53895b0fed305d204283e560a25056e107b2f82cf7e0e1a500137b
Instruction ID: 896bd15f31c4fddcc1c92283a85ecca6fc2b1f00e9e5ff851ec4e26124394f7d
Opcode Fuzzy Hash: 9fff41811e53895b0fed305d204283e560a25056e107b2f82cf7e0e1a500137b
Instruction Fuzzy Hash: 1F81A27190020AAFEF119FA5DC49FEE7BB9EF08708F1451A9F925F62A0D7318955CB20

Function 00E90B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E91114
Part of subcall function 00E910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91120
Part of subcall function 00E910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E9112F
Part of subcall function 00E910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91136
Part of subcall function 00E910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E90BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E90C00
GetLengthSid.ADVAPI32(?), ref: 00E90C17
GetAce.ADVAPI32(?,00000000,?), ref: 00E90C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E90C6D
GetLengthSid.ADVAPI32(?), ref: 00E90C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00E90C8C
HeapAlloc.KERNEL32(00000000), ref: 00E90C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E90CB4
CopySid.ADVAPI32(00000000), ref: 00E90CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E90CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E90D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E90D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90D45
HeapFree.KERNEL32(00000000), ref: 00E90D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90D55
HeapFree.KERNEL32(00000000), ref: 00E90D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90D65
HeapFree.KERNEL32(00000000), ref: 00E90D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00E90D78
HeapFree.KERNEL32(00000000), ref: 00E90D7F

Part of subcall function 00E91193: GetProcessHeap.KERNEL32(00000008,00E90BB1,?,00000000,?,00E90BB1,?), ref: 00E911A1
Part of subcall function 00E91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00E90BB1,?), ref: 00E911A8
Part of subcall function 00E91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00E90BB1,?), ref: 00E911B7

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: cc4ca4d85de614b14835851f91a0f8facbf9fe6e70f25f140ff0b96f8cd43e1e
Instruction ID: 61f8fb7f234382c35ad11eac2e324a3bb353e9e0c11da42c22745c89a652dcef
Opcode Fuzzy Hash: cc4ca4d85de614b14835851f91a0f8facbf9fe6e70f25f140ff0b96f8cd43e1e
Instruction Fuzzy Hash: 75716B7290020AAFDF10DFA6DC45FEEBBBCBF04318F544525E918B6291D771AA46CB60

Function 00EAEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00ECCC08), ref: 00EAEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00EAEB37
GetClipboardData.USER32(0000000D), ref: 00EAEB43
CloseClipboard.USER32 ref: 00EAEB4F
GlobalLock.KERNEL32(00000000), ref: 00EAEB87
CloseClipboard.USER32 ref: 00EAEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00EAEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00EAEBC9
GetClipboardData.USER32(00000001), ref: 00EAEBD1
GlobalLock.KERNEL32(00000000), ref: 00EAEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00EAEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00EAEC38
GetClipboardData.USER32(0000000F), ref: 00EAEC44
GlobalLock.KERNEL32(00000000), ref: 00EAEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00EAEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EAEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00EAECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00EAECF3
CountClipboardFormats.USER32 ref: 00EAED14
CloseClipboard.USER32 ref: 00EAED59

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: ffbee777ffb58e36c028d40664576b99d2c0598b5a6d79852b77977ca6229a41
Instruction ID: 304f640174e9564914b038379856ce93b45e3e82c08f3de9b2b6f212e6131401
Opcode Fuzzy Hash: ffbee777ffb58e36c028d40664576b99d2c0598b5a6d79852b77977ca6229a41
Instruction Fuzzy Hash: 8E61B3341042019FD310DF24D889F6ABBE4AF89718F14656DF456BB2A1CB31ED0ACB62

Function 00EA698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EA69BE
FindClose.KERNEL32(00000000), ref: 00EA6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EA6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EA6A75

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00EA6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EA6ADF

Strings

%4d, xrefs: 00EA6BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00EA6B6A
%02d, xrefs: 00EA6C00, 00EA6C0A, 00EA6C5A, 00EA6CAA, 00EA6CFA, 00EA6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00EA6B32
%03d, xrefs: 00EA6DA2

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 688b6bfe1187ba354594b133c8f52d4e55e095928cb8d6760aa45fdff9b86377
Instruction ID: 649cb6e686de9ad661934edb40b5fcb130ae3caddc7dab74c691da020d7dbab0
Opcode Fuzzy Hash: 688b6bfe1187ba354594b133c8f52d4e55e095928cb8d6760aa45fdff9b86377
Instruction Fuzzy Hash: ECD173B2508300AFC714EBA4C995EBBBBECAF89704F04591DF585E7191EB74DA04CB62

Function 00EA9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00EA9663
GetFileAttributesW.KERNEL32(?), ref: 00EA96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00EA96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00EA96D3
FindClose.KERNEL32(00000000), ref: 00EA96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00EA96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA974A
SetCurrentDirectoryW.KERNEL32(00EF6B7C), ref: 00EA9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EA9772
FindClose.KERNEL32(00000000), ref: 00EA977F
FindClose.KERNEL32(00000000), ref: 00EA978F

Strings

*.*, xrefs: 00EA96F5

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 80bb72946fad32d9db166ca7920a41377ab3a8d74f3c4c28ffd9f10df0bde1ba
Instruction ID: c5e29b6a27d5c00f95d66f557299edbb5f0504ba1ed382c8dafef19e361fc355
Opcode Fuzzy Hash: 80bb72946fad32d9db166ca7920a41377ab3a8d74f3c4c28ffd9f10df0bde1ba
Instruction Fuzzy Hash: E031E3325006096FDB14EFB5DC08EEE77BC9F4E324F1050A6F914F60A1DB31E9458A20

Function 00EA979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00EA97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00EA9819
FindClose.KERNEL32(00000000), ref: 00EA9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00EA9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA9890
SetCurrentDirectoryW.KERNEL32(00EF6B7C), ref: 00EA98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EA98B8
FindClose.KERNEL32(00000000), ref: 00EA98C5
FindClose.KERNEL32(00000000), ref: 00EA98D5

Part of subcall function 00E9DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E9DB00

Strings

*.*, xrefs: 00EA983B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 86946056829065bc77d3f6aaf0ebb25dee96e84e3763772581abf7975d74c536
Instruction ID: 7f7884ca8a80b3f6450a5eb1c470792bf40e3977921b5da1514d60bbe2837993
Opcode Fuzzy Hash: 86946056829065bc77d3f6aaf0ebb25dee96e84e3763772581abf7975d74c536
Instruction Fuzzy Hash: 0D31D4325006196EDF18EFB5EC48EEE77BC9F0B324F2051A5E914B60A1DB35E949CB20

Function 00EBBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBB6AE,?,?), ref: 00EBC9B5
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBC9F1
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA68
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00EBBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00EBBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EBC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EBC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EBC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EBC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00EBC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00EBC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EBC382
RegCloseKey.ADVAPI32(00000000), ref: 00EBC38F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 2e0a7960c74f36c94bc78ab6fe956297d743bd31d4b025d1801a77e7126d0a01
Instruction ID: a084ed9cb2f64fee8855bcec977473af27a93791385db05d69c33cc7a6cafb49
Opcode Fuzzy Hash: 2e0a7960c74f36c94bc78ab6fe956297d743bd31d4b025d1801a77e7126d0a01
Instruction Fuzzy Hash: 75027271604200AFC714DF24C895E6ABBE5EF89318F58D49DF84AEB2A2D731EC46CB51

Function 00EA8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EA8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00EA8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00EA8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EA8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EA838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8395

Strings

*.*, xrefs: 00EA839B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 25e2283b6fa1029d8a36b054f3e10967c2b7e8aa45eec1cca7fe2e42fdc6d110
Instruction ID: 437d438f9c3f5b59ac15d22964e84d56798cec212a5a493bfcf9ae37d6f88c76
Opcode Fuzzy Hash: 25e2283b6fa1029d8a36b054f3e10967c2b7e8aa45eec1cca7fe2e42fdc6d110
Instruction Fuzzy Hash: 25619D725043059FCB10EF60C8449AEB7E8FF89314F04582EF989A7251EB31F949CB92

Function 00E9D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E33A97,?,?,00E32E7F,?,?,?,00000000), ref: 00E33AC2

Part of subcall function 00E9E199: GetFileAttributesW.KERNEL32(?,00E9CF95), ref: 00E9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00E9D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00E9D1DD
MoveFileW.KERNEL32(?,?), ref: 00E9D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00E9D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E9D237

Part of subcall function 00E9D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00E9D21C,?,?), ref: 00E9D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00E9D253
FindClose.KERNEL32(00000000), ref: 00E9D264

Strings

\*.*, xrefs: 00E9D0CD, 00E9D0D6, 00E9D0EB

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 7e2be05718a206cb69eed8e7834525b07ffabd2caa0bba72740c3481ce4f44a7
Instruction ID: d94f386219935351aebdf9b29f681cf9cc8ec70d28c4faaa5f0c287ce8384d90
Opcode Fuzzy Hash: 7e2be05718a206cb69eed8e7834525b07ffabd2caa0bba72740c3481ce4f44a7
Instruction Fuzzy Hash: 96617A3180911DAECF05EBE0DE969FDBBB5AF54304F246065E442771A2EB31AF09CB60

Function 00EAED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00EAED91
EmptyClipboard.USER32 ref: 00EAED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00EAEDAC
CloseClipboard.USER32 ref: 00EAEEA3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e0be149f6c4662e9ee9cd50ddbce867052a1721ba43cde29d3cb6193fb9563a2
Instruction ID: 9aa2c1278d1f44069e28c43cd4f42a0619174085dc27632687828ae78ed57534
Opcode Fuzzy Hash: e0be149f6c4662e9ee9cd50ddbce867052a1721ba43cde29d3cb6193fb9563a2
Instruction Fuzzy Hash: EE418B35204611AFD720CF26D888F59BBE1AF49319F24D0A9E419AF762C736FC42CB90

Function 00E9E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00E916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E9170D
Part of subcall function 00E916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E9173A
Part of subcall function 00E916C3: GetLastError.KERNEL32 ref: 00E9174A

ExitWindowsEx.USER32(?,00000000), ref: 00E9E932

Strings

, xrefs: 00E9E920
@, xrefs: 00E9E925
SeShutdownPrivilege, xrefs: 00E9E902
, xrefs: 00E9E95C

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: aca35fc8b38c2684144de454c4a8663696de6a1643423f9999dca343875c3be5
Instruction ID: 5ca94b90195d7ae3e6f5a624a91080f4739617390760f86b6f75c64940812625
Opcode Fuzzy Hash: aca35fc8b38c2684144de454c4a8663696de6a1643423f9999dca343875c3be5
Instruction Fuzzy Hash: 8D014932A10311AFEF14A2B59C86FFF72ACA744754F242461FE03F22D2D9A15C448190

Function 00EB1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00EB1276
WSAGetLastError.WSOCK32 ref: 00EB1283
bind.WSOCK32(00000000,?,00000010), ref: 00EB12BA
WSAGetLastError.WSOCK32 ref: 00EB12C5
closesocket.WSOCK32(00000000), ref: 00EB12F4
listen.WSOCK32(00000000,00000005), ref: 00EB1303
WSAGetLastError.WSOCK32 ref: 00EB130D
closesocket.WSOCK32(00000000), ref: 00EB133C

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: af779e249f53ad0eaf8df257916f6ad27578d9ed587a1e0531b5773904b33a2f
Instruction ID: 4c203d65a34314422ef598bf8fbba81b29366b695cacbdfec08b103e95f38c56
Opcode Fuzzy Hash: af779e249f53ad0eaf8df257916f6ad27578d9ed587a1e0531b5773904b33a2f
Instruction Fuzzy Hash: 6C4196316001409FD714DF24C498B6ABBE5AF46328F6891D8D856AF2A2C771ED86CBE1

Function 00E6B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E6B9D4
_free.LIBCMT ref: 00E6B9F8
_free.LIBCMT ref: 00E6BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00ED3700), ref: 00E6BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00E6BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F01270,000000FF,?,0000003F,00000000,?), ref: 00E6BC36
_free.LIBCMT ref: 00E6BD4B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: f10315632ff17765f2257c555ff9ab75712cebbeca7121ec1e739e25f8f59c01
Instruction ID: ef272e22f5382494105387d6412b6b8f20df0c33814a95a02cc242bc4e0db3ab
Opcode Fuzzy Hash: f10315632ff17765f2257c555ff9ab75712cebbeca7121ec1e739e25f8f59c01
Instruction Fuzzy Hash: B7C12A71A842089FDB20DF79AC41AAABBF9EF41394F14619AE594F7252E7308E81C750

Function 00E9D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E33A97,?,?,00E32E7F,?,?,?,00000000), ref: 00E33AC2

Part of subcall function 00E9E199: GetFileAttributesW.KERNEL32(?,00E9CF95), ref: 00E9E19A

FindFirstFileW.KERNEL32(?,?), ref: 00E9D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00E9D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E9D481
FindClose.KERNEL32(00000000), ref: 00E9D498
FindClose.KERNEL32(00000000), ref: 00E9D4A1

Strings

\*.*, xrefs: 00E9D3F2

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bfce7f2a8f155dd2c5535d6be41146a6d36b2fb03bff3eb6081c7828166759e6
Instruction ID: bc2935559dcecd9f58315832a5eec5a38a9c1ecd1a84ac077efda5b49673bb11
Opcode Fuzzy Hash: bfce7f2a8f155dd2c5535d6be41146a6d36b2fb03bff3eb6081c7828166759e6
Instruction Fuzzy Hash: 3531707100C3559FC704EF64D8558AFBBE8AE91314F446A2DF4E5731A1EB21AA09CB63

Function 00E6E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00E6E645

Strings

1#INF, xrefs: 00E6F852
1#IND, xrefs: 00E6F83D
1#SNAN, xrefs: 00E6F844
1#QNAN, xrefs: 00E6F84B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 54e9296a078322a9e8991ba9fd9ada940e5023c5eb1ba9af3e7b5fddf793a82c
Instruction ID: a83b344b2b4eda44b03b1d0501f212a0f77c5043f72db34d53b1ad645d1c1818
Opcode Fuzzy Hash: 54e9296a078322a9e8991ba9fd9ada940e5023c5eb1ba9af3e7b5fddf793a82c
Instruction Fuzzy Hash: 8FC25B71E486288FDB25CE28ED407EAB7B5EB44345F1451EAD80EF7281E774AE858F40

Function 00EA648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EA64DC
CoInitialize.OLE32(00000000), ref: 00EA6639
CoCreateInstance.OLE32(00ECFCF8,00000000,00000001,00ECFB68,?), ref: 00EA6650
CoUninitialize.OLE32 ref: 00EA68D4

Strings

.lnk, xrefs: 00EA64BA, 00EA6524, 00EA65E0

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 84a18123fb0d5be2008610dabe51a024e134c916c07718c2c66092a147700979
Instruction ID: 92012fdafc706899d19b504c162a9a38b88337cc58bcb88b86e66b2b7e38cfd3
Opcode Fuzzy Hash: 84a18123fb0d5be2008610dabe51a024e134c916c07718c2c66092a147700979
Instruction Fuzzy Hash: 01D16971608301AFC314EF24C885E6BBBE8FF99304F14596DF595AB291EB70E905CB92

Function 00EB22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00EB22E8

Part of subcall function 00EAE4EC: GetWindowRect.USER32(?,?), ref: 00EAE504

GetDesktopWindow.USER32 ref: 00EB2312
GetWindowRect.USER32(00000000), ref: 00EB2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00EB2355
GetCursorPos.USER32(?), ref: 00EB2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EB23DF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 529ddba14ddfa396e5585c3aabe34e53589a56ad3c852fabd149c5704bccd18b
Instruction ID: 382b2f9f89286223963bdef3fd8c16a8e178598233995b5bd5abc42fcf5eb5d4
Opcode Fuzzy Hash: 529ddba14ddfa396e5585c3aabe34e53589a56ad3c852fabd149c5704bccd18b
Instruction Fuzzy Hash: 3731DE72104306AFCB20DF55C848E9BB7E9FF88314F10192DFA89A7191DB35E909CB92

Function 00EA9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00EA9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00EA9C8B

Part of subcall function 00EA3874: GetInputState.USER32 ref: 00EA38CB
Part of subcall function 00EA3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EA3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00EA9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00EA9C75

Strings

*.*, xrefs: 00EA9B5D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: c027cedb083b07ed095f408947747dc09e7845ec463fdf0249e70a6e223f9b98
Instruction ID: 93f28f0c69b507148abf75c3cde116d967e0a46a3e35265396bbb66b5274e88d
Opcode Fuzzy Hash: c027cedb083b07ed095f408947747dc09e7845ec463fdf0249e70a6e223f9b98
Instruction Fuzzy Hash: E34172719046099FCF14DFA4C949AEEBBF4EF0A314F245065E815B6192DB31AE45CF60

Function 00E4997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E49A4E
GetSysColor.USER32(0000000F), ref: 00E49B23
SetBkColor.GDI32(?,00000000), ref: 00E49B36

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: f088425575d14ef03fea7cd952319659deb8d6965f3339caaaad1ed02c49623d
Instruction ID: ad8b209df580c503cbea699f9fd7bcaf1dd37d2fdcbabb6d0f13936151c409a8
Opcode Fuzzy Hash: f088425575d14ef03fea7cd952319659deb8d6965f3339caaaad1ed02c49623d
Instruction Fuzzy Hash: 8CA12C70108444AEE724AB3DAD48EBB36DDEB42358B242219F54AF6593CA26DD01E375

Function 00EB1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EB307A
Part of subcall function 00EB304E: _wcslen.LIBCMT ref: 00EB309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00EB185D
WSAGetLastError.WSOCK32 ref: 00EB1884
bind.WSOCK32(00000000,?,00000010), ref: 00EB18DB
WSAGetLastError.WSOCK32 ref: 00EB18E6
closesocket.WSOCK32(00000000), ref: 00EB1915

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: cc4eebd6d05f28b9c47f054df620d9a8c557dc463be7eede7cc11ca964b2ec03
Instruction ID: b8c815fa86943f20da11e1462800f93ae93254f57562f366c52663d6f1b50aaa
Opcode Fuzzy Hash: cc4eebd6d05f28b9c47f054df620d9a8c557dc463be7eede7cc11ca964b2ec03
Instruction Fuzzy Hash: A351E571A002006FDB14AF24C89AF6A7BE5AB44718F589098FA197F3D3C771AD41CBA1

Function 00EC1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00EC1CC0
IsWindowEnabled.USER32 ref: 00EC1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00EC1CDB
IsIconic.USER32 ref: 00EC1CE9
IsZoomed.USER32 ref: 00EC1CF7

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 68e1a6f4dc99a8133c04d2f372d7b71e8dac766dfb9bff8399db49279b63eb4d
Instruction ID: 308b9dadb65b4bed9d7d076cc010572650cedc2d4d0eaa14c0ee70e266ee61dc
Opcode Fuzzy Hash: 68e1a6f4dc99a8133c04d2f372d7b71e8dac766dfb9bff8399db49279b63eb4d
Instruction Fuzzy Hash: D32182317402105FD7248F1AC944F66BBE5AF96319F29A0ACE84AAB352C772DC43CB90

Function 00E38060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00E383FA
VUUU, xrefs: 00E3843C
VUUU, xrefs: 00E75DF0
ERCP, xrefs: 00E3813C
VUUU, xrefs: 00E383E8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 49682511f2ddce2fa60389ebaa2f4f630d68afb80b95cbdb9d708d5d6957ffc9
Instruction ID: 46f675ff8022bf35b6604cfe9e25462df0200d6532983852ce8a68a61c324216
Opcode Fuzzy Hash: 49682511f2ddce2fa60389ebaa2f4f630d68afb80b95cbdb9d708d5d6957ffc9
Instruction Fuzzy Hash: F8A27F71A0061ACBDF24CF58C9457EEBBB1FF54318F2491AAE819B7285DB709D81CB90

Function 00E54CE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00E628E9,(,00E54CBE,00000000,00EF88B8,0000000C,00E54E15,(,00000002,00000000,?,00E628E9,00000003,00E62DF7,?,?), ref: 00E54D09
TerminateProcess.KERNEL32(00000000,?,00E628E9,00000003,00E62DF7,?,?,?,00E5E6D1,?,00EF8A48,00000010,00E34F4A,?,?,00000000), ref: 00E54D10
ExitProcess.KERNEL32 ref: 00E54D22

Strings

(, xrefs: 00E54CEA

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID: (
API String ID: 1703294689-2063206799
Opcode ID: 01053c5b28704dc88558ae406840442f9a4fb2eee10cdaf2ccb5a8b9052e24df
Instruction ID: b372235ee7a0d356928925ab6e10ff34fbd53c063341e3cc23c45f2a23e435d4
Opcode Fuzzy Hash: 01053c5b28704dc88558ae406840442f9a4fb2eee10cdaf2ccb5a8b9052e24df
Instruction Fuzzy Hash: FFE0BFB1400148AFCF11AF55ED09E583B79FB4178AB145464FC09AB162CB36DD86CB50

Function 00E98298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E982AA

Strings

|, xrefs: 00E982DA
tb, xrefs: 00E984F4
(, xrefs: 00E982F0

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb$|
API String ID: 1659193697-1968160224
Opcode ID: ec668287a181932812e4fa1aff751be668eae2401a20010d92dd92fe80c845e1
Instruction ID: ef8cbc5838d8a7055253382d8d912daeb683a5fbc3206a82648df7064b57ed37
Opcode Fuzzy Hash: ec668287a181932812e4fa1aff751be668eae2401a20010d92dd92fe80c845e1
Instruction Fuzzy Hash: FF324775A007059FCB28CF59C5819AAB7F0FF48714B15D46EE49AEB3A1EB70E941CB40

Function 00EBA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EBA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00EBA6BA

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Process32NextW.KERNEL32(00000000,?), ref: 00EBA79C
CloseHandle.KERNEL32(00000000), ref: 00EBA7AB

Part of subcall function 00E4CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00E73303,?), ref: 00E4CE8A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: ddb0e31cb43ffb52e82512a4ab8609764308eaa0dd2ce775c0a69f59d1aa5bbc
Instruction ID: 2430166acebc65686ae053435e089a6164763502142e21392b079033a3bf6010
Opcode Fuzzy Hash: ddb0e31cb43ffb52e82512a4ab8609764308eaa0dd2ce775c0a69f59d1aa5bbc
Instruction Fuzzy Hash: F9517D71508300AFC714DF25D886A6BBBF8FF89714F04992DF589A7262EB70D904CB92

Function 00E9AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00E9AAAC
SetKeyboardState.USER32(00000080), ref: 00E9AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00E9AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00E9AB88

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5a54987e35d6673abd568a532b8d2a7140b4d8f145538d7af669410755dc050a
Instruction ID: 4f9d7d23f481e0fa7e542af5da14e6f0bcd84d5a98473705e2032001518b3d9d
Opcode Fuzzy Hash: 5a54987e35d6673abd568a532b8d2a7140b4d8f145538d7af669410755dc050a
Instruction Fuzzy Hash: 9B312A30A40208AFFF348B698C05BFA77A6AF44314F1C623AF585721D1E7758985C7D2

Function 00EACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00EACE89
GetLastError.KERNEL32(?,00000000), ref: 00EACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00EACEFE

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: b75f06ebc5e69a54b1e69227ed4d0a35864c1d85ff6bbd39ad29a30312532e64
Instruction ID: 563d51b798ad23e324265a80d8321132212c3f3e80e54d7b6ef6559dba75485d
Opcode Fuzzy Hash: b75f06ebc5e69a54b1e69227ed4d0a35864c1d85ff6bbd39ad29a30312532e64
Instruction Fuzzy Hash: 1F21BD75600705AFEB20CF65C948BA677F8EB05358F20982EE646B6151E770FE09CB90

Function 00EA5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EA5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00EA5D17
FindClose.KERNEL32(?), ref: 00EA5D5F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: a5d2eb2dbc15d23cbb6ad5852230873eba92bdc3c3de1df997aa2ec0244e145d
Instruction ID: e5735a5ffe8812f3d2844156dc3928f2dd14b722690805762ca581e99f9da071
Opcode Fuzzy Hash: a5d2eb2dbc15d23cbb6ad5852230873eba92bdc3c3de1df997aa2ec0244e145d
Instruction Fuzzy Hash: BF518A75604A019FC714CF28C498E96BBE4FF4A324F14955DE99AAB3A1CB30F905CF91

Function 00E62622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00E6271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E62724
UnhandledExceptionFilter.KERNEL32(?), ref: 00E62731

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 81daa1be27fd1bb93a5c735745b89ff0b6b918ce6f61bc485608805c250ba65b
Instruction ID: d32081bf2d5c497b955aec752d387f5b7f7b2498b8dd99bc7285aab0c9930160
Opcode Fuzzy Hash: 81daa1be27fd1bb93a5c735745b89ff0b6b918ce6f61bc485608805c250ba65b
Instruction Fuzzy Hash: 1131C274D4121CABCB21DF68DC88B9CBBB8AF08310F5051EAE91CA6261E7309F858F44

Function 00EA51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EA51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EA5238
SetErrorMode.KERNEL32(00000000), ref: 00EA52A1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 24df6a3eae324ae343ac3ca797faa04d1ed07a9595ea35cd2cee836a58647abb
Instruction ID: 443b5a7e9e439f32000d24b36a9559417f21d38d60591538de270755b7046816
Opcode Fuzzy Hash: 24df6a3eae324ae343ac3ca797faa04d1ed07a9595ea35cd2cee836a58647abb
Instruction Fuzzy Hash: BC312D75A00518DFDB00DF55D888EADBBF5FF49318F189099E805AB362DB31E856CBA0

Function 00E916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E50668
Part of subcall function 00E4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00E50685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E9170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E9173A
GetLastError.KERNEL32 ref: 00E9174A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f4c425b281c6e45e4289b3278b1aadb43ecb96f0f19837a6de4b95e56c0ada84
Instruction ID: 333e20e9674104f3781f338b15352365df713a93c8a3b1df54e1ceedaf7ef8de
Opcode Fuzzy Hash: f4c425b281c6e45e4289b3278b1aadb43ecb96f0f19837a6de4b95e56c0ada84
Instruction Fuzzy Hash: 6E11C1B2800305AFE7189F54EC86E6AB7F9EF04B14B24856EE05663241EB70BC428A20

Function 00E9D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00E9D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00E9D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00E9D650

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: bb5d31935200aa51a969deb2516ca40f013e59a8dcd330bbce40ce2a1945704d
Instruction ID: 6dec14edddae778af463505e6faee279ac21b798a3e532fe84f41eaec5f50dc5
Opcode Fuzzy Hash: bb5d31935200aa51a969deb2516ca40f013e59a8dcd330bbce40ce2a1945704d
Instruction Fuzzy Hash: AF115EB5E05228BFDB108F99EC45FAFBBBCEB45B50F108165F908F7290D6704A058BA1

Function 00E91663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00E9168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E916A1
FreeSid.ADVAPI32(?), ref: 00E916B1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e333af14bc5a24edeb3662f8f6dfc34ec6f50183314511e3214de84ec7cd04cd
Instruction ID: cd40c0fd588b0030916f960c1936572deb200e81004d47497dd84e7cda5a0a2c
Opcode Fuzzy Hash: e333af14bc5a24edeb3662f8f6dfc34ec6f50183314511e3214de84ec7cd04cd
Instruction Fuzzy Hash: 64F04471940309FFDF00CFE08C8AEAEBBBCFB08204F1044A1E900E2181E331AA088A54

Function 00E6C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00E6C36C

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 3c1e541af4b398501acd9fd29dece0799bca67dd8825652c69b0dddfac3bdf0e
Instruction ID: ea0da00db158db34c2791c98ae9d1ba615b6da95ab1316d0f281d99632d378e8
Opcode Fuzzy Hash: 3c1e541af4b398501acd9fd29dece0799bca67dd8825652c69b0dddfac3bdf0e
Instruction Fuzzy Hash: FC415C725806196FCB20DFB9EC48DBB77B8EB84398F2051ADF955E7280E6309D41CB50

Function 00E8D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00E8D28C

Strings

X64, xrefs: 00E8D2A8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: c84acdd286e0a0b5b921e4496ee55e87de7f9d6b8e2f76f750126c523d805e03
Instruction ID: aa8e49ca5e39078adde7b06e5836aeebda7af5ecfec7742c9a6b3daa3d4b564d
Opcode Fuzzy Hash: c84acdd286e0a0b5b921e4496ee55e87de7f9d6b8e2f76f750126c523d805e03
Instruction Fuzzy Hash: 42D0C9B480511DEECB90DB90EC88DD9B37CBB04305F100151F10AB2040D73095498F10

Function 00E5CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: c1874d658ac0d9dda6a11af30a53103bd3aeeb56b094e744fbb2cb89c122bb9b
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: F1022A71E002199FDF14CFA9C8906ADFBF1EF88315F25956AD919FB280D730AA45CB90

Function 00EA68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EA6918
FindClose.KERNEL32(00000000), ref: 00EA6961

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c9261fea17f6c7135fb9e67db454e8387c08886c73915906ff223c1574c90e49
Instruction ID: 4d6a9d943bbae09075352ae9a8de4f49d5850100d24b3758dc503bf54269b140
Opcode Fuzzy Hash: c9261fea17f6c7135fb9e67db454e8387c08886c73915906ff223c1574c90e49
Instruction Fuzzy Hash: DB1196756046009FC714DF29D488A16BBE5FF89328F18D599E4699F6A2C730EC05CB91

Function 00EA37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00EB4891,?,?,00000035,?), ref: 00EA37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00EB4891,?,?,00000035,?), ref: 00EA37F4

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: aad1051585e264b1cc385942948af2e8956a6fbf2d5593ad53006947898059be
Instruction ID: 3ce2a2a612ba7b796b8316b69c7545665f36f4ee7336243c4036a3d08943d25f
Opcode Fuzzy Hash: aad1051585e264b1cc385942948af2e8956a6fbf2d5593ad53006947898059be
Instruction Fuzzy Hash: FCF0EC717043142AD71057765C4DFDB7A9DEFC5761F100176F509F2291D5605905C6B0

Function 00E9B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00E9B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00E9B270

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 9677cb9c6b4d39f5624fc2ec1a485d6f020e75a62e12f6229225be5d5a8f6fcf
Instruction ID: 70b1f92d5c16ae632ec111b91ab624861ba192529eb2f60f905e7abd251c2950
Opcode Fuzzy Hash: 9677cb9c6b4d39f5624fc2ec1a485d6f020e75a62e12f6229225be5d5a8f6fcf
Instruction Fuzzy Hash: F6F01D7180424DAFDF059FA1D805BEE7BB4FF08309F10901AF955A51A1C37996169F94

Function 00E910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E911FC), ref: 00E910D4
CloseHandle.KERNEL32(?,?,00E911FC), ref: 00E910E9

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 8cc792a79445897e940bd771b787f077500d8aa2f82d5dcb8d4b7f1a918b4165
Instruction ID: 0e021b50cd15a5cecac510ff610930b6faf440c3b47f4003123937ff3ceb92b6
Opcode Fuzzy Hash: 8cc792a79445897e940bd771b787f077500d8aa2f82d5dcb8d4b7f1a918b4165
Instruction Fuzzy Hash: 7CE04F32008600AEE7252B11FC05E7777E9EB04720F24882DF4A6904B1DB636C91DB10

Function 00E3CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00E80C40

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 2e565392eeb6cba3be8e6823d730671e31f1d9b5e1c692cfbc45425d4fb1c463
Instruction ID: a5d9306785590095d1f1e765a5a26687c89a38ae72f8fbd74f8ab809f126f5df
Opcode Fuzzy Hash: 2e565392eeb6cba3be8e6823d730671e31f1d9b5e1c692cfbc45425d4fb1c463
Instruction Fuzzy Hash: 29329F74900218DBCF14EF94D889AEDBBF5BF04308F646069E80ABB292D775ED49CB51

Function 00E6676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00E66766,?,?,00000008,?,?,00E6FEFE,00000000), ref: 00E66998

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3bf1ae17a7caa4ff370419d964f9700d5600c62c5d5990520873bcf5bf24afe7
Instruction ID: 73be308a30880355c202bf621fba3bf9fb8c0ae563fe4c9f584a78706b703531
Opcode Fuzzy Hash: 3bf1ae17a7caa4ff370419d964f9700d5600c62c5d5990520873bcf5bf24afe7
Instruction Fuzzy Hash: 26B16E31560608DFD719CF28D48ABA57BE0FF453A8F259658E899DF2A2C335E981CB40

Function 00E4B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00E8851F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 008cb27450e38e22f15055814f30c7fdf815a270e42096c219761e6771469a12
Instruction ID: 05d00074234ecc99f76f7fb8fa24fa5129eee8d9e749c06751cf2dea042da927
Opcode Fuzzy Hash: 008cb27450e38e22f15055814f30c7fdf815a270e42096c219761e6771469a12
Instruction Fuzzy Hash: D2125F719002299FCB24DF58D9806EEB7F5FF48710F5491AAE849FB251EB709E81CB90

Function 00EAEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00EAEABD

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 16725cf9014a9d0d8866b705607b3000758233e8a02823dc160ba0425827c5e3
Instruction ID: 0d247b0a0b30e313c26f18b92e4e6d24d154cc08b757b2c065bcb815619f4bfd
Opcode Fuzzy Hash: 16725cf9014a9d0d8866b705607b3000758233e8a02823dc160ba0425827c5e3
Instruction Fuzzy Hash: 01E012352002049FC710DF59D404E9ABBD9AF59760F109416FD49EB351D670EC418B90

Function 00E509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00E503EE), ref: 00E509DA

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 86fe1c3e0f0b7bf790350a715f195a6702a3642eae9ebee422842275214cda0c
Instruction ID: b4ec4ff6f28eddde3e3e909f139636d113dd4bfa62f7250af2c33b634aec37d9
Opcode Fuzzy Hash: 86fe1c3e0f0b7bf790350a715f195a6702a3642eae9ebee422842275214cda0c
Instruction Fuzzy Hash:

Function 00E5781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00E5798B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: e3d5b76fa2b3bd5e2eff3a4d4e1166a5bc26dc9b78f066f624302f0638a85bdf
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: EC51776160C7155ADB3C8528B95E7FE63C99B9230AF183D09DCC2F7282C611DE6DC362

Function 00E66DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d648cfac7ebd6f8c8843a297d3f387a799a2ed1160a6833a27097169fc7078ce
Instruction ID: 6353dd8109ceec1b2748214cb22d32ed64515624eee867d6073ac26ee1807efd
Opcode Fuzzy Hash: d648cfac7ebd6f8c8843a297d3f387a799a2ed1160a6833a27097169fc7078ce
Instruction Fuzzy Hash: 8E324622D6AF414DD7239635EC22335A349EFB73C9F14E737E86AB59A5EB29C4834100

Function 00E4CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c5dbb41147dfb86377ab2dc1cdfb1ed121d2e1c2302af5888c96d1c860fd91
Instruction ID: 4c17e8e880066095e10e7fd4443e15fd5be25f33613dc757921c402de1099c75
Opcode Fuzzy Hash: e0c5dbb41147dfb86377ab2dc1cdfb1ed121d2e1c2302af5888c96d1c860fd91
Instruction Fuzzy Hash: DD322632A001058FCF28EF29D4D46BDB7A1EB46308F38A56AD55EFB291D230DD81DB61

Function 00E37920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e74913b73ac5fe2990b02f1f3fe1320e5fa344793335e62b9491b82b2252b02
Instruction ID: fe16a021edad24a27d6972b579c70d6dafa0f1452ed24fb044ec3b1da98b4b11
Opcode Fuzzy Hash: 9e74913b73ac5fe2990b02f1f3fe1320e5fa344793335e62b9491b82b2252b02
Instruction Fuzzy Hash: ED22CFB1A00609DFDF14CF64D885AEEB7F2FF44304F20A629E856B7291EB75A914CB50

Function 00E391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885b0403316e762b5ee468c87f495467c541ad02b4bd8007214904d3f591b8f9
Instruction ID: bd88bd1fdfaf7da6f63810f43d4087bb5437e2ffb856c852a543b853cd3bb109
Opcode Fuzzy Hash: 885b0403316e762b5ee468c87f495467c541ad02b4bd8007214904d3f591b8f9
Instruction Fuzzy Hash: F802B6B0A00105EFDB05DF64D845AAEBBF5FF48304F109169E81ABB391EB71AA14CB91

Function 00E69EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f13fb03b3fc77799c19151dfcc9f3aa669dc2ae1ef346f1b5cc58ccee892ecbd
Instruction ID: 86866973ca769650a6c319974b648eb764fd247f5266560ff15a00d6a32215a1
Opcode Fuzzy Hash: f13fb03b3fc77799c19151dfcc9f3aa669dc2ae1ef346f1b5cc58ccee892ecbd
Instruction Fuzzy Hash: BAB11320D2AF414DC323963A9931336B75CAFBB6D5F91E31BFC2674D22EB2286874141

Function 00E51C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: fdb1c67421c4cf47f8d07e539912d827c6246fc03cdb917d7d1132e935552be1
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: CA9166322080A349DB2D4639853567DFFE15A923A771A1FDDDCF2DA1C1EE20895CD720

Function 00E519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 0a8798b3ab0e80dcfbc64b488fcc6dd6e91990aa02e1a6d295c62f79a5412695
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 8E91A4722090A34ADB6E427A847427DFFE15A923A731A1FDDD8F2EA1C1FE14C55CD620

Function 00E57A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c18080636a68af2db7780b48e7c5124031e0e8c371cbb3df6318a64d0d4067
Instruction ID: 42e1342be64425ee072a1ddb320ab718ce44535be0965b7fb4e69591f0ed6511
Opcode Fuzzy Hash: f1c18080636a68af2db7780b48e7c5124031e0e8c371cbb3df6318a64d0d4067
Instruction Fuzzy Hash: 0161663060830957EA749A28B995BFE63D6DF4130BF143D19ECC2FB282DA119E6EC315

Function 00E57CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c346bf402b29cbc82e47e8ed4f69c7b470be5cee6f2db77197435aaec857c14
Instruction ID: e32cd272879c5ec6a08e843e15b75a87411b2b8f930b2fc30230c211fb2981df
Opcode Fuzzy Hash: 3c346bf402b29cbc82e47e8ed4f69c7b470be5cee6f2db77197435aaec857c14
Instruction Fuzzy Hash: 9E615A7120870956DA3849287956BBE23E49F4370BF103D5DEDC3FB281EA129D6EC355

Function 00E51706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 92061ca5dac57287115db95e60263203abd6f691434c7e0d4a7eec06be9b501f
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 358176725080A30ADB2D423D853467EFFE15A923A771A1FDED8F2DA1C1EE14995CD620

Function 00E4D063 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67cdcaf3a8c69488fc5e2fceb3e6c6ec5ec84cdb2aa70237e87cf7386358c60
Instruction ID: 5d7e1b5f7592a173ec85d6af60ab413f82b0beb5c396a591944234990083ff29
Opcode Fuzzy Hash: f67cdcaf3a8c69488fc5e2fceb3e6c6ec5ec84cdb2aa70237e87cf7386358c60
Instruction Fuzzy Hash: 61513CC285EBC91BCB53A7745C6A08CBF618C570703684BDFC0F1455E7FA89454AC7A6

Function 00EA2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128f524c6d7dfc226b0c5af6138b7d7ef588f99b528623219d7e2693b26b861f
Instruction ID: 72481ab4020c1651d5c320416d5336a3b8461b2c9f233bb8606f4ca34418ae89
Opcode Fuzzy Hash: 128f524c6d7dfc226b0c5af6138b7d7ef588f99b528623219d7e2693b26b861f
Instruction Fuzzy Hash: 0121D8323205158BD728CE79C86267A73E5B754310F15862EE4A7D73D1DE36A904D750

Function 00EB2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EB2B30
DeleteObject.GDI32(00000000), ref: 00EB2B43
DestroyWindow.USER32 ref: 00EB2B52
GetDesktopWindow.USER32 ref: 00EB2B6D
GetWindowRect.USER32(00000000), ref: 00EB2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00EB2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00EB2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2CF8
GetClientRect.USER32(00000000,?), ref: 00EB2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00EB2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2DA8
GlobalFree.KERNEL32(00000000), ref: 00EB2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00ECFC38,00000000), ref: 00EB2DDB
GlobalFree.KERNEL32(00000000), ref: 00EB2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00EB2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00EB2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00EB303F

Strings

DISPLAY, xrefs: 00EB2EA2
, xrefs: 00EB2FC5
static, xrefs: 00EB2D3A, 00EB2E91
AutoIt v3, xrefs: 00EB2CF2

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a874a78002138684f1229dcc16412cea85bd7ab0a6c6fb9e8e387ae622525ea7
Instruction ID: 33e44792a1cf2623a12e70de77feca9749b4919074bba12b8cc6815afe5d613d
Opcode Fuzzy Hash: a874a78002138684f1229dcc16412cea85bd7ab0a6c6fb9e8e387ae622525ea7
Instruction Fuzzy Hash: D0028D71900208AFDB14DF65CD89EAE7BB9FF48714F149118F919BB2A1CB71AD06CB60

Function 00EC70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00EC712F
GetSysColorBrush.USER32(0000000F), ref: 00EC7160
GetSysColor.USER32(0000000F), ref: 00EC716C
SetBkColor.GDI32(?,000000FF), ref: 00EC7186
SelectObject.GDI32(?,?), ref: 00EC7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00EC71C0
GetSysColor.USER32(00000010), ref: 00EC71C8
CreateSolidBrush.GDI32(00000000), ref: 00EC71CF
FrameRect.USER32(?,?,00000000), ref: 00EC71DE
DeleteObject.GDI32(00000000), ref: 00EC71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00EC7230
FillRect.USER32(?,?,?), ref: 00EC7262
GetWindowLongW.USER32(?,000000F0), ref: 00EC7284

Part of subcall function 00EC73E8: GetSysColor.USER32(00000012), ref: 00EC7421
Part of subcall function 00EC73E8: SetTextColor.GDI32(?,?), ref: 00EC7425
Part of subcall function 00EC73E8: GetSysColorBrush.USER32(0000000F), ref: 00EC743B
Part of subcall function 00EC73E8: GetSysColor.USER32(0000000F), ref: 00EC7446
Part of subcall function 00EC73E8: GetSysColor.USER32(00000011), ref: 00EC7463
Part of subcall function 00EC73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EC7471
Part of subcall function 00EC73E8: SelectObject.GDI32(?,00000000), ref: 00EC7482
Part of subcall function 00EC73E8: SetBkColor.GDI32(?,00000000), ref: 00EC748B
Part of subcall function 00EC73E8: SelectObject.GDI32(?,?), ref: 00EC7498
Part of subcall function 00EC73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00EC74B7
Part of subcall function 00EC73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EC74CE
Part of subcall function 00EC73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00EC74DB

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 1b9256b7c7f440422168a51626e910f639e86997e4c9a098a44680cd6da5e4aa
Instruction ID: 38c792fb519c35a041698acbbd3b6e8a61c149f72b6fb01677414a1d3608d261
Opcode Fuzzy Hash: 1b9256b7c7f440422168a51626e910f639e86997e4c9a098a44680cd6da5e4aa
Instruction Fuzzy Hash: EEA1A072009301AFD7009F65DD48E5B7BA9FB48320F241A2DF9A6B61E1D732E94ACF51

Function 00E48D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00E48E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E86AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E86AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E86F43

Part of subcall function 00E48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E48BE8,?,00000000,?,?,?,?,00E48BBA,00000000,?), ref: 00E48FC5

SendMessageW.USER32(?,00001053), ref: 00E86F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E86F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00E86FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00E86FB7

Strings

0, xrefs: 00E86DCF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 1eee157afca01c7f978c7c76670b191e4fcdef506cd564cf99461f3a65fa9e0f
Instruction ID: 7f22cc321d3798afc9e7da8bfff69d10f2a471bb8ac519ed473b858292d43dc2
Opcode Fuzzy Hash: 1eee157afca01c7f978c7c76670b191e4fcdef506cd564cf99461f3a65fa9e0f
Instruction Fuzzy Hash: 78129D30600201DFDB25EF24DA54BAAB7E5FB44308F146469F58DAB661CB32EC92DB51

Function 00EB2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00EB273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EB286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00EB28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00EB28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00EB2900
GetClientRect.USER32(00000000,?), ref: 00EB290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00EB2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EB2964
GetStockObject.GDI32(00000011), ref: 00EB2974
SelectObject.GDI32(00000000,00000000), ref: 00EB2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00EB2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EB2991
DeleteDC.GDI32(00000000), ref: 00EB299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EB29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00EB29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00EB2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EB2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00EB2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00EB2A77
GetStockObject.GDI32(00000011), ref: 00EB2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EB2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00EB2A97

Strings

msctls_progress32, xrefs: 00EB2A13
DISPLAY, xrefs: 00EB295A
static, xrefs: 00EB294F, 00EB2A71
AutoIt v3, xrefs: 00EB28F8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c2d67ad96ed82a55be8e1451e685b99517830db25fda5e2a80af739796f1874a
Instruction ID: 3d921be10ea618138f284817a4d0b5345a535bdd579b8b10464424677c93f267
Opcode Fuzzy Hash: c2d67ad96ed82a55be8e1451e685b99517830db25fda5e2a80af739796f1874a
Instruction Fuzzy Hash: A0B14BB1A00219AFEB24DFA9CC49FAB7BA9FB08710F105119FA15E7290D770AD45CB94

Function 00EA4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EA4AED
GetDriveTypeW.KERNEL32(?,00ECCB68,?,\\.\,00ECCC08), ref: 00EA4BCA
SetErrorMode.KERNEL32(00000000,00ECCB68,?,\\.\,00ECCC08), ref: 00EA4D36

Strings

SSD, xrefs: 00EA4C4A
PhysicalDrive, xrefs: 00EA4B76
SATA, xrefs: 00EA4CD0
Fibre, xrefs: 00EA4CAD
\\.\, xrefs: 00EA4B3F
Network, xrefs: 00EA4C02
ATAPI, xrefs: 00EA4C91
Removable, xrefs: 00EA4C10, 00EA4C15
iSCSI, xrefs: 00EA4CC2
Unknown, xrefs: 00EA4BED, 00EA4C83
CDROM, xrefs: 00EA4BFB
SSA, xrefs: 00EA4CA6
FileBackedVirtual, xrefs: 00EA4CEC
Virtual, xrefs: 00EA4CE5
SCSI, xrefs: 00EA4C8A
RAID, xrefs: 00EA4CBB
Fixed, xrefs: 00EA4C09
USB, xrefs: 00EA4CB4
1394, xrefs: 00EA4C9F
ATA, xrefs: 00EA4C98
RAMDisk, xrefs: 00EA4BF4
SAS, xrefs: 00EA4CC9
MMC, xrefs: 00EA4CDE

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: aeaa11bb8a68efcddcc3564804079ee6d6d75bf1f894ddea43b5db3533ddf847
Instruction ID: b397de8addaba1499f6f2a845134c3b218cbabaa2a89d3aa608c44d8da7061f2
Opcode Fuzzy Hash: aeaa11bb8a68efcddcc3564804079ee6d6d75bf1f894ddea43b5db3533ddf847
Instruction Fuzzy Hash: 6C61D3B12052099BDB04EF24C982AB8B7F0AB8A314B247415E50ABF2D1DBB2FD41DB51

Function 00EC73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00EC7421
SetTextColor.GDI32(?,?), ref: 00EC7425
GetSysColorBrush.USER32(0000000F), ref: 00EC743B
GetSysColor.USER32(0000000F), ref: 00EC7446
CreateSolidBrush.GDI32(?), ref: 00EC744B
GetSysColor.USER32(00000011), ref: 00EC7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EC7471
SelectObject.GDI32(?,00000000), ref: 00EC7482
SetBkColor.GDI32(?,00000000), ref: 00EC748B
SelectObject.GDI32(?,?), ref: 00EC7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00EC74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EC74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00EC74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EC752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EC7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00EC7572
DrawFocusRect.USER32(?,?), ref: 00EC757D
GetSysColor.USER32(00000011), ref: 00EC758E
SetTextColor.GDI32(?,00000000), ref: 00EC7596
DrawTextW.USER32(?,00EC70F5,000000FF,?,00000000), ref: 00EC75A8
SelectObject.GDI32(?,?), ref: 00EC75BF
DeleteObject.GDI32(?), ref: 00EC75CA
SelectObject.GDI32(?,?), ref: 00EC75D0
DeleteObject.GDI32(?), ref: 00EC75D5
SetTextColor.GDI32(?,?), ref: 00EC75DB
SetBkColor.GDI32(?,?), ref: 00EC75E5

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 5fd8ebf98941bd7ecb15c252f821b678584eace340255a26a98be60c598b8076
Instruction ID: 0fb65737a5ce81d4977c6a79916589c1b24b677b1b73cabed3d41a0c8966c939
Opcode Fuzzy Hash: 5fd8ebf98941bd7ecb15c252f821b678584eace340255a26a98be60c598b8076
Instruction Fuzzy Hash: C5616072900218AFDB019FA5DC49EEE7FB9FB08320F244125F915BB2A1D7729942CF90

Function 00EC0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EC1128
GetDesktopWindow.USER32 ref: 00EC113D
GetWindowRect.USER32(00000000), ref: 00EC1144
GetWindowLongW.USER32(?,000000F0), ref: 00EC1199
DestroyWindow.USER32(?), ref: 00EC11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EC11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EC120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EC121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00EC1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00EC1245
IsWindowVisible.USER32(00000000), ref: 00EC12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00EC12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00EC12D0
GetWindowRect.USER32(00000000,?), ref: 00EC12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00EC130E
GetMonitorInfoW.USER32(00000000,?), ref: 00EC1328
CopyRect.USER32(?,?), ref: 00EC133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00EC13AA

Strings

(, xrefs: 00EC131B
0, xrefs: 00EC10D3
tooltips_class32, xrefs: 00EC11E6

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 205c39532a19e628475b9b75d9639b5732d4a1fc3a2320f8dec30c47d8867f00
Instruction ID: 57b8213629eb31627d985a7fc4c1ead2900da539cf321b210a6bdfc56fb04a77
Opcode Fuzzy Hash: 205c39532a19e628475b9b75d9639b5732d4a1fc3a2320f8dec30c47d8867f00
Instruction Fuzzy Hash: 3BB1AC71604340AFD704DF65C989F6ABBE4FF85344F00995CF999AB262C732E846CB92

Function 00EC0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EC02E5
_wcslen.LIBCMT ref: 00EC031F
_wcslen.LIBCMT ref: 00EC0389
_wcslen.LIBCMT ref: 00EC03F1
_wcslen.LIBCMT ref: 00EC0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00EC04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EC0504

Part of subcall function 00E4F9F2: _wcslen.LIBCMT ref: 00E4F9FD

Part of subcall function 00E9223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E92258
Part of subcall function 00E9223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E9228A

Strings

GETTEXT, xrefs: 00EC03EC, 00EC0407
SELECT, xrefs: 00EC0548
SELECTINVERT, xrefs: 00EC057E
GETSELECTED, xrefs: 00EC05E1
FINDITEM, xrefs: 00EC0627
ISSELECTED, xrefs: 00EC04DD
GETSELECTEDCOUNT, xrefs: 00EC0470, 00EC048B
SELECTALL, xrefs: 00EC0515
SELECTCLEAR, xrefs: 00EC052D
VIEWCHANGE, xrefs: 00EC0675
DESELECT, xrefs: 00EC059C
GETITEMCOUNT, xrefs: 00EC0316, 00EC0337
GETSUBITEMCOUNT, xrefs: 00EC0384, 00EC039F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 18b0a4b3c22e667f5b3bc688e3b7fc617a7ff48ddead56847810bfa4bc817a1f
Instruction ID: fb3b6c0be4cd267add65f52ab04c58e6aa22728adc5271539488bc0777f556ad
Opcode Fuzzy Hash: 18b0a4b3c22e667f5b3bc688e3b7fc617a7ff48ddead56847810bfa4bc817a1f
Instruction Fuzzy Hash: 74E19E31208301DB8B18DF28C651E6AB7E6BFC8718F14695CF996BB2A1D731ED46CB41

Function 00E48891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E48968
GetSystemMetrics.USER32(00000007), ref: 00E48970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E4899B
GetSystemMetrics.USER32(00000008), ref: 00E489A3
GetSystemMetrics.USER32(00000004), ref: 00E489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E48A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E48A3C
GetClientRect.USER32(00000000,000000FF), ref: 00E48A5A
GetStockObject.GDI32(00000011), ref: 00E48A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E48A81

Part of subcall function 00E4912D: GetCursorPos.USER32(?), ref: 00E49141
Part of subcall function 00E4912D: ScreenToClient.USER32(00000000,?), ref: 00E4915E
Part of subcall function 00E4912D: GetAsyncKeyState.USER32(00000001), ref: 00E49183
Part of subcall function 00E4912D: GetAsyncKeyState.USER32(00000002), ref: 00E4919D

SetTimer.USER32(00000000,00000000,00000028,00E490FC), ref: 00E48AA8

Strings

AutoIt v3 GUI, xrefs: 00E48A20

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: e24df25aca2c920aa654259e3e6bea8ed28c61ddadca54dbfade2ff5333ea938
Instruction ID: 050ed91910b5b37bf6bd79d8fc1e1c8f14fa5c0ec71d0170a9e6b96c8b349e16
Opcode Fuzzy Hash: e24df25aca2c920aa654259e3e6bea8ed28c61ddadca54dbfade2ff5333ea938
Instruction Fuzzy Hash: 27B18A31A00209AFDB14DFA8DD45FAE3BB5FB48714F10522AFA19BB290DB71E941CB51

Function 00E90D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E91114
Part of subcall function 00E910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91120
Part of subcall function 00E910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E9112F
Part of subcall function 00E910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91136
Part of subcall function 00E910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E9114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E90DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E90E29
GetLengthSid.ADVAPI32(?), ref: 00E90E40
GetAce.ADVAPI32(?,00000000,?), ref: 00E90E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E90E96
GetLengthSid.ADVAPI32(?), ref: 00E90EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00E90EB5
HeapAlloc.KERNEL32(00000000), ref: 00E90EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E90EDD
CopySid.ADVAPI32(00000000), ref: 00E90EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E90F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E90F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E90F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90F6E
HeapFree.KERNEL32(00000000), ref: 00E90F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90F7E
HeapFree.KERNEL32(00000000), ref: 00E90F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E90F8E
HeapFree.KERNEL32(00000000), ref: 00E90F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00E90FA1
HeapFree.KERNEL32(00000000), ref: 00E90FA8

Part of subcall function 00E91193: GetProcessHeap.KERNEL32(00000008,00E90BB1,?,00000000,?,00E90BB1,?), ref: 00E911A1
Part of subcall function 00E91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00E90BB1,?), ref: 00E911A8
Part of subcall function 00E91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00E90BB1,?), ref: 00E911B7

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f33580f66be9014db90d3e3fce2d86974832829c54575487d3e3d0e298099b52
Instruction ID: fbf41cd71e6864d022d9530df68e8c2b68e98fdc4bce43945d9bc8489015c9d0
Opcode Fuzzy Hash: f33580f66be9014db90d3e3fce2d86974832829c54575487d3e3d0e298099b52
Instruction Fuzzy Hash: 05715C72A0020AAFDF20DFA6DC45FAEBBB8FF04304F545125F919B6191D7319A4ACB60

Function 00EBC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00ECCC08,00000000,?,00000000,?,?), ref: 00EBC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00EBC5A4
_wcslen.LIBCMT ref: 00EBC5F4
_wcslen.LIBCMT ref: 00EBC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00EBC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00EBC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00EBC84D
RegCloseKey.ADVAPI32(?), ref: 00EBC881
RegCloseKey.ADVAPI32(00000000), ref: 00EBC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00EBC960

Strings

REG_BINARY, xrefs: 00EBC913
REG_SZ, xrefs: 00EBC644
REG_MULTI_SZ, xrefs: 00EBC6F5
REG_QWORD, xrefs: 00EBC8C3
REG_EXPAND_SZ, xrefs: 00EBC5CD
REG_DWORD, xrefs: 00EBC804

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: fb756ffa9f36af1a36f634b327d5de918abc522c76522e787e2818c39b674670
Instruction ID: 6cd584e0fa9cc07b41ee2b16ef0f236fa7411fbdb2d2e0909057fd8e74c3474f
Opcode Fuzzy Hash: fb756ffa9f36af1a36f634b327d5de918abc522c76522e787e2818c39b674670
Instruction Fuzzy Hash: 2E127D756082019FCB14DF14C885E6ABBE5EF88714F14985DF88AAB3A2DB31FD41CB81

Function 00EC091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EC09C6
_wcslen.LIBCMT ref: 00EC0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EC0A54
_wcslen.LIBCMT ref: 00EC0A8A
_wcslen.LIBCMT ref: 00EC0B06
_wcslen.LIBCMT ref: 00EC0B81

Part of subcall function 00E4F9F2: _wcslen.LIBCMT ref: 00E4F9FD

Part of subcall function 00E92BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E92BFA

Strings

SELECT, xrefs: 00EC0D11
GETTEXT, xrefs: 00EC0C97
CHECK, xrefs: 00EC0A85, 00EC0AA0
GETTOTALCOUNT, xrefs: 00EC09F2, 00EC0A17
GETSELECTED, xrefs: 00EC0C4E
GETITEMCOUNT, xrefs: 00EC0C1E
EXPAND, xrefs: 00EC0BF8
UNCHECK, xrefs: 00EC0D3E
EXISTS, xrefs: 00EC0B7C, 00EC0B97
COLLAPSE, xrefs: 00EC0B01, 00EC0B1C
ISCHECKED, xrefs: 00EC0CE1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 857caca77c7fe60a91b287b8932d44561f93f92de21bab1f5e97a5533dc586a3
Instruction ID: 70a128a318e7efc9bf082ee447164d0339537356ffdde19c441f950543ede1e2
Opcode Fuzzy Hash: 857caca77c7fe60a91b287b8932d44561f93f92de21bab1f5e97a5533dc586a3
Instruction Fuzzy Hash: 26E16B35208301DFCB14DF24C551A6AB7E2BF98718F14A95CF8967B262D732ED46CB81

Function 00EBC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBB6AE,?,?), ref: 00EBC9B5
_wcslen.LIBCMT ref: 00EBC9F1
_wcslen.LIBCMT ref: 00EBCA68
_wcslen.LIBCMT ref: 00EBCA9E
_wcslen.LIBCMT ref: 00EBCAF9
_wcslen.LIBCMT ref: 00EBCB2F
_wcslen.LIBCMT ref: 00EBCB7F

Strings

HKCU, xrefs: 00EBCBCE
HKEY_LOCAL_MACHINE, xrefs: 00EBCA62, 00EBCA67
HKEY_CURRENT_USER, xrefs: 00EBCBBD
HKU, xrefs: 00EBCBF0
HKCR, xrefs: 00EBCB29, 00EBCB2E
HKEY_CURRENT_CONFIG, xrefs: 00EBCB79, 00EBCB7E
HKCC, xrefs: 00EBCBAC
HKLM, xrefs: 00EBCA98, 00EBCA9D
HKEY_CLASSES_ROOT, xrefs: 00EBCAF3, 00EBCAF8
HKEY_USERS, xrefs: 00EBCBDF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 5fd64020fc03b0826ac31cf9d8e5d2f0ca6b040ff73377c16e8cefbb125ced96
Instruction ID: 12f90850be6c1adcbf1d2305f66dc7fc9ab42d9caadfc4955f712bf2794f28a1
Opcode Fuzzy Hash: 5fd64020fc03b0826ac31cf9d8e5d2f0ca6b040ff73377c16e8cefbb125ced96
Instruction Fuzzy Hash: 1071E73261812A8BCB10DE7CCD525FF7791ABA0758F352529FC96B7284E631CD85C7A0

Function 00EC833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EC835A
_wcslen.LIBCMT ref: 00EC836E
_wcslen.LIBCMT ref: 00EC8391
_wcslen.LIBCMT ref: 00EC83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EC83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00EC5BF2), ref: 00EC844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EC8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EC84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EC8501
FreeLibrary.KERNEL32(?), ref: 00EC850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EC851D
DestroyIcon.USER32(?,?,?,?,?,00EC5BF2), ref: 00EC852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EC8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EC8555

Strings

.dll, xrefs: 00EC83AB
.exe, xrefs: 00EC8388
.icl, xrefs: 00EC8368

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 44cc33ec8f6041beb6d30765661810f29551d03cbe06c29e41ffd0dba3bb9e1c
Instruction ID: 4539bc7ac40e49e5d83d909e2322a819f141f902e6b1fe1fc8f814b3b0868705
Opcode Fuzzy Hash: 44cc33ec8f6041beb6d30765661810f29551d03cbe06c29e41ffd0dba3bb9e1c
Instruction Fuzzy Hash: 20611171500219BEEB18DF64CE41FFE77A8BB04711F10651AF815F60D1DBB2AA96CBA0

Function 00E37778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 00E377FF
#include-once, xrefs: 00E3782F
#notrayicon, xrefs: 00E377E7
#comments-end, xrefs: 00E378D9
', xrefs: 00E75169
#include, xrefs: 00E37847
#pragma compile, xrefs: 00E377D3
Cannot parse #include, xrefs: 00E75279
", xrefs: 00E75153
#comments-start, xrefs: 00E3785F, 00E378B1
Unterminated group of comments, xrefs: 00E7528C
#ce, xrefs: 00E378ED
#OnAutoItStartRegister, xrefs: 00E37817
#cs, xrefs: 00E37873, 00E378C5
Bad directive syntax error, xrefs: 00E7519A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 13bbd85c04f766f345926122d822bc552ba9e099d92906029e09da3d5b0c7117
Instruction ID: 0e73392de3e08a7fb13f8d3d090ba6d6eab4a31a2a82c3b9064dd7d62c8c0a3d
Opcode Fuzzy Hash: 13bbd85c04f766f345926122d822bc552ba9e099d92906029e09da3d5b0c7117
Instruction Fuzzy Hash: 528105B1A04605BBDB20AF60DD47FAE7BF8AF14301F046425FD48BA292EBB1D915C791

Function 00EA3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EA3EF8
_wcslen.LIBCMT ref: 00EA3F03
_wcslen.LIBCMT ref: 00EA3F5A
_wcslen.LIBCMT ref: 00EA3F98
GetDriveTypeW.KERNEL32(?), ref: 00EA3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EA401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EA4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EA4087

Strings

close cd wait, xrefs: 00EA4072
set cd door , xrefs: 00EA4028
wait, xrefs: 00EA4044
close, xrefs: 00EA3EFE, 00EA3F18
type cdaudio alias cd wait, xrefs: 00EA4001
open, xrefs: 00EA3F54, 00EA3F59
open , xrefs: 00EA3FE5
closed, xrefs: 00EA3F08, 00EA3F2D, 00EA3F46, 00EA3F7E, 00EA3F97

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: a27c8cc75905d6120b3bea5d3e109f1ec80ac27e3b63f474698424abf3f000a6
Instruction ID: ea887cc14e06c4136b714e2b9350ce62a47567c4129e1572f5610eb0d5a18736
Opcode Fuzzy Hash: a27c8cc75905d6120b3bea5d3e109f1ec80ac27e3b63f474698424abf3f000a6
Instruction Fuzzy Hash: 3E71D1726042019FC710EF34C8818AABBF4EF99758F10692DF995BB291EB31ED45CB51

Function 00E95A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00E95A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E95A40
SetWindowTextW.USER32(?,?), ref: 00E95A57
GetDlgItem.USER32(?,000003EA), ref: 00E95A6C
SetWindowTextW.USER32(00000000,?), ref: 00E95A72
GetDlgItem.USER32(?,000003E9), ref: 00E95A82
SetWindowTextW.USER32(00000000,?), ref: 00E95A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E95AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E95AC3
GetWindowRect.USER32(?,?), ref: 00E95ACC
_wcslen.LIBCMT ref: 00E95B33
SetWindowTextW.USER32(?,?), ref: 00E95B6F
GetDesktopWindow.USER32 ref: 00E95B75
GetWindowRect.USER32(00000000), ref: 00E95B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00E95BD3
GetClientRect.USER32(?,?), ref: 00E95BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00E95C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E95C2F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6bf89664de7711720181112e02ea5f309b340f20b6205603324263280c91f9ff
Instruction ID: 39215ee6d4f758e7f02cdde90bedcf3452d0d47cbea915b1f1cddb8eb016a7b3
Opcode Fuzzy Hash: 6bf89664de7711720181112e02ea5f309b340f20b6205603324263280c91f9ff
Instruction Fuzzy Hash: C7717C32900B09AFDB21DFA9CE85EAEBBF5FF48704F105528E586B25A0D771E945CB10

Function 00EAFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00EAFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00EAFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00EAFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00EAFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00EAFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00EAFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00EAFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00EAFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00EAFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00EAFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00EAFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00EAFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00EAFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00EAFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00EAFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00EAFECC
GetCursorInfo.USER32(?), ref: 00EAFEDC
GetLastError.KERNEL32 ref: 00EAFF1E

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 2759be16d115b8ad700ecd46add56a198526b220b360f3f4d5054453cc831cbd
Instruction ID: e5017d66b769408b397bd8ccf9ecbce5dd8368216b5a1f416cf63c0e59aac1ec
Opcode Fuzzy Hash: 2759be16d115b8ad700ecd46add56a198526b220b360f3f4d5054453cc831cbd
Instruction Fuzzy Hash: 67414370E043196EDB109FBA8C8985EBFE8FF09754B54452AE11DEB281DB78E901CE91

Function 00E930F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E9318D
_wcslen.LIBCMT ref: 00E931F8

Strings

REGEXPCLASS, xrefs: 00E93255, 00E93266
CLASS, xrefs: 00E93188, 00E931A5
CLASSNN, xrefs: 00E931F3, 00E93204
INSTANCE, xrefs: 00E93453
[, xrefs: 00E9339A
TEXT, xrefs: 00E9347C
NAME, xrefs: 00E93335, 00E93346

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[
API String ID: 176396367-1901692981
Opcode ID: 7130fb47551bb32e1180c195bb41c98b7df38b0240cb24c0be0688515ec7fdcc
Instruction ID: 92bdf52335005916f4dc3de45ad7711f490382b04c9a0fe371ab81016dd04f5f
Opcode Fuzzy Hash: 7130fb47551bb32e1180c195bb41c98b7df38b0240cb24c0be0688515ec7fdcc
Instruction Fuzzy Hash: 31E1E532A00616ABCF18DFB8C4416FDFBB0BF54714F55A129E966B7250DB30AE85C790

Function 00E500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00E500C6

Part of subcall function 00E500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00F0070C,00000FA0,6255E8CC,?,?,?,?,00E723B3,000000FF), ref: 00E5011C
Part of subcall function 00E500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00E723B3,000000FF), ref: 00E50127
Part of subcall function 00E500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00E723B3,000000FF), ref: 00E50138
Part of subcall function 00E500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00E5014E
Part of subcall function 00E500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00E5015C
Part of subcall function 00E500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00E5016A
Part of subcall function 00E500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E50195
Part of subcall function 00E500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E501A0

___scrt_fastfail.LIBCMT ref: 00E500E7

Part of subcall function 00E500A3: __onexit.LIBCMT ref: 00E500A9

Strings

kernel32.dll, xrefs: 00E50133
SleepConditionVariableCS, xrefs: 00E50154
InitializeConditionVariable, xrefs: 00E50148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00E50122
WakeAllConditionVariable, xrefs: 00E50162

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 0f3a2de34a3d90437e6621b4e7d1b386e49ec54ccf7e697b9367d7f397252c2e
Instruction ID: 110117aa52646143e0cf3df790033edbc9d56ac3a41aa263dffea3ccdc3834be
Opcode Fuzzy Hash: 0f3a2de34a3d90437e6621b4e7d1b386e49ec54ccf7e697b9367d7f397252c2e
Instruction Fuzzy Hash: 22216B32A427016FD7105B65AE05F6A37E4EB04F62F141939FC05F32D1DF759C098A92

Function 00EA44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00ECCC08), ref: 00EA4527
_wcslen.LIBCMT ref: 00EA453B
_wcslen.LIBCMT ref: 00EA4599
_wcslen.LIBCMT ref: 00EA45F4
_wcslen.LIBCMT ref: 00EA463F
_wcslen.LIBCMT ref: 00EA46A7

Part of subcall function 00E4F9F2: _wcslen.LIBCMT ref: 00E4F9FD

GetDriveTypeW.KERNEL32(?,00EF6BF0,00000061), ref: 00EA4743

Strings

unknown, xrefs: 00EA4708
network, xrefs: 00EA469D, 00EA46A2
removable, xrefs: 00EA45EA, 00EA45EF
all, xrefs: 00EA4531, 00EA4536
ramdisk, xrefs: 00EA46F1
fixed, xrefs: 00EA4635, 00EA463A
cdrom, xrefs: 00EA458F, 00EA4594

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 6302fc685cc258ab6b29d21536f13ff870e7129dfbbf2b74fcda1d7662521a78
Instruction ID: ad6f6ad3020149fa2341df4b2d31180288bf16216d9505749a63875972e998ac
Opcode Fuzzy Hash: 6302fc685cc258ab6b29d21536f13ff870e7129dfbbf2b74fcda1d7662521a78
Instruction Fuzzy Hash: DDB125B16083029FC714DF28C891A7AB7E4AFDA714F10691DF496EB2D1D7B0E944CB52

Function 00EB3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00ECCC08), ref: 00EB40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EB40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00ECCC08), ref: 00EB40F2
FreeLibrary.KERNEL32(00000000,?,00ECCC08), ref: 00EB413E
StringFromGUID2.OLE32(?,?,00000028,?,00ECCC08), ref: 00EB41A8
SysFreeString.OLEAUT32(00000009), ref: 00EB4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EB42C8
SysFreeString.OLEAUT32(?), ref: 00EB42F2

Strings

kernel32.dll, xrefs: 00EB40B6
GetModuleHandleExW, xrefs: 00EB40C7

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: e875bfb95174a1bb47af27091950399663aec933843df9b5aeb1682e7c760a9d
Instruction ID: 84ef145da451aaedbcc23f653dc3d36a3aa6a42acb2afb08a4a728bf04053703
Opcode Fuzzy Hash: e875bfb95174a1bb47af27091950399663aec933843df9b5aeb1682e7c760a9d
Instruction Fuzzy Hash: 63125DB1A00115EFDB14DF94C884EEEBBB5FF45318F249098E915AB292D731ED46CBA0

Function 00E3326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00F01990), ref: 00E72F8D
GetMenuItemCount.USER32(00F01990), ref: 00E7303D
GetCursorPos.USER32(?), ref: 00E73081
SetForegroundWindow.USER32(00000000), ref: 00E7308A
TrackPopupMenuEx.USER32(00F01990,00000000,?,00000000,00000000,00000000), ref: 00E7309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E730A9

Strings

0, xrefs: 00E3327D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 924a00127d5bad7307750ac7f40fab9a3bc1468c995be5798b812d58d50be07f
Instruction ID: c701f89652d27bbbaf83e597de90b2afe7e8e1cba04b8ddd0002c5dc4eb4c0c1
Opcode Fuzzy Hash: 924a00127d5bad7307750ac7f40fab9a3bc1468c995be5798b812d58d50be07f
Instruction Fuzzy Hash: 64711930644205BFEB258F35DC49F9ABF68FF04328F20921AF6187A1E0C7B1A914D750

Function 00EC6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00EC6DEB

Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EC6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EC6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EC6E94
DestroyWindow.USER32(?), ref: 00EC6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E30000,00000000), ref: 00EC6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EC6EFD
GetDesktopWindow.USER32 ref: 00EC6F16
GetWindowRect.USER32(00000000), ref: 00EC6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EC6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EC6F4D

Part of subcall function 00E49944: GetWindowLongW.USER32(?,000000EB), ref: 00E49952

Strings

0, xrefs: 00EC6D98
tooltips_class32, xrefs: 00EC6E58, 00EC6EDD

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 703c5c0303f7c7171af5fd4326a6c55148ce3dc34f2cd673e95a5e5203356d46
Instruction ID: 76628da7e72dd17a4391b3ed97074e8c335bb41a1788b73164f250f71e7b2616
Opcode Fuzzy Hash: 703c5c0303f7c7171af5fd4326a6c55148ce3dc34f2cd673e95a5e5203356d46
Instruction Fuzzy Hash: 39715B74104244AFDB21CF18DD44FABBBE9FF89708F14141EF999A7261C772A906DB12

Function 00EC911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2

DragQueryPoint.SHELL32(?,?), ref: 00EC9147

Part of subcall function 00EC7674: ClientToScreen.USER32(?,?), ref: 00EC769A
Part of subcall function 00EC7674: GetWindowRect.USER32(?,?), ref: 00EC7710
Part of subcall function 00EC7674: PtInRect.USER32(?,?,00EC8B89), ref: 00EC7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00EC91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EC91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EC91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EC9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00EC923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00EC9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00EC9277
DragFinish.SHELL32(?), ref: 00EC927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EC9371

Strings

@GUI_DRAGFILE, xrefs: 00EC9320
@GUI_DRAGID, xrefs: 00EC92E9
@GUI_DROPID, xrefs: 00EC929E

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 17bf074b640c937a951174a8f0b483fd8e486b3ccbe5902aec4a912348d741d6
Instruction ID: 98a37ea2fc822ba7b8a74d738937db3ce4ad3af119f7ff53b5752f58d0948c57
Opcode Fuzzy Hash: 17bf074b640c937a951174a8f0b483fd8e486b3ccbe5902aec4a912348d741d6
Instruction Fuzzy Hash: BF618B71108300AFC705DF64DD89EAFBBE8FF88750F10192EF595A21A1DB719A4ACB52

Function 00EAC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EAC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EAC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EAC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00EAC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00EAC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00EAC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EAC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EAC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00EAC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00EAC5F0
InternetCloseHandle.WININET(00000000), ref: 00EAC5FB

Strings

, xrefs: 00EAC575

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: e8f0c253058cc2ecf11b24d2d763b69620d94418dd1b42ccc23616c7dde0c3b7
Instruction ID: 2973e8e3564c8e56726025f48bb29cea13f974d3d6bfad4e4f21b2d264f6026a
Opcode Fuzzy Hash: e8f0c253058cc2ecf11b24d2d763b69620d94418dd1b42ccc23616c7dde0c3b7
Instruction Fuzzy Hash: C5515EB0500604BFDB218F65C948EAB7BFCFF09748F20542AF949AA610DB31F949DB60

Function 00EC856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00EC8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00EC85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00ECFC38,?), ref: 00EC8611
GlobalFree.KERNEL32(00000000), ref: 00EC8621
GetObjectW.GDI32(?,00000018,?), ref: 00EC8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00EC8671
DeleteObject.GDI32(?), ref: 00EC8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00EC86AF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ae03f00d7650e9f65eee414fb1b0bb99a5dcba32023a214e472a2e240beea427
Instruction ID: d8b645de5724727815aef7333466f3dbc7f0dc96267551ca2df2aa7d420aa384
Opcode Fuzzy Hash: ae03f00d7650e9f65eee414fb1b0bb99a5dcba32023a214e472a2e240beea427
Instruction Fuzzy Hash: 1A411D75600204AFDB11DF66DE48EAE7BB8FF89715F144068F909E7260DB729D06CB60

Function 00EA14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00EA1502
VariantCopy.OLEAUT32(?,?), ref: 00EA150B
VariantClear.OLEAUT32(?), ref: 00EA1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00EA15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00EA1657
VariantInit.OLEAUT32(?), ref: 00EA1708
SysFreeString.OLEAUT32(?), ref: 00EA178C
VariantClear.OLEAUT32(?), ref: 00EA17D8
VariantClear.OLEAUT32(?), ref: 00EA17E7
VariantInit.OLEAUT32(00000000), ref: 00EA1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00EA1625
Default, xrefs: 00EA16AF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: c80b3bbb097de9ea301969f27cebd47077c363ac4da8f35fe7a4c80031ac0f29
Instruction ID: eaba044dacad2482a0c0a803f979125acc1ba1c9a331ab2c366639f8bca4d78a
Opcode Fuzzy Hash: c80b3bbb097de9ea301969f27cebd47077c363ac4da8f35fe7a4c80031ac0f29
Instruction Fuzzy Hash: C9D1EF31A00605DBDB049FA5E895BB9B7F5BF4A700F24A0AAF446BF180DB30EC45DB61

Function 00EBB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Part of subcall function 00EBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBB6AE,?,?), ref: 00EBC9B5
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBC9F1
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA68
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EBB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00EBB80A
RegCloseKey.ADVAPI32(?), ref: 00EBB87E
RegCloseKey.ADVAPI32(?), ref: 00EBB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00EBB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EBB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00EBB922
FreeLibrary.KERNEL32(00000000), ref: 00EBB983
RegCloseKey.ADVAPI32(00000000), ref: 00EBB994

Strings

advapi32.dll, xrefs: 00EBB8ED
RegDeleteKeyExW, xrefs: 00EBB8FE

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 79fe1065a8979e9d145eb492077449f93ce11e87cb20fd09265dccb93fba9139
Instruction ID: d09a5283000303f3b363c1de921949f908ac62aa1587e980440e1a42db0caaf0
Opcode Fuzzy Hash: 79fe1065a8979e9d145eb492077449f93ce11e87cb20fd09265dccb93fba9139
Instruction Fuzzy Hash: 56C1A134208201AFD714DF14C495F6ABBE5FF84318F18A55CF59A6B2A2CBB1EC46CB91

Function 00EB255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EB25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00EB25E8
CreateCompatibleDC.GDI32(?), ref: 00EB25F4
SelectObject.GDI32(00000000,?), ref: 00EB2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00EB266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00EB26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00EB26D0
SelectObject.GDI32(?,?), ref: 00EB26D8
DeleteObject.GDI32(?), ref: 00EB26E1
DeleteDC.GDI32(?), ref: 00EB26E8
ReleaseDC.USER32(00000000,?), ref: 00EB26F3

Strings

(, xrefs: 00EB268D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5702fa6bb0d60ba9b3fa40d722b5e51649a4573b57647c05886884f0173d7580
Instruction ID: 06ea45b831bf64c6390d281d18e0ce335821523b2e71cf4134a4f36c102771a0
Opcode Fuzzy Hash: 5702fa6bb0d60ba9b3fa40d722b5e51649a4573b57647c05886884f0173d7580
Instruction Fuzzy Hash: 7061D075D00219EFCB04CFA9D984EAEBBF5FF48310F248529EA59B7250D771A9418F90

Function 00E6DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E6DAA1

Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D659
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D66B
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D67D
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D68F
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6A1
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6B3
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6C5
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6D7
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6E9
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D6FB
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D70D
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D71F
Part of subcall function 00E6D63C: _free.LIBCMT ref: 00E6D731

_free.LIBCMT ref: 00E6DA96

Part of subcall function 00E629C8: HeapFree.KERNEL32(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0

_free.LIBCMT ref: 00E6DAB8
_free.LIBCMT ref: 00E6DACD
_free.LIBCMT ref: 00E6DAD8
_free.LIBCMT ref: 00E6DAFA
_free.LIBCMT ref: 00E6DB0D
_free.LIBCMT ref: 00E6DB1B
_free.LIBCMT ref: 00E6DB26
_free.LIBCMT ref: 00E6DB5E
_free.LIBCMT ref: 00E6DB65
_free.LIBCMT ref: 00E6DB82
_free.LIBCMT ref: 00E6DB9A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8bf63b56cd5670e9be68ef076ece6c1d37506ab2001b2b5960f9e2b8a69b67cc
Instruction ID: fdbae7f44e6001d0ebaaab3685497ee6e5ccdcfdf36f7eaf4d17e787bc934f9e
Opcode Fuzzy Hash: 8bf63b56cd5670e9be68ef076ece6c1d37506ab2001b2b5960f9e2b8a69b67cc
Instruction Fuzzy Hash: 9C317A31B88A049FEB25AA78FC41B6A77E9FF803E4F95641DE148F7191DA30AC408720

Function 00E9365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E9369C
_wcslen.LIBCMT ref: 00E936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E93797
GetClassNameW.USER32(?,?,00000400), ref: 00E9380C
GetDlgCtrlID.USER32(?), ref: 00E9385D
GetWindowRect.USER32(?,?), ref: 00E93882
GetParent.USER32(?), ref: 00E938A0
ScreenToClient.USER32(00000000), ref: 00E938A7
GetClassNameW.USER32(?,?,00000100), ref: 00E93921
GetWindowTextW.USER32(?,?,00000400), ref: 00E9395D

Strings

%s%u, xrefs: 00E93734

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: e391e20df74ad27f299f56989184e299fe5af64e91e91af8760a4942e4afd3ad
Instruction ID: 22e2241c34628278ebc522d0a6b9a464ac53ad7e35d81ab38e6da9f51dbbb49c
Opcode Fuzzy Hash: e391e20df74ad27f299f56989184e299fe5af64e91e91af8760a4942e4afd3ad
Instruction Fuzzy Hash: 7391C171204706AFDB18DF74C885FAAB7E8FF44354F109529F999E2190DB30EA4ACB91

Function 00E94954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00E94994
GetWindowTextW.USER32(?,?,00000400), ref: 00E949DA
_wcslen.LIBCMT ref: 00E949EB
CharUpperBuffW.USER32(?,00000000), ref: 00E949F7
_wcsstr.LIBVCRUNTIME ref: 00E94A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00E94A64
GetWindowTextW.USER32(?,?,00000400), ref: 00E94A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00E94AE6
GetClassNameW.USER32(?,?,00000400), ref: 00E94B20
GetWindowRect.USER32(?,?), ref: 00E94B8B

Strings

ThumbnailClass, xrefs: 00E94A6F, 00E94AF1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 7e7dc80ea244e72a468e1449e760baa96df6c2fe5106eaf1e7c96d9d29260ca9
Instruction ID: 99d7d088cb8bc5f09e804017685f5fa7361b79978bc0384d5712888712812a62
Opcode Fuzzy Hash: 7e7dc80ea244e72a468e1449e760baa96df6c2fe5106eaf1e7c96d9d29260ca9
Instruction Fuzzy Hash: 3D91A0B11042059FDF04DF14C985FAA77E8FF84718F046469FD85AA196EB30ED46CBA1

Function 00EC8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EC8D5A
GetFocus.USER32 ref: 00EC8D6A
GetDlgCtrlID.USER32(00000000), ref: 00EC8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00EC8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EC8ECF
GetMenuItemCount.USER32(?), ref: 00EC8EEC
GetMenuItemID.USER32(?,00000000), ref: 00EC8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EC8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EC8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EC8FA1

Strings

0, xrefs: 00EC8E9F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: fa0f8bace288bd9473f746a4fc6c168dd27c2488c0c412270cd23efa7db78287
Instruction ID: bcf287653a2b683d4b202f3dbdba01c4032b60ced41473c5810bf78ff14dee4f
Opcode Fuzzy Hash: fa0f8bace288bd9473f746a4fc6c168dd27c2488c0c412270cd23efa7db78287
Instruction Fuzzy Hash: E181BC716083459FD710CF14CB84EAB7BE9FB88318F14192DF985A7291DB32D906CB62

Function 00E9DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E9DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E9DC46
_wcslen.LIBCMT ref: 00E9DC50
_wcsstr.LIBVCRUNTIME ref: 00E9DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E9DCBC

Strings

04090000, xrefs: 00E9DCF2
%u.%u.%u.%u, xrefs: 00E9DD9A
\VarFileInfo\Translation, xrefs: 00E9DCB4
StringFileInfo\, xrefs: 00E9DC8F
DefaultLangCodepage, xrefs: 00E9DD1F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 149c4c729a8143dbae00b9cc8cf80929c74868317771378640048302f6a94519
Instruction ID: 845fecf741f11204a2ebd34baa7d3ffdc6bfde6f6ea5bee072a64f35aec934d7
Opcode Fuzzy Hash: 149c4c729a8143dbae00b9cc8cf80929c74868317771378640048302f6a94519
Instruction Fuzzy Hash: DD4143329043147ADB14AB749C07EFF77ACEF41B61F102869F904B6182EB75A90587A1

Function 00EBCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EBCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00EBCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EBCD48

Part of subcall function 00EBCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00EBCCAA
Part of subcall function 00EBCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00EBCCBD
Part of subcall function 00EBCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EBCCCF
Part of subcall function 00EBCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00EBCD05
Part of subcall function 00EBCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00EBCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00EBCCF3

Strings

advapi32.dll, xrefs: 00EBCCB8
RegDeleteKeyExW, xrefs: 00EBCCC9

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: e751e2e97f23ad33f4997820329479ee1e379fafe609c3146fbd925888be7042
Instruction ID: 287ce62aba34e70552b4718ebe9a4b92ed923cb6f5e5d2d9fcb9ed75df928808
Opcode Fuzzy Hash: e751e2e97f23ad33f4997820329479ee1e379fafe609c3146fbd925888be7042
Instruction Fuzzy Hash: 8D318E75901129BFDB208B52DC88EFFBB7CEF55754F200165F909F2250DA309A4ADAA0

Function 00EA3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EA3D40
_wcslen.LIBCMT ref: 00EA3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EA3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EA3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00EA3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EA3E55
CloseHandle.KERNEL32(00000000), ref: 00EA3E60
CloseHandle.KERNEL32(00000000), ref: 00EA3E6B

Strings

\??\%s, xrefs: 00EA3D5B
\, xrefs: 00EA3D77
:, xrefs: 00EA3D82

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: bed79e107e72e3b0a8361ae29ec2ec65b321c0fb88d4ad5695fff889ac66a7f7
Instruction ID: 8981bba96303bd42cd934fb3cc2349fcf67b0ec34b17d73999c11c91a6cc70e5
Opcode Fuzzy Hash: bed79e107e72e3b0a8361ae29ec2ec65b321c0fb88d4ad5695fff889ac66a7f7
Instruction Fuzzy Hash: 7D31D472900209ABDB209BA1DC49FEF37BCEF89745F2050B5F909F6060E77497498B24

Function 00E9E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E9E6B4

Part of subcall function 00E4E551: timeGetTime.WINMM(?,?,00E9E6D4), ref: 00E4E555

Sleep.KERNEL32(0000000A), ref: 00E9E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00E9E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E9E727
SetActiveWindow.USER32 ref: 00E9E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E9E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00E9E773
Sleep.KERNEL32(000000FA), ref: 00E9E77E
IsWindow.USER32 ref: 00E9E78A
EndDialog.USER32(00000000), ref: 00E9E79B

Strings

BUTTON, xrefs: 00E9E719

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 6481c794484eedf60e6b49a835e1f4657cc67ea3d731f667f93ddc49d92eb5e1
Instruction ID: 21a4f093915a2657a4c158028945ae40c475f9bb2bb4c008aac5d6668581f0cf
Opcode Fuzzy Hash: 6481c794484eedf60e6b49a835e1f4657cc67ea3d731f667f93ddc49d92eb5e1
Instruction Fuzzy Hash: B72151B0200209BFEF009F61ED8DE253B69F75474DB242435FA19B16A1DB73AC45AB25

Function 00E9E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E9EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E9EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E9EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E9EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E9EAA7

Strings

play PlayMe, xrefs: 00E9EAA2
status PlayMe mode, xrefs: 00E9EA58
close PlayMe, xrefs: 00E9EA6E, 00E9EA9B
play PlayMe wait, xrefs: 00E9EA91
alias PlayMe, xrefs: 00E9EA36
open , xrefs: 00E9EA0C

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: efdabf2b8c9912c889314b8522507f025239d107d4b8f26f2ae81236fc783782
Instruction ID: c158b1506bc718ad4045d0d8d086dfe213d4f61d644da97fb990740e9119d5fe
Opcode Fuzzy Hash: efdabf2b8c9912c889314b8522507f025239d107d4b8f26f2ae81236fc783782
Instruction Fuzzy Hash: 13115131A9025D7ADB20E7A2DC4AEFF6BBCEBD1B04F406429B511B20D1EAF05905C6B0

Function 00E95CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00E95CE2
GetWindowRect.USER32(00000000,?), ref: 00E95CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00E95D59
GetDlgItem.USER32(?,00000002), ref: 00E95D69
GetWindowRect.USER32(00000000,?), ref: 00E95D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00E95DCF
GetDlgItem.USER32(?,000003E9), ref: 00E95DDD
GetWindowRect.USER32(00000000,?), ref: 00E95DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00E95E31
GetDlgItem.USER32(?,000003EA), ref: 00E95E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E95E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00E95E67

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7adaddc032b5fc15e64b97e11009fb72eab1ceb340418517ac5d871a068e3aa1
Instruction ID: c165b9da099cc1f31b8da638bd043393153f2acd145270cde9cda3b400f48177
Opcode Fuzzy Hash: 7adaddc032b5fc15e64b97e11009fb72eab1ceb340418517ac5d871a068e3aa1
Instruction Fuzzy Hash: DA511CB1A00605AFDF18CF69CD89EAEBBB5EB48700F209129F919F6290D7719E05CB50

Function 00E48BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E48BE8,?,00000000,?,?,?,?,00E48BBA,00000000,?), ref: 00E48FC5

DestroyWindow.USER32(?), ref: 00E48C81
KillTimer.USER32(00000000,?,?,?,?,00E48BBA,00000000,?), ref: 00E48D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00E86973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00E48BBA,00000000,?), ref: 00E869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00E48BBA,00000000,?), ref: 00E869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00E48BBA,00000000), ref: 00E869D4
DeleteObject.GDI32(00000000), ref: 00E869E6

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 75d2c05e9f11c865515a5375af9d909154eec39e860d037f2925a518f53c5a94
Instruction ID: 08516c06bf31c5139fc7849763d56b49c8cb90b3ef30b14749785dbd2a72808b
Opcode Fuzzy Hash: 75d2c05e9f11c865515a5375af9d909154eec39e860d037f2925a518f53c5a94
Instruction Fuzzy Hash: 7561CE30502714DFDB259F15EA88B29B7F1FB4031AF10652DE04ABB5A0CB31AD85DF91

Function 00E49838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00E49944: GetWindowLongW.USER32(?,000000EB), ref: 00E49952

GetSysColor.USER32(0000000F), ref: 00E49862

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 669bbf60b9bfe15c5991578ec13d6b6cd11bd6d2ce2bd169e90c3781a0dc28f6
Instruction ID: e85447308351a390839f63ac436ec3fadb6ac13834be34d5990e09fa5a14c11f
Opcode Fuzzy Hash: 669bbf60b9bfe15c5991578ec13d6b6cd11bd6d2ce2bd169e90c3781a0dc28f6
Instruction Fuzzy Hash: 7541A5311056449FDB245F3DAC44FBA3B65AB4A334F285615FAAAB71E2C7319C42DB10

Function 00E68D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

., xrefs: 00E6903A, 00E68FD0, 00E68FF2

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-3963672497
Opcode ID: f5b28752ad84b801b90e0ef6847c3dc6e0d63acafa7cc239579aed9923612c32
Instruction ID: a26a3266e46a388cc04d9181954d4205c224c68a36c3cde65990e9811381da8f
Opcode Fuzzy Hash: f5b28752ad84b801b90e0ef6847c3dc6e0d63acafa7cc239579aed9923612c32
Instruction Fuzzy Hash: 9DC10274A44249AFCF11DFA8E840BADBBF5BF49390F186199F915B7392CB308941CB60

Function 00E996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00E7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00E99717
LoadStringW.USER32(00000000,?,00E7F7F8,00000001), ref: 00E99720

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00E7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00E99742
LoadStringW.USER32(00000000,?,00E7F7F8,00000001), ref: 00E99745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00E99866

Strings

Line %d:, xrefs: 00E997A0
Line %d (File "%s"):, xrefs: 00E9978F
%s (%d) : ==> %s: %s %s, xrefs: 00E9984A
^ ERROR, xrefs: 00E997FB
Error: , xrefs: 00E9981D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 745afc66c8b4a0020583e2574a5c815eff9a8a79edb16b2bbf0ae8582bc9da17
Instruction ID: 2e1267e47da1ca59be7466cfbeb26e5d47e098539b23c965385485e104bd8eca
Opcode Fuzzy Hash: 745afc66c8b4a0020583e2574a5c815eff9a8a79edb16b2bbf0ae8582bc9da17
Instruction Fuzzy Hash: 5A414172800209ABCF14FBE4DD4ADEEB7B8AF55340F206069F60572092EB755F49CB61

Function 00E906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00E907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00E90804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00E9082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E90837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E9083C

Strings

SOFTWARE\Classes\, xrefs: 00E9070E
\CLSID, xrefs: 00E90724
\IPC$, xrefs: 00E90784

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 5a3a9469b94d6b58f5b708c46806e2b41751fb4e8abba2e7a2a5120eb2f46965
Instruction ID: b2898536d03a1b64ac3be8ea6212d0c61f4c60f257f15026dc359a23f981f9e3
Opcode Fuzzy Hash: 5a3a9469b94d6b58f5b708c46806e2b41751fb4e8abba2e7a2a5120eb2f46965
Instruction Fuzzy Hash: EF411772C10229AFCF25EBA4DC89CEDBBB8BF44350F545129E915B3161EB709E44CBA0

Function 00EB3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EB3C5C
CoInitialize.OLE32(00000000), ref: 00EB3C8A
CoUninitialize.OLE32 ref: 00EB3C94
_wcslen.LIBCMT ref: 00EB3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00EB3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00EB3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00EB3F0E
CoGetObject.OLE32(?,00000000,00ECFB98,?), ref: 00EB3F2D
SetErrorMode.KERNEL32(00000000), ref: 00EB3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EB3FC4
VariantClear.OLEAUT32(?), ref: 00EB3FD8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 2036cc201609a5d35388da905be3670dc88567e7c4715358244833fdc655386a
Instruction ID: b1fa1e492a66598e3a9fc8f4fa19311d41ae8952ffc94c97e62067052126c32e
Opcode Fuzzy Hash: 2036cc201609a5d35388da905be3670dc88567e7c4715358244833fdc655386a
Instruction Fuzzy Hash: 71C169716083019FC700DF68C8859ABBBE9FF89748F10591DF989AB251DB31ED06CB52

Function 00EA7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EA7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EA7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00EA7BA3
CoCreateInstance.OLE32(00ECFD08,00000000,00000001,00EF6E6C,?), ref: 00EA7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EA7C74
CoTaskMemFree.OLE32(?,?), ref: 00EA7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00EA7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EA7D7A
CoTaskMemFree.OLE32(00000000), ref: 00EA7D81
CoTaskMemFree.OLE32(00000000), ref: 00EA7DD6
CoUninitialize.OLE32 ref: 00EA7DDC

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a07d21a5c55913afae6892dd82295ea3838795b08c21352a10627409f5060407
Instruction ID: 522dc9c672fa1f0a66530bc5485c73599e661e5d892cd2beed2090c5c8e1cc5b
Opcode Fuzzy Hash: a07d21a5c55913afae6892dd82295ea3838795b08c21352a10627409f5060407
Instruction Fuzzy Hash: 32C13B75A04109AFCB14DF64C888DAEBBF9FF49304F1494A8E45AEB261C731ED46CB90

Function 00EC541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EC5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EC5515
CharNextW.USER32(00000158), ref: 00EC5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EC5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EC559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EC55AC

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5023f2d70e08f9888d67ef71474f915073e4976dd129bd42c7a34f5403f2c8c9
Instruction ID: 4e674e28c349409561426675fc7469d6cce725f9e627adc4e0064991ed6964e8
Opcode Fuzzy Hash: 5023f2d70e08f9888d67ef71474f915073e4976dd129bd42c7a34f5403f2c8c9
Instruction Fuzzy Hash: 3B618B32900608EFDF108F54CE84EFE7BB9FB09724F105159F925B6290D772AA82DB61

Function 00E8FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E8FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00E8FB08
VariantInit.OLEAUT32(?), ref: 00E8FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E8FB3A
VariantCopy.OLEAUT32(?,?), ref: 00E8FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E8FBA1
VariantClear.OLEAUT32(?), ref: 00E8FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00E8FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E8FBCC
VariantClear.OLEAUT32(?), ref: 00E8FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E8FBE9

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 1bd38bf9d64d95716f71787c5786df324b074132e52caa0c7580de4eb0bee653
Instruction ID: 32dbaa75055a567cb57b8bf1cb5257d4718f8ed7ac1dfb0ca1f294cb79e84d33
Opcode Fuzzy Hash: 1bd38bf9d64d95716f71787c5786df324b074132e52caa0c7580de4eb0bee653
Instruction Fuzzy Hash: A4417135A002199FCB04EF64C858DADBBB9FF08354F109075E85DB7261D731A946CF90

Function 00E99C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E99CA1
GetAsyncKeyState.USER32(000000A0), ref: 00E99D22
GetKeyState.USER32(000000A0), ref: 00E99D3D
GetAsyncKeyState.USER32(000000A1), ref: 00E99D57
GetKeyState.USER32(000000A1), ref: 00E99D6C
GetAsyncKeyState.USER32(00000011), ref: 00E99D84
GetKeyState.USER32(00000011), ref: 00E99D96
GetAsyncKeyState.USER32(00000012), ref: 00E99DAE
GetKeyState.USER32(00000012), ref: 00E99DC0
GetAsyncKeyState.USER32(0000005B), ref: 00E99DD8
GetKeyState.USER32(0000005B), ref: 00E99DEA

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 48ce5893ee94d7d3c371ce5a4fde33cb93e313ddce8e19819e5975d24d2befee
Instruction ID: 384e80dc2e23a72990fdad91a8a169dcc6bb2bac209981a492f44945bd593f49
Opcode Fuzzy Hash: 48ce5893ee94d7d3c371ce5a4fde33cb93e313ddce8e19819e5975d24d2befee
Instruction Fuzzy Hash: 1141D8745047C96EFF30866988447B5FEE06F12348F08905EDAC67B5C3EBA599C8C792

Function 00EB055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EB05BC
inet_addr.WSOCK32(?), ref: 00EB061C
gethostbyname.WSOCK32(?), ref: 00EB0628
IcmpCreateFile.IPHLPAPI ref: 00EB0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EB06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EB06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00EB07B9
WSACleanup.WSOCK32 ref: 00EB07BF

Strings

Ping, xrefs: 00EB0676

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 42c5b709b21dfff5092bd698527bd037ceed17f70f70dec5fac2fd2df0e7f595
Instruction ID: 875c53e1c229d5b26edcb3d51763fda4d940807c20275baacd284f96528ff97c
Opcode Fuzzy Hash: 42c5b709b21dfff5092bd698527bd037ceed17f70f70dec5fac2fd2df0e7f595
Instruction Fuzzy Hash: 47918D35604211AFD320DF15D488F5BBBE4AF44318F1495AAF46AABAA2CB30FD45CF91

Function 00EB8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00EB8CF3

Part of subcall function 00E98E54: _wcslen.LIBCMT ref: 00E98E77

_wcslen.LIBCMT ref: 00EB8D4E
_wcslen.LIBCMT ref: 00EB8D9C
_wcslen.LIBCMT ref: 00EB8DDC
_wcslen.LIBCMT ref: 00EB8E6E

Strings

none, xrefs: 00EB8E65, 00EB8E6A
stdcall, xrefs: 00EB8DD6, 00EB8DDB
winapi, xrefs: 00EB8D96, 00EB8D9B
cdecl, xrefs: 00EB8D48, 00EB8D4D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 0a9ac5a8ef882e303368519a93bcefcfeb79a779ec3c080b9c83c1f66e61ad39
Instruction ID: 830bd7417a12955201107c8f50963eef7d9a3d1d197141866dd2a2b83aaf6b0b
Opcode Fuzzy Hash: 0a9ac5a8ef882e303368519a93bcefcfeb79a779ec3c080b9c83c1f66e61ad39
Instruction Fuzzy Hash: AC518031A041169BCB14DF68CE519FFB7A9AF64328B21622AE966F73C4DB31DD40C790

Function 00EB372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00EB3774
CoUninitialize.OLE32 ref: 00EB377F
CoCreateInstance.OLE32(?,00000000,00000017,00ECFB78,?), ref: 00EB37D9
IIDFromString.OLE32(?,?), ref: 00EB384C
VariantInit.OLEAUT32(?), ref: 00EB38E4
VariantClear.OLEAUT32(?), ref: 00EB3936

Strings

Failed to create object, xrefs: 00EB37E4, 00EB389A
Invalid parameter, xrefs: 00EB3865
NULL Pointer assignment, xrefs: 00EB381E

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d8d78fa61287f7263aae9e87c9e4f939b218ecf3eeeba228e619c5c855ca42fe
Instruction ID: d6b08d66435bd8d9c24c65e791f595b0600f398546879e353703dca22249e358
Opcode Fuzzy Hash: d8d78fa61287f7263aae9e87c9e4f939b218ecf3eeeba228e619c5c855ca42fe
Instruction Fuzzy Hash: DE61B171608311AFD314DF64C84AFABBBE4AF44714F10581AF585B7291D770EE49CB92

Function 00EA3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00EA33CF

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EA33F0

Strings

Line %d (File "%s"):, xrefs: 00EA3443, 00EA345C
Error: , xrefs: 00EA34D1
Incorrect parameters to object property !, xrefs: 00EA34AB
"%s" (%d) : ==> %s:, xrefs: 00EA3522
^ ERROR , xrefs: 00EA349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00EA3504

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: b69c512bcc76fa12e991d4ac2580f8a41c11cc63fa0e21da50dad924344b486c
Instruction ID: f79998c2dec186e580278895ec6b86d24d25bba3c80f0275135d9346d7b4ec76
Opcode Fuzzy Hash: b69c512bcc76fa12e991d4ac2580f8a41c11cc63fa0e21da50dad924344b486c
Instruction Fuzzy Hash: 3B518F71D00209ABDF15EBA0CD4AEEEBBB9BF09340F206165F51572062EB752F58DB60

Function 00E9B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E9B5FC
_wcslen.LIBCMT ref: 00E9B608
_wcslen.LIBCMT ref: 00E9B64D
_wcslen.LIBCMT ref: 00E9B68C
_wcslen.LIBCMT ref: 00E9B6C7

Strings

KEYS, xrefs: 00E9B647, 00E9B64C
REMOVE, xrefs: 00E9B602, 00E9B607
APPEND, xrefs: 00E9B6C1, 00E9B6C6
EXISTS, xrefs: 00E9B686, 00E9B68B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 45484e0018fb645dc678c38ff34ba6c81ca80b0441fcd406bbd4a8ebe1da7968
Instruction ID: 651120aad14c86093001a2b91e3763037e1d09730a67341c088d83fe2052fe1d
Opcode Fuzzy Hash: 45484e0018fb645dc678c38ff34ba6c81ca80b0441fcd406bbd4a8ebe1da7968
Instruction Fuzzy Hash: AB41FD32A001279BCF106F7DDE915BE77A5AFA075CB24622AE421F7285E731DD81C790

Function 00EA5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EA53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EA5416
GetLastError.KERNEL32 ref: 00EA5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00EA54A7

Strings

READONLY, xrefs: 00EA5452
UNKNOWN, xrefs: 00EA5444
INVALID, xrefs: 00EA5459
NOTREADY, xrefs: 00EA544B
READY, xrefs: 00EA5460, 00EA5468

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c716cf6cecab3700235a91105640e19d05c1632886efcbdf2b321a9af7354095
Instruction ID: 3cbd9016dcddf7d3e7836732fd3e8d4b5d1f65b02f59231b3a1dd9e190b85ce3
Opcode Fuzzy Hash: c716cf6cecab3700235a91105640e19d05c1632886efcbdf2b321a9af7354095
Instruction Fuzzy Hash: 6E31E236A006049FC710DF68C484AADBBB4EF4E309F189065E516FF292D731ED86CB90

Function 00EC3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00EC3C79
SetMenu.USER32(?,00000000), ref: 00EC3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC3D10
IsMenu.USER32(?), ref: 00EC3D24
CreatePopupMenu.USER32 ref: 00EC3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EC3D5B
DrawMenuBar.USER32 ref: 00EC3D63

Strings

F, xrefs: 00EC3D4E
0, xrefs: 00EC3C54

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 6e44beb936add4310f44e8b545e792e1ad85e2cf69a3bc187b92e85413c23eef
Instruction ID: bbf02fb9b3244896a24ae4191f38cc473b8e2bd85a8657c179c52dc1fa69eafb
Opcode Fuzzy Hash: 6e44beb936add4310f44e8b545e792e1ad85e2cf69a3bc187b92e85413c23eef
Instruction Fuzzy Hash: 5D418874A01209AFDB14CF64D944FEABBB5FF49314F14402CF94AA7360D732AA16CB90

Function 00E91EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00E91F64
GetDlgCtrlID.USER32 ref: 00E91F6F
GetParent.USER32 ref: 00E91F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E91F8E
GetDlgCtrlID.USER32(?), ref: 00E91F97
GetParent.USER32(?), ref: 00E91FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E91FAE

Strings

ComboBox, xrefs: 00E91EEC
ListBox, xrefs: 00E91F21

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: f2df44897f4dadfd01a9e664d7843935e6fd2eda1f5e86d67de8f31419cf4c66
Instruction ID: 5e170ca60a3accd4c9b194e2e9282d842d32638ed529a7e5bad6e31ca3f6deb7
Opcode Fuzzy Hash: f2df44897f4dadfd01a9e664d7843935e6fd2eda1f5e86d67de8f31419cf4c66
Instruction Fuzzy Hash: A321AC71A00218BFCF05AFA0CC89EFEBBA8AF15310F102155F965B72A1CB795909DB61

Function 00EC3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EC3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EC3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00EC3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EC3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EC3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00EC3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00EC3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00EC3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00EC3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00EC3C13

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a3586945d1d97ee09c663c54a1e9000625d41e558694c45333e78b847fe9a25b
Instruction ID: 6241eb5832a30c863cb36564da0f1f1306fab167c909909204802854ca902f67
Opcode Fuzzy Hash: a3586945d1d97ee09c663c54a1e9000625d41e558694c45333e78b847fe9a25b
Instruction Fuzzy Hash: CC615975900208AFDB10DFA8CD81FEEB7F8AB09704F105199FA15A72A1D771AE46DB60

Function 00E9B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E9B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E9A1E1,?,00000001), ref: 00E9B165
GetWindowThreadProcessId.USER32(00000000), ref: 00E9B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E9A1E1,?,00000001), ref: 00E9B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E9B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00E9A1E1,?,00000001), ref: 00E9B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E9A1E1,?,00000001), ref: 00E9B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E9A1E1,?,00000001), ref: 00E9B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00E9A1E1,?,00000001), ref: 00E9B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00E9A1E1,?,00000001), ref: 00E9B21D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 9cf2280524bc0a707b628d99896b80b912b69077c6070fab823426d6e77d473b
Instruction ID: e2127d4faacf469840051adab87468df134d2b2bed11f4c9b49be150343402e7
Opcode Fuzzy Hash: 9cf2280524bc0a707b628d99896b80b912b69077c6070fab823426d6e77d473b
Instruction Fuzzy Hash: CD319C71501208BFDF109F26EE48FAD7BADFB51719F205019FA05E61A0D7B4AA468F60

Function 00E62C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E62C94

Part of subcall function 00E629C8: HeapFree.KERNEL32(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0

_free.LIBCMT ref: 00E62CA0
_free.LIBCMT ref: 00E62CAB
_free.LIBCMT ref: 00E62CB6
_free.LIBCMT ref: 00E62CC1
_free.LIBCMT ref: 00E62CCC
_free.LIBCMT ref: 00E62CD7
_free.LIBCMT ref: 00E62CE2
_free.LIBCMT ref: 00E62CED
_free.LIBCMT ref: 00E62CFB

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c1bdeb1e494c96b97ff8640e4779527a8e7913d3c73c0c9633601209baf44b82
Instruction ID: a007ef78b41c1b222920f5e75c5ff75d582289020504bebb76d33319c8a8d582
Opcode Fuzzy Hash: c1bdeb1e494c96b97ff8640e4779527a8e7913d3c73c0c9633601209baf44b82
Instruction Fuzzy Hash: 0B11A776640508BFCB06EF54E842CDD3BA5FF853D0F4154A9FA486F222D631EE509B90

Function 00E31410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E31459
OleUninitialize.OLE32(?,00000000), ref: 00E314F8
UnregisterHotKey.USER32(?), ref: 00E316DD
DestroyWindow.USER32(?), ref: 00E724B9
FreeLibrary.KERNEL32(?), ref: 00E7251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E7254B

Strings

close all, xrefs: 00E31454

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a38ee696554805f263e8a903cad95de0677b4e29e3fbb440ed88d1879e952766
Instruction ID: f78ceddea90d62b9530ca8ebf2e522ece7fc85e3bf420f272c4aa561c7e33ba1
Opcode Fuzzy Hash: a38ee696554805f263e8a903cad95de0677b4e29e3fbb440ed88d1879e952766
Instruction Fuzzy Hash: 1CD18C31701212CFCB29EF55C499B69FBA0BF45704F24A2ADE54A7B262CB31AD12CF51

Function 00EA7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EA7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA7FC1
GetFileAttributesW.KERNEL32(?), ref: 00EA7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EA8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00EA8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00EA80B0

Strings

*.*, xrefs: 00EA8066

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 337dc406ca54732b615070392a620a4a0ee182b638c831aa9c31e7e7bb04893d
Instruction ID: d3573ce5e0c2fe88ac22df00b0a1cfbd9f73a522bf05286a8fa64f59c3aad83c
Opcode Fuzzy Hash: 337dc406ca54732b615070392a620a4a0ee182b638c831aa9c31e7e7bb04893d
Instruction Fuzzy Hash: 5A81C3725082419BCB24DF14C8849AAB7D8BF8A314F14AC5EF8C5EB251EB35ED49CB52

Function 00E35BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E35C7A

Part of subcall function 00E35D0A: GetClientRect.USER32(?,?), ref: 00E35D30
Part of subcall function 00E35D0A: GetWindowRect.USER32(?,?), ref: 00E35D71
Part of subcall function 00E35D0A: ScreenToClient.USER32(?,?), ref: 00E35D99

GetDC.USER32 ref: 00E746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E74708
SelectObject.GDI32(00000000,00000000), ref: 00E74716
SelectObject.GDI32(00000000,00000000), ref: 00E7472B
ReleaseDC.USER32(?,00000000), ref: 00E74733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E747C4

Strings

U, xrefs: 00E74693

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 9206e9100949536817abbd65a4e65f0a4bf570cf4d9c4517ad22322710f3ecb4
Instruction ID: 1268cad5362376fdda343b0145a5192bdd87eebe9d4462d073250ab8eb6ed46c
Opcode Fuzzy Hash: 9206e9100949536817abbd65a4e65f0a4bf570cf4d9c4517ad22322710f3ecb4
Instruction Fuzzy Hash: DB71D171500205DFCF258F64C984AFA7BB5FF4A318F24A26AE9597A2A6C331D841DF50

Function 00EA359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00EA35E4

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

LoadStringW.USER32(00F02390,?,00000FFF,?), ref: 00EA360A

Strings

Line %d (File "%s"):, xrefs: 00EA366B
^ ERROR, xrefs: 00EA36C9
Error: , xrefs: 00EA36EF
"%s" (%d) : ==> %s:, xrefs: 00EA3742
"%s" (%d) : ==> %s:%s%s, xrefs: 00EA3724

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 300e3ea83063d38ca4538117fe93331cbe8538bcd2f28c89f1aa299c0af18d6e
Instruction ID: ce4cff4640b64f5e3b631e2eb58280ed57252f27a1aa2e24b09a06be9af661e4
Opcode Fuzzy Hash: 300e3ea83063d38ca4538117fe93331cbe8538bcd2f28c89f1aa299c0af18d6e
Instruction Fuzzy Hash: 98516D71800209BBDF15EBA0DC46EEEBBB8FF45304F146125F115761A2EB712A99DFA0

Function 00EC8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2

Part of subcall function 00E4912D: GetCursorPos.USER32(?), ref: 00E49141
Part of subcall function 00E4912D: ScreenToClient.USER32(00000000,?), ref: 00E4915E
Part of subcall function 00E4912D: GetAsyncKeyState.USER32(00000001), ref: 00E49183
Part of subcall function 00E4912D: GetAsyncKeyState.USER32(00000002), ref: 00E4919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00EC8B6B
ImageList_EndDrag.COMCTL32 ref: 00EC8B71
ReleaseCapture.USER32 ref: 00EC8B77
SetWindowTextW.USER32(?,00000000), ref: 00EC8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00EC8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00EC8CFF

Strings

@GUI_DRAGFILE, xrefs: 00EC8C9A
@GUI_DROPID, xrefs: 00EC8C51

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 3d6417dd1019b505ce129c75e2badd122dd06ed593f0bfb58c55a88db8044177
Instruction ID: 1da682bb545f6cb6ad30bc0b54ba4bef7edaef291120d97299fd3c940d4cafa4
Opcode Fuzzy Hash: 3d6417dd1019b505ce129c75e2badd122dd06ed593f0bfb58c55a88db8044177
Instruction Fuzzy Hash: 1051AA71204304AFD704DF10DA9AFAABBE4FB88714F10162DF996672E2CB719945CB62

Function 00EAC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EAC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EAC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EAC2CA
GetLastError.KERNEL32 ref: 00EAC322
SetEvent.KERNEL32(?), ref: 00EAC336
InternetCloseHandle.WININET(00000000), ref: 00EAC341

Strings

, xrefs: 00EAC2BB

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 90d28f5f06d068a3ca66614304a3f8286905cea54a0a9e5e4ed9c199c20701fa
Instruction ID: 8b1259a6b7b66d661a3eca0f8804dc27ab822c4442a6e410af1470791f98f36c
Opcode Fuzzy Hash: 90d28f5f06d068a3ca66614304a3f8286905cea54a0a9e5e4ed9c199c20701fa
Instruction Fuzzy Hash: 03318471500604AFDB219F658C84AAB7AFCEB4E744F20951EF44AB6210D731ED099B60

Function 00E9989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E73AAF,?,?,Bad directive syntax error,00ECCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00E998BC
LoadStringW.USER32(00000000,?,00E73AAF,?), ref: 00E998C3

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E99987

Strings

Line %d:, xrefs: 00E99912
., xrefs: 00E9996D
Error: , xrefs: 00E99955
Line %d (File "%s"):, xrefs: 00E9992D
%s (%d) : ==> %s.: %s %s, xrefs: 00E998F1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 07bed88c8170ca78df27ae0cf6618241dcbd4ad48bcb4592c95f19f449368c81
Instruction ID: efdb40a203e4c82a17c27043cc652da703c04db20af86f615181f3c48d75c4b6
Opcode Fuzzy Hash: 07bed88c8170ca78df27ae0cf6618241dcbd4ad48bcb4592c95f19f449368c81
Instruction Fuzzy Hash: DC215E3194021EABCF15AF90CC0AEEE7BB5FF18704F046469F629760A2EB719618DB50

Function 00E9209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00E920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00E920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E9214D

Strings

list, xrefs: 00E9212F
smallicons, xrefs: 00E92115
details, xrefs: 00E920FB
SHELLDLL_DefView, xrefs: 00E920CC
largeicons, xrefs: 00E920E1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 9a2ce5356512f13b85d7e22a511002478db47930451acacad2703d9612330990
Instruction ID: 94c5330c00cecc962cbb0d20b58669d33651c54424de1fae8349905fa0ae0426
Opcode Fuzzy Hash: 9a2ce5356512f13b85d7e22a511002478db47930451acacad2703d9612330990
Instruction Fuzzy Hash: BF110A77688706BAFE012221DC06DFA379CCB14729F20302AFB04B50D2FA6158565614

Function 00E6CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E6CEB7
_free.LIBCMT ref: 00E6CF22
_free.LIBCMT ref: 00E6CF48
_free.LIBCMT ref: 00E6CF71
_free.LIBCMT ref: 00E6CFA9
_free.LIBCMT ref: 00E6CFDA
_free.LIBCMT ref: 00E6D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00E6D09C
_free.LIBCMT ref: 00E6D0B5

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: f8b8bf204cca5eecd015ae8dafda18d1ffbcd5b362df41e5f69f3b2b3eaddf78
Instruction ID: 8c0ee28cc604b7dbfbc142b53d6820b1638067f31a3034436e0688e1b935e66b
Opcode Fuzzy Hash: f8b8bf204cca5eecd015ae8dafda18d1ffbcd5b362df41e5f69f3b2b3eaddf78
Instruction Fuzzy Hash: F6618971B85204AFDB25AFB4BC41A797BE5EF053E4F24116DF984B7281DA329D0187A0

Function 00EC50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00EC5186
ShowWindow.USER32(?,00000000), ref: 00EC51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00EC51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00EC51D1

Part of subcall function 00EC6FBA: DeleteObject.GDI32(00000000), ref: 00EC6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00EC520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EC524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00EC5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00EC5296

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: e1da3e01467206ea3a08b7ed1d9794a9ad49a1a5ef271f40e1ca783d0318fad6
Instruction ID: 8eb1fa69c28952e31aa76f9fe6261c456093545cfa02ffd574a38cf644fd7330
Opcode Fuzzy Hash: e1da3e01467206ea3a08b7ed1d9794a9ad49a1a5ef271f40e1ca783d0318fad6
Instruction Fuzzy Hash: 6B51A332A41A08AEEF249F24CD49FD937F5EB05324F54601AF515B62E1C372B9D2DB41

Function 00E48B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00E86890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00E868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00E868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E48874,00000000,00000000,00000000,000000FF,00000000), ref: 00E86901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E8691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00E48874,00000000,00000000,00000000,000000FF,00000000), ref: 00E8692D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 1628b0a88997ef791feb598099a779b9c978bf1e1321687e4415cd0c5991ff6f
Instruction ID: 6f92f825a3c3f6580ace1a7d816fa7b3810cd0796db3f224acb6785f133ab759
Opcode Fuzzy Hash: 1628b0a88997ef791feb598099a779b9c978bf1e1321687e4415cd0c5991ff6f
Instruction Fuzzy Hash: 3851B974A00209EFDB20DF25DD45FAA3BB5FB88714F105128F90AA72A0DB71E991DB40

Function 00EAC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EAC182
GetLastError.KERNEL32 ref: 00EAC195
SetEvent.KERNEL32(?), ref: 00EAC1A9

Part of subcall function 00EAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EAC272
Part of subcall function 00EAC253: GetLastError.KERNEL32 ref: 00EAC322
Part of subcall function 00EAC253: SetEvent.KERNEL32(?), ref: 00EAC336
Part of subcall function 00EAC253: InternetCloseHandle.WININET(00000000), ref: 00EAC341

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5254d35cd8980f4ee7c1beb32aeb39b6a548ad6b5210f7b3732e36b8f8c1c939
Instruction ID: 4e4218b3cc02c4a1599dbb42a0a78acd4ec529647b2b53d569a9ca2c056cd3a9
Opcode Fuzzy Hash: 5254d35cd8980f4ee7c1beb32aeb39b6a548ad6b5210f7b3732e36b8f8c1c939
Instruction Fuzzy Hash: 3431A371200A05EFDB219FB5DD04AA67BF8FF1D304B24542EF55AAA620D731F816DBA0

Function 00E925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E93A57
Part of subcall function 00E93A3D: GetCurrentThreadId.KERNEL32 ref: 00E93A5E
Part of subcall function 00E93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E925B3), ref: 00E93A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00E925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00E925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E92601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00E92605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E9260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E92623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00E92627

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d366bada70214ca7ab3008fd89776880374a387ebe0206407c9cee57d187de80
Instruction ID: 4ab3b0de65bfeb22256125e5ae276dafde611cafc91ca8000b2664b18ff4b85f
Opcode Fuzzy Hash: d366bada70214ca7ab3008fd89776880374a387ebe0206407c9cee57d187de80
Instruction Fuzzy Hash: EF01D830790210BBFF10676A9C8AF597FA9DB4EB11F211015F318BE1D1C9E214458A6A

Function 00E91803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00E91449,?,?,00000000), ref: 00E9180C
HeapAlloc.KERNEL32(00000000,?,00E91449,?,?,00000000), ref: 00E91813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E91449,?,?,00000000), ref: 00E91828
GetCurrentProcess.KERNEL32(?,00000000,?,00E91449,?,?,00000000), ref: 00E91830
DuplicateHandle.KERNEL32(00000000,?,00E91449,?,?,00000000), ref: 00E91833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E91449,?,?,00000000), ref: 00E91843
GetCurrentProcess.KERNEL32(00E91449,00000000,?,00E91449,?,?,00000000), ref: 00E9184B
DuplicateHandle.KERNEL32(00000000,?,00E91449,?,?,00000000), ref: 00E9184E
CreateThread.KERNEL32(00000000,00000000,00E91874,00000000,00000000,00000000), ref: 00E91868

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 857398a8d1d4f5d2f872093610d8c72c1c9ab9619fd8c9ba1586795b88ccb7ef
Instruction ID: 35147f5d4fa9ebc04bf99b3570dbae0d7447cef30608aa65941c529cbd54e017
Opcode Fuzzy Hash: 857398a8d1d4f5d2f872093610d8c72c1c9ab9619fd8c9ba1586795b88ccb7ef
Instruction Fuzzy Hash: 9101BFB5241344BFE710AB66DC4DF5B3B6CEB89B11F144461FA05EB192C6759805CB20

Function 00E63E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E63F0B
__alldvrm.LIBCMT ref: 00E6410C
__alldvrm.LIBCMT ref: 00E6412E

Strings

}}, xrefs: 00E63E8A
}}, xrefs: 00E63E96, 00E63EF1, 00E63F0A, 00E64090
}}, xrefs: 00E640CD

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}$}}$}}
API String ID: 1036877536-1495402609
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 2e1734af80e771201bfeceaffdb6261fc50b8c28b8ab59777c51e6fe6ff27f48
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 32A18BB1E403969FDB25CF28D8817AEBBE4EF62394F1451ADE585BB2C2C2348D81C751

Function 00EBA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00E9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00E9D501
Part of subcall function 00E9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00E9D50F
Part of subcall function 00E9D4DC: CloseHandle.KERNEL32(00000000), ref: 00E9D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EBA16D
GetLastError.KERNEL32 ref: 00EBA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EBA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00EBA268
GetLastError.KERNEL32(00000000), ref: 00EBA273
CloseHandle.KERNEL32(00000000), ref: 00EBA2C4

Strings

SeDebugPrivilege, xrefs: 00EBA18F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a9cc030db598005dbb20dbd435abc7abe811c1feaab0d146d71942a911b5e7a8
Instruction ID: e661b1a914e21c75abc49494af14f5e4191a07ba3b5cbce5955cee04759e28b7
Opcode Fuzzy Hash: a9cc030db598005dbb20dbd435abc7abe811c1feaab0d146d71942a911b5e7a8
Instruction Fuzzy Hash: B661B570205242AFDB10DF19C494F56BBE1AF44318F1894ACE4566F7A3C772ED49CB92

Function 00EC3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EC3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00EC393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EC3954
_wcslen.LIBCMT ref: 00EC3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00EC39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EC39F4

Strings

SysListView32, xrefs: 00EC38F7

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 8e99545a2875ffcbf08f9e6df3aab646b62dc352bd013d54acff65aa0e4c6a6a
Instruction ID: 941883fabbf33e3f12f0d738bbbd4f1fb7ae6b94520871c85816165ebf021891
Opcode Fuzzy Hash: 8e99545a2875ffcbf08f9e6df3aab646b62dc352bd013d54acff65aa0e4c6a6a
Instruction Fuzzy Hash: AB41C231A00208ABDF219F64CD45FEA7BA9FF48354F10552AF948F7281D7729A85CB90

Function 00E9BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E9BCFD
IsMenu.USER32(00000000), ref: 00E9BD1D
CreatePopupMenu.USER32 ref: 00E9BD53
GetMenuItemCount.USER32(009F54D8), ref: 00E9BDA4
InsertMenuItemW.USER32(009F54D8,?,00000001,00000030), ref: 00E9BDCC

Strings

2, xrefs: 00E9BD37
0, xrefs: 00E9BCA8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 16848750844a8d37d82a55827ff75c08b72bd29229b5396b5b1c6bb5a64ff4ef
Instruction ID: ef12d867b235b8921100b4a6181bc34ae4905968a0e13dbb88da38b7c151d9c5
Opcode Fuzzy Hash: 16848750844a8d37d82a55827ff75c08b72bd29229b5396b5b1c6bb5a64ff4ef
Instruction Fuzzy Hash: 7551BF70A002099BDF10DFA9EA88BEEBBF8BF45318F245169E405F7290D7709945CB61

Function 00E52D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E52D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00E52D53
_ValidateLocalCookies.LIBCMT ref: 00E52DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00E52E0C
_ValidateLocalCookies.LIBCMT ref: 00E52E61

Strings

csm, xrefs: 00E52DF6
&H, xrefs: 00E52DFE, 00E52E07, 00E52E18

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H$csm
API String ID: 1170836740-1242228090
Opcode ID: e686417463f5328d970938cd716259fde60df47417ededf5f2c5a467535b50d8
Instruction ID: df85f41f30cfba28989063d21767f6ed5bd6b6881e43996d51cdfba471349b5a
Opcode Fuzzy Hash: e686417463f5328d970938cd716259fde60df47417ededf5f2c5a467535b50d8
Instruction Fuzzy Hash: D441D834A00208DBCF14DF68C845A9EBBF4BF4631AF149559EE147B392D731AA09CBD0

Function 00E9C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00E9C913

Strings

question, xrefs: 00E9C8CC
info, xrefs: 00E9C8B4
blank, xrefs: 00E9C895
warning, xrefs: 00E9C8FC
stop, xrefs: 00E9C8E4

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: fca8bdfd6aa5920f38fb67c691816600c8ab9e883527e324671d601f61f061d0
Instruction ID: 2d611d74db4ec1336da32fcbc0ee15a85b1825109f3297a073255fcf8883a7b0
Opcode Fuzzy Hash: fca8bdfd6aa5920f38fb67c691816600c8ab9e883527e324671d601f61f061d0
Instruction Fuzzy Hash: BC11D53268930ABBAB05BB549C82CAA77DCDF1535DB30242BF904B62C2E7A16E415364

Function 00E9DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E9DE42
gethostname.WSOCK32(?,00000100), ref: 00E9DE5C
gethostbyname.WSOCK32(?), ref: 00E9DE69
inet_ntoa.WSOCK32(?), ref: 00E9DEAB
_strcat.LIBCMT ref: 00E9DEB9
WSACleanup.WSOCK32 ref: 00E9DEDE

Strings

0.0.0.0, xrefs: 00E9DE87

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 22ca6ac23e5e9f950250686a979e7ebb1852ea5220684402d406158322f48e8e
Instruction ID: 04c880e9487565469f1421a1116c43bea206adb442fb0d57aa4c70ab3cb3b637
Opcode Fuzzy Hash: 22ca6ac23e5e9f950250686a979e7ebb1852ea5220684402d406158322f48e8e
Instruction Fuzzy Hash: BA113671808215AFCF24AB709C0AEEF77BCDF10715F101179F509B6091EF719A858A60

Function 00E9ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00E9ED2A
_wcslen.LIBCMT ref: 00E9ED3B
_wcslen.LIBCMT ref: 00E9ED79
_wcslen.LIBCMT ref: 00E9EDAF
_wcslen.LIBCMT ref: 00E9EDDF
_wcslen.LIBCMT ref: 00E9EDEF
_wcslen.LIBCMT ref: 00E9EE2B
_wcslen.LIBCMT ref: 00E9EE5A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 74e8364881a888eb61b7a575dc56ea41bf3019e2093e07c78fb3064581ba2cc2
Instruction ID: 1019ac31052da8be2c29c044912b897338474cf50b53552cfa61b8ecf0b39e7d
Opcode Fuzzy Hash: 74e8364881a888eb61b7a575dc56ea41bf3019e2093e07c78fb3064581ba2cc2
Instruction Fuzzy Hash: 04419265C1011865CB11EBB48C8A9CFB7ECEF45311F50A866EA14F3261FB34D249C3A5

Function 00E4F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E8682C,00000004,00000000,00000000), ref: 00E4F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00E8682C,00000004,00000000,00000000), ref: 00E8F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E8682C,00000004,00000000,00000000), ref: 00E8F454

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 42c835bad1e3cb58e239dfbf02a5e5deb96d530e27c7ec176d627c8e4291a0ea
Instruction ID: ad6a432cace2f572a8181cf6bfa31bbe5d5e9e31c6dd09aee477362ca0b1c5e7
Opcode Fuzzy Hash: 42c835bad1e3cb58e239dfbf02a5e5deb96d530e27c7ec176d627c8e4291a0ea
Instruction Fuzzy Hash: E5412C30504640BED7359F79A988B6A7BD1ABD5B18F14603DE24F76560C672E481C711

Function 00EC2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EC2D1B
GetDC.USER32(00000000), ref: 00EC2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EC2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00EC2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EC2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EC2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EC5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00EC2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EC2DE1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b63ab67f85c08d2e7f531a523bb49b5f28934ae0414265ad34507185d6d90794
Instruction ID: d9e5eb460eb366d4d89fb253c6330db421abd63cafde33c6752ec68e23680a46
Opcode Fuzzy Hash: b63ab67f85c08d2e7f531a523bb49b5f28934ae0414265ad34507185d6d90794
Instruction Fuzzy Hash: 1831A072201214BFEB114F51CD8AFEB3FADEF19715F144069FE09AA291C6769C42CBA1

Function 00E95622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00E95637
_memcmp.LIBVCRUNTIME ref: 00E95659
_memcmp.LIBVCRUNTIME ref: 00E95671
_memcmp.LIBVCRUNTIME ref: 00E95684
_memcmp.LIBVCRUNTIME ref: 00E9569E
_memcmp.LIBVCRUNTIME ref: 00E956B1
_memcmp.LIBVCRUNTIME ref: 00E956C9
_memcmp.LIBVCRUNTIME ref: 00E956E4

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e3d6169a187d823ba8bf1118bd365e622729dc18e29ac9ba480fc934b36b8f98
Instruction ID: d72b6c8c0fd9f4931492104dfafab0ecbd37869629d7aacf167f7816ee5d8dc5
Opcode Fuzzy Hash: e3d6169a187d823ba8bf1118bd365e622729dc18e29ac9ba480fc934b36b8f98
Instruction Fuzzy Hash: 7B21FC63741B0577DA155D209E92FFA739DAF10389F442025FD047A642F731EE1583A5

Function 00EB4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00EB5007
NULL Pointer assignment, xrefs: 00EB502E, 00EB5383

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 28b42ae0d3a0bf4abfa5688493e69ee49e15bde62a0c274a7402cef148aecbb7
Instruction ID: 16a89c6c1c6ef2f56b85ec73d6e52841311129f2928ec7909f7ffe2f5f8c5138
Opcode Fuzzy Hash: 28b42ae0d3a0bf4abfa5688493e69ee49e15bde62a0c274a7402cef148aecbb7
Instruction Fuzzy Hash: 6BD19C72A0060A9FDF14DFA8C880BEEB7B5BF48348F149469E915BB281E771DD45CB90

Function 00E71522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00E717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00E715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E71651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00E717FB,?,00E717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E716FB

Part of subcall function 00E63820: RtlAllocateHeap.NTDLL(00000000,?,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6,?,00E31129), ref: 00E63852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00E717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00E71777
__freea.LIBCMT ref: 00E717A2
__freea.LIBCMT ref: 00E717AE

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 4ca92328f648dffcc5e7df58c2ea4de41129468c0425c86f594d4ba0eafa7ab2
Instruction ID: bd66a3c1d031734d10b0b89820bd2405f4673e4a380107101934d932fc85ae6c
Opcode Fuzzy Hash: 4ca92328f648dffcc5e7df58c2ea4de41129468c0425c86f594d4ba0eafa7ab2
Instruction Fuzzy Hash: 8191D571E003069EDB288EBCC841AEE7BF5AF45754F18A599E809F7180D735DC44C7A0

Function 00EB4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EB4648
VariantInit.OLEAUT32(?), ref: 00EB4749
VariantClear.OLEAUT32(?), ref: 00EB4753
VariantClear.OLEAUT32(?), ref: 00EB47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00EB45D8, 00EB4706, 00EB47BE
Incorrect Object type in FOR..IN loop, xrefs: 00EB472C

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 26c3492949f08df47474d20db1a018bfc8f47fe047f7c1a2be766d902aee4ff4
Instruction ID: bc545f3a104bec2403026d9aefa5d87141439fbf904ebcf03e32d2d23d5745fd
Opcode Fuzzy Hash: 26c3492949f08df47474d20db1a018bfc8f47fe047f7c1a2be766d902aee4ff4
Instruction Fuzzy Hash: B09192B1A00219ABDF24CFA5C844FEF7BB8EF46714F10955AF505BB282D7709945CBA0

Function 00EA1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00EA125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00EA1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00EA12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EA12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EA135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EA13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00EA1430

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: c4bb9075148581f322df81120decf8da94a92339250a474efd32451754800e8e
Instruction ID: 00e98595f4c4f8ba7ca951b57b7c397104898950a940242d7fe932800615cc51
Opcode Fuzzy Hash: c4bb9075148581f322df81120decf8da94a92339250a474efd32451754800e8e
Instruction Fuzzy Hash: 7191CF71A00208AFDB049FA8C884BBEB7B5FF4A715F105069E951FB291D774E945CB90

Function 00E4948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6f82d9e3f4a68ca1ca2c452874c9c6feaa7c79bc1d53787c0e07d9ed4c1804f1
Instruction ID: 284eb5d3886a00fcb3018109f5fe3ce97aaee497aa1715aef60e37590f254ed8
Opcode Fuzzy Hash: 6f82d9e3f4a68ca1ca2c452874c9c6feaa7c79bc1d53787c0e07d9ed4c1804f1
Instruction Fuzzy Hash: C2914971D00219EFCB10CFA9DC84AEEBBB8FF49324F245159E519B7252D379A942CB60

Function 00EB3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EB396B
CharUpperBuffW.USER32(?,?), ref: 00EB3A7A
_wcslen.LIBCMT ref: 00EB3A8A
VariantClear.OLEAUT32(?), ref: 00EB3C1F

Part of subcall function 00EA0CDF: VariantInit.OLEAUT32(00000000), ref: 00EA0D1F
Part of subcall function 00EA0CDF: VariantCopy.OLEAUT32(?,?), ref: 00EA0D28
Part of subcall function 00EA0CDF: VariantClear.OLEAUT32(?), ref: 00EA0D34

Strings

Incorrect Parameter format, xrefs: 00EB39A6, 00EB3BA1
AUTOIT.ERROR, xrefs: 00EB3A80, 00EB3A85

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 1f74434c486d2fcf0380da9baa42ed1d061a3353b8aa0109db9ab66e7619c31d
Instruction ID: 444142944e29ff71c92f13e0c5ce85c87e0caeb9b61e65cab3011f78cd69e2af
Opcode Fuzzy Hash: 1f74434c486d2fcf0380da9baa42ed1d061a3353b8aa0109db9ab66e7619c31d
Instruction Fuzzy Hash: ED9157756083059FCB04DF28C4859AABBE5FF88314F14982DF889AB351DB31EE45CB92

Function 00EB4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00E9000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?,?,00E9035E), ref: 00E9002B
Part of subcall function 00E9000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?), ref: 00E90046
Part of subcall function 00E9000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?), ref: 00E90054
Part of subcall function 00E9000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?), ref: 00E90064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00EB4C51
_wcslen.LIBCMT ref: 00EB4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00EB4DCF
CoTaskMemFree.OLE32(?), ref: 00EB4DDA

Strings

NULL Pointer assignment, xrefs: 00EB4E23, 00EB4E52

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: bd5460dc49a65981bb48a211bb83a6abbe423d9673b3042e9db607b34239d088
Instruction ID: 2d746c27052478840562c88a1ae9e89694559e7d11fa5828a6a24d733f3928e5
Opcode Fuzzy Hash: bd5460dc49a65981bb48a211bb83a6abbe423d9673b3042e9db607b34239d088
Instruction Fuzzy Hash: 679128B1D0021DAFDF14DFA4C885AEEBBB8BF48314F105169E915BB291DB709A45CF60

Function 00EC20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00EC2183
GetMenuItemCount.USER32(00000000), ref: 00EC21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EC21DD
_wcslen.LIBCMT ref: 00EC2213
GetMenuItemID.USER32(?,?), ref: 00EC224D
GetSubMenu.USER32(?,?), ref: 00EC225B

Part of subcall function 00E93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E93A57
Part of subcall function 00E93A3D: GetCurrentThreadId.KERNEL32 ref: 00E93A5E
Part of subcall function 00E93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E925B3), ref: 00E93A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EC22E3

Part of subcall function 00E9E97B: Sleep.KERNELBASE ref: 00E9E9F3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a99aabf5ab04978b767b4569fb5c283fb0a309ad20b71cc4d6af773ce1af3090
Instruction ID: 20558e5e328eb67883336309d132356bb171fc36f85e3962d0c8cda2177c64e4
Opcode Fuzzy Hash: a99aabf5ab04978b767b4569fb5c283fb0a309ad20b71cc4d6af773ce1af3090
Instruction Fuzzy Hash: 66719D75A00205AFCB14EF64C945EAEBBF1EF48324F14946CE916BB351D736ED428B90

Function 00EC7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(009F52A8), ref: 00EC7F37
IsWindowEnabled.USER32(009F52A8), ref: 00EC7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00EC801E
SendMessageW.USER32(009F52A8,000000B0,?,?), ref: 00EC8051
IsDlgButtonChecked.USER32(?,?), ref: 00EC8089
GetWindowLongW.USER32(009F52A8,000000EC), ref: 00EC80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EC80C3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 6696c4e1285aa5f7d70e419c36e42d2171a670cf5f3ea74867c70f9768202a6b
Instruction ID: 036dac362224d6f3cd4b2cc0886c60b8e88387e1da3766dcaa2ad85c0b6f3ead
Opcode Fuzzy Hash: 6696c4e1285aa5f7d70e419c36e42d2171a670cf5f3ea74867c70f9768202a6b
Instruction Fuzzy Hash: F1718C34608244AFEB219F64CAD5FAABBB5FF09344F14505DE985A7261CB32A846DF10

Function 00E9AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E9AEF9
GetKeyboardState.USER32(?), ref: 00E9AF0E
SetKeyboardState.USER32(?), ref: 00E9AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00E9AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00E9AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00E9AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E9B020

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1b34bbe3aca3d75d7b27d5930aa1886dbe2088ca9c35188b2b8bb652362de3be
Instruction ID: 2ccec73306498dd03474ba0aba2f3b8ce7259050cce2e3def54d014e6b1be014
Opcode Fuzzy Hash: 1b34bbe3aca3d75d7b27d5930aa1886dbe2088ca9c35188b2b8bb652362de3be
Instruction Fuzzy Hash: 2D51E0A0A047D57DFF364234CC49BBABEE95F06308F0C9499E1D9658C2C399A8C8D791

Function 00E9ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00E9AD19
GetKeyboardState.USER32(?), ref: 00E9AD2E
SetKeyboardState.USER32(?), ref: 00E9AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E9ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E9ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E9AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E9AE38

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 510fcbc4d0b42d85ceafc2e6f9a886d50c769f99a76d2c6350d81e6035d83dcf
Instruction ID: 38cea8bccadbae6067f01b590d58aac7338927a8e9c98f81be6fc658a943e4df
Opcode Fuzzy Hash: 510fcbc4d0b42d85ceafc2e6f9a886d50c769f99a76d2c6350d81e6035d83dcf
Instruction Fuzzy Hash: BC51D6A15047D53DFF3683348C55B7A7ED85F46308F0C94A9E1D5668C2D294ECC8D792

Function 00E6542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00E73CD6,?,?,?,?,?,?,?,?,00E65BA3,?,?,00E73CD6,?,?), ref: 00E65470
__fassign.LIBCMT ref: 00E654EB
__fassign.LIBCMT ref: 00E65506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00E73CD6,00000005,00000000,00000000), ref: 00E6552C
WriteFile.KERNEL32(?,00E73CD6,00000000,00E65BA3,00000000,?,?,?,?,?,?,?,?,?,00E65BA3,?), ref: 00E6554B
WriteFile.KERNEL32(?,?,00000001,00E65BA3,00000000,?,?,?,?,?,?,?,?,?,00E65BA3,?), ref: 00E65584

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3f438ebb3a24238bc99f9625a9d5651b258222108ab508e9b1626eaeac8d28c6
Instruction ID: c63017d89a7e1a8ea30a5719b0ef2a0583510cc2ac8a1079b905bf720fab1f00
Opcode Fuzzy Hash: 3f438ebb3a24238bc99f9625a9d5651b258222108ab508e9b1626eaeac8d28c6
Instruction Fuzzy Hash: D151B0B1A006499FDB10CFA8E845AEEBBF9EF48340F14515AF956F7291D6309A41CF60

Function 00EB10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EB307A
Part of subcall function 00EB304E: _wcslen.LIBCMT ref: 00EB309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00EB1112
WSAGetLastError.WSOCK32 ref: 00EB1121
WSAGetLastError.WSOCK32 ref: 00EB11C9
closesocket.WSOCK32(00000000), ref: 00EB11F9

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: bdb26e60dab64998d22583583d0903c30546bc64af0138bd458182851a92edb8
Instruction ID: a97be5ec2596e3335071a14f771a360b8d853bce6fa4c530c70adb140518a608
Opcode Fuzzy Hash: bdb26e60dab64998d22583583d0903c30546bc64af0138bd458182851a92edb8
Instruction Fuzzy Hash: A141F731600114AFDB109F28C895BEBBBE9EF45368F149099F909BB291C771ED45CBA0

Function 00E9CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E9CF22,?), ref: 00E9DDFD

Part of subcall function 00E9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E9CF22,?), ref: 00E9DE16

lstrcmpiW.KERNEL32(?,?), ref: 00E9CF45
MoveFileW.KERNEL32(?,?), ref: 00E9CF7F
_wcslen.LIBCMT ref: 00E9D005
_wcslen.LIBCMT ref: 00E9D01B
SHFileOperationW.SHELL32(?), ref: 00E9D061

Strings

\*.*, xrefs: 00E9CFF3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: d686890a99ca437c668d886542a4abf1c0ad23dee4c37e77784c9bd7f0797a32
Instruction ID: 6c2ef5bd6ac9d2b5941ac15940553144269d1c430a94e09924d7fe861ef72f0a
Opcode Fuzzy Hash: d686890a99ca437c668d886542a4abf1c0ad23dee4c37e77784c9bd7f0797a32
Instruction Fuzzy Hash: 614153719052189FDF16EBA4DD81ADEB7F9AF48380F1010E6E509FB142EB34A689CB50

Function 00EC2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00EC2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00EC2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00EC2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00EC2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00EC2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00EC2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC2F0B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7061c8a883aeb2b37c4e4fde1b4df02a23052405ab2febe57502d7c1b58ea7e0
Instruction ID: 09b0ddd4dec5109f3bdca4e3974d91c7759f13404089977223a733e271ece5e6
Opcode Fuzzy Hash: 7061c8a883aeb2b37c4e4fde1b4df02a23052405ab2febe57502d7c1b58ea7e0
Instruction Fuzzy Hash: 313106306041589FEB22DF59DE84FA937E1FB4AB14F151168FA04AF2B1CB72A846DB41

Function 00E97726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E97769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E9778F
SysAllocString.OLEAUT32(00000000), ref: 00E97792
SysAllocString.OLEAUT32(?), ref: 00E977B0
SysFreeString.OLEAUT32(?), ref: 00E977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00E977DE
SysAllocString.OLEAUT32(?), ref: 00E977EC

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1b698493f5ef6a44023f81f52eaf949b423ae4663ad80a7c0b5e384f189afb4c
Instruction ID: 91e4426c0deb8f854711b4a9b475628bd11774839a88e9c9ad2d186de683d5c0
Opcode Fuzzy Hash: 1b698493f5ef6a44023f81f52eaf949b423ae4663ad80a7c0b5e384f189afb4c
Instruction Fuzzy Hash: 0921B276604219AFDF10DFA9DC88CBB73ACFB097657148026F954EB250D670DC8AC760

Function 00E977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E97842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E97868
SysAllocString.OLEAUT32(00000000), ref: 00E9786B
SysAllocString.OLEAUT32 ref: 00E9788C
SysFreeString.OLEAUT32 ref: 00E97895
StringFromGUID2.OLE32(?,?,00000028), ref: 00E978AF
SysAllocString.OLEAUT32(?), ref: 00E978BD

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 8a7ac092118275d90f6ead81d45aab76d91d656c0fa853804447bd9ade6e42c6
Instruction ID: dd4e3beb8a1827a6b2023bee508af9ae43ed301a57071a02215331ba1ede2101
Opcode Fuzzy Hash: 8a7ac092118275d90f6ead81d45aab76d91d656c0fa853804447bd9ade6e42c6
Instruction Fuzzy Hash: DB21C131608214AFDF249FA9DC88DAA77FCFB087607148025F954EB2A0D670DC4ACB64

Function 00EA04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00EA04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EA052E

Strings

nul, xrefs: 00EA0567

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 60da6f98c276b99e06e6a5b16d6ed89bad8c389c40eea6dd5d8f89102ce33cee
Instruction ID: 5ef26b28c7d9e76297eb3eb7caa3022be17a5c2315eec82f472db201c89fc3ea
Opcode Fuzzy Hash: 60da6f98c276b99e06e6a5b16d6ed89bad8c389c40eea6dd5d8f89102ce33cee
Instruction Fuzzy Hash: 672171719003059FDB309F69DC44A9A7BB4AF4A768F204A29E8A1FA1E0D770A955CF20

Function 00EA05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EA05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EA0601

Strings

nul, xrefs: 00EA0639

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2c4246df99ed70e95c3efce9d749b9e896b992146422f963a149cb9b0bf4cfeb
Instruction ID: 48ab17f15e78600d6ff0e8d2474a73108cdebfb965f78164ec6cdd1e3c559036
Opcode Fuzzy Hash: 2c4246df99ed70e95c3efce9d749b9e896b992146422f963a149cb9b0bf4cfeb
Instruction Fuzzy Hash: 832181755003059FDB209F699C04E9A77E4BFDA728F201A19F9A1FB2E0E771A865CB10

Function 00EC40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E3604C
Part of subcall function 00E3600E: GetStockObject.GDI32(00000011), ref: 00E36060
Part of subcall function 00E3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E3606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EC4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EC411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EC412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EC4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EC4145

Strings

Msctls_Progress32, xrefs: 00EC40E3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d2203443568f5fd6030501eff8e2bb248556edbeb357562ddb36bc5940ed61f2
Instruction ID: 098f204e634c71fbe527ba01c3560f81c78dfe327f4de00a3df64c68a0e95c76
Opcode Fuzzy Hash: d2203443568f5fd6030501eff8e2bb248556edbeb357562ddb36bc5940ed61f2
Instruction Fuzzy Hash: 1F1190B214021DBEEF218F64CC86EE77F9DEF08798F005111FA58A2090C6729C22DBA4

Function 00E6D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E6D7A3: _free.LIBCMT ref: 00E6D7CC

_free.LIBCMT ref: 00E6D82D

Part of subcall function 00E629C8: HeapFree.KERNEL32(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0

_free.LIBCMT ref: 00E6D838
_free.LIBCMT ref: 00E6D843
_free.LIBCMT ref: 00E6D897
_free.LIBCMT ref: 00E6D8A2
_free.LIBCMT ref: 00E6D8AD
_free.LIBCMT ref: 00E6D8B8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c963f67a7a7dd32964fa16e372d55ad4e090c8b1622c5491a7bed9ab473a886f
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D1115171BC4B04AAD521BFB0EC47FCB7BDC6F80780F84182AB299B6092DA65B5054751

Function 00E9DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E9DA74
LoadStringW.USER32(00000000), ref: 00E9DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E9DA91
LoadStringW.USER32(00000000), ref: 00E9DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E9DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E9DAB9

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 0e1bd1640be48c3430c4b7825b2067ee597019de731f4d842e34678c13c9e3e3
Instruction ID: 837603f1b35f851bb820cf2422b486b76e6879ef5e26854255de50ad689b3ffb
Opcode Fuzzy Hash: 0e1bd1640be48c3430c4b7825b2067ee597019de731f4d842e34678c13c9e3e3
Instruction Fuzzy Hash: 8D0186F25002087FEB10ABA59D89EF7736CE708701F5014A6F75AF2041EA759E898F74

Function 00EA096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(009EE778,009EE778), ref: 00EA097B
EnterCriticalSection.KERNEL32(009EE758,00000000), ref: 00EA098D
TerminateThread.KERNEL32(?,000001F6), ref: 00EA099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00EA09A9
CloseHandle.KERNEL32(?), ref: 00EA09B8
InterlockedExchange.KERNEL32(009EE778,000001F6), ref: 00EA09C8
LeaveCriticalSection.KERNEL32(009EE758), ref: 00EA09CF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a90852645e8362b629c859448c6bb53757190fac27014afb051506615d28d25d
Instruction ID: d7b4990389ab3412fa6c3d6e5dfd8decdaecbad81734bab78d3f8fe8f1d87d09
Opcode Fuzzy Hash: a90852645e8362b629c859448c6bb53757190fac27014afb051506615d28d25d
Instruction Fuzzy Hash: DEF01D31442902AFD7455B95EE88EDABA35FF45702F502025F105648B1C776A46ACF90

Function 00EB1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00EB1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00EB1DE1
WSAGetLastError.WSOCK32 ref: 00EB1DF2
htons.WSOCK32(?,?,?,?,?), ref: 00EB1EDB
inet_ntoa.WSOCK32(?), ref: 00EB1E8C

Part of subcall function 00E939E8: _strlen.LIBCMT ref: 00E939F2

Part of subcall function 00EB3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00EAEC0C), ref: 00EB3240

_strlen.LIBCMT ref: 00EB1F35

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 85c2938b59fe8cec7c19aa5de808e120b5a13fb3d2df5eb0408df2914e5b5ee0
Instruction ID: d4ff02aa08cb61aef4a7777f73e5a78678853f516b104d0565e354331b4114a3
Opcode Fuzzy Hash: 85c2938b59fe8cec7c19aa5de808e120b5a13fb3d2df5eb0408df2914e5b5ee0
Instruction Fuzzy Hash: DDB1C331204340AFC324DF24C895E6B7BE5AF84328F94A59CF5566B2A2CB71ED46CB91

Function 00E35D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00E35D30
GetWindowRect.USER32(?,?), ref: 00E35D71
ScreenToClient.USER32(?,?), ref: 00E35D99
GetClientRect.USER32(?,?), ref: 00E35ED7
GetWindowRect.USER32(?,?), ref: 00E35EF8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: b5567c50d87188dc7cc31783bb4e0d71b30bebd32f969139141abebe7f8225a2
Instruction ID: d3d0a9e2fc45546a0a340b1323768eae83a1c21538686a00e2741f65c7afcdf3
Opcode Fuzzy Hash: b5567c50d87188dc7cc31783bb4e0d71b30bebd32f969139141abebe7f8225a2
Instruction Fuzzy Hash: 89B19B75A0074ADBDB14CFA9C4447EEBBF1FF48314F14A41AE8A9E7290DB34AA51CB50

Function 00E601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00E600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E600D6
__allrem.LIBCMT ref: 00E600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E6010B
__allrem.LIBCMT ref: 00E60122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E60140

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 63368fdb48be8acef606cf7d681cded79f5006e645e78cc2c63fc970b4387fd3
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 41813772B407169BE7249F28DC41B6B73E9AF413A4F24693EF451F7682E770D9008750

Function 00E661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00E582D9,00E582D9,?,?,?,00E6644F,00000001,00000001,?), ref: 00E66258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E6644F,00000001,00000001,?,?,?,?), ref: 00E662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E663D8
__freea.LIBCMT ref: 00E663E5

Part of subcall function 00E63820: RtlAllocateHeap.NTDLL(00000000,?,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6,?,00E31129), ref: 00E63852

__freea.LIBCMT ref: 00E663EE
__freea.LIBCMT ref: 00E66413

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: ae009057f66604e2b65ca64405614fc1e9063ac96dcbd329e8a321509125d795
Instruction ID: 39ddce9b61ab7b5bb6626d9cf90e881a1be1146dc7e8630bc515be0060c51566
Opcode Fuzzy Hash: ae009057f66604e2b65ca64405614fc1e9063ac96dcbd329e8a321509125d795
Instruction Fuzzy Hash: 825104726A0206AFDB258F64EC81EAF77A9EF94794F245229FC15F6250DB34DC40C660

Function 00EBBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Part of subcall function 00EBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBB6AE,?,?), ref: 00EBC9B5
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBC9F1
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA68
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EBBD25
RegCloseKey.ADVAPI32(00000000), ref: 00EBBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EBBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EBBDF3
RegCloseKey.ADVAPI32(?), ref: 00EBBDFF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d8887ef0712870f3bfd59fe671e8261384f7f42a6cdbc642d344cb8e973e9ea5
Instruction ID: 775a2bb70a66d5060593494b215faf1d293418ab52b6f4d740c3de809c455a05
Opcode Fuzzy Hash: d8887ef0712870f3bfd59fe671e8261384f7f42a6cdbc642d344cb8e973e9ea5
Instruction Fuzzy Hash: 0B81A030208241AFD714DF24C895E6BBBE5FF84308F14996CF4996B2A2DB71ED45CB92

Function 00E8F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00E8F7B9
SysAllocString.OLEAUT32(00000001), ref: 00E8F860
VariantCopy.OLEAUT32(00E8FA64,00000000), ref: 00E8F889
VariantClear.OLEAUT32(00E8FA64), ref: 00E8F8AD
VariantCopy.OLEAUT32(00E8FA64,00000000), ref: 00E8F8B1
VariantClear.OLEAUT32(?), ref: 00E8F8BB

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: fa5977f459eb7fb36aacfdf96eef7219e6bc63dbb60c87814fc879aaf263d83f
Instruction ID: d63e1aabb50eba51cdedfb6e6e733baa915d00cfecf37e7ce9851ff479836065
Opcode Fuzzy Hash: fa5977f459eb7fb36aacfdf96eef7219e6bc63dbb60c87814fc879aaf263d83f
Instruction Fuzzy Hash: A751B631640310BACF14BBA5D895B69B3E9EF85714F24B466E90EFF292DB708C40C766

Function 00EA910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00E37620: _wcslen.LIBCMT ref: 00E37625

Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00EA94E5
_wcslen.LIBCMT ref: 00EA9506
_wcslen.LIBCMT ref: 00EA952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00EA9585

Strings

X, xrefs: 00EA9412

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: e856ef2adb0aa786b0037cf8f48244c91e2f571485a3ca48f617f314a76cc555
Instruction ID: 475ed8a62f5033da069b69d9adfeb26a093d659a7ef08a8d2edf9293e6e3afae
Opcode Fuzzy Hash: e856ef2adb0aa786b0037cf8f48244c91e2f571485a3ca48f617f314a76cc555
Instruction Fuzzy Hash: 11E1A2715083009FC724DF24C485B6ABBE4FF89314F15996DF899AB2A2DB31ED05CB92

Function 00E4920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2

BeginPaint.USER32(?,?,?), ref: 00E49241
GetWindowRect.USER32(?,?), ref: 00E492A5
ScreenToClient.USER32(?,?), ref: 00E492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E492D3
EndPaint.USER32(?,?,?,?,?), ref: 00E49321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00E871EA

Part of subcall function 00E49339: BeginPath.GDI32(00000000), ref: 00E49357

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: a23d44bb093ba1b860625393a076f52ce4703c7c6f93c8e277ee89f900ebbc66
Instruction ID: 436ac6efd50349c79fd3882d7c173e4ef751a6a24ad157ede92b9f99e94f8419
Opcode Fuzzy Hash: a23d44bb093ba1b860625393a076f52ce4703c7c6f93c8e277ee89f900ebbc66
Instruction Fuzzy Hash: A6419130105200AFD721DF25EC88FAB7BF8FB46724F140269F998A72E2C7719845DB61

Function 00EA07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00EA080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00EA0847
EnterCriticalSection.KERNEL32(?), ref: 00EA0863
LeaveCriticalSection.KERNEL32(?), ref: 00EA08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00EA08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EA0921

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 728781aa8e44a0a2f7d16e5a2d9f12e61c69f16693f32d99af49d51b4573f80f
Instruction ID: 9d44ca4435cf5ef65b51ac088983c83afe7592f5d4c9e1b27c76ce43d67181bc
Opcode Fuzzy Hash: 728781aa8e44a0a2f7d16e5a2d9f12e61c69f16693f32d99af49d51b4573f80f
Instruction Fuzzy Hash: 78419A31900205EFDF04AF54DC85AAAB7B8FF48310F1440A9ED04AE296DB31EE65CBA4

Function 00EC81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00E8F3AB,00000000,?,?,00000000,?,00E8682C,00000004,00000000,00000000), ref: 00EC824C
EnableWindow.USER32(?,00000000), ref: 00EC8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00EC82D1
ShowWindow.USER32(?,00000004), ref: 00EC82E5
EnableWindow.USER32(?,00000001), ref: 00EC830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00EC832F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 11443f68715e13636f9934e2343d4cd9eea4fbe772bf1572712f7948f2f56087
Instruction ID: 7a61062553431b7de82c0166eae931c9c5d11e235ec43ac87e5d85790a953b7b
Opcode Fuzzy Hash: 11443f68715e13636f9934e2343d4cd9eea4fbe772bf1572712f7948f2f56087
Instruction Fuzzy Hash: 50418334601644EFDB15CF25CB99FA47BE0FB0A718F18616DE5486B272CB33A846CB50

Function 00E94C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E94C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E94CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E94CEA
_wcslen.LIBCMT ref: 00E94D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E94D10
_wcsstr.LIBVCRUNTIME ref: 00E94D1A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 1bc17b88f5ef64bc7c844f41ac4fe8f98d466a5e156cf1c0af47ebdfcdbcf732
Instruction ID: 586563ff742310c00086866242e6e9a875406ac5b700dde1517bac0970a7933e
Opcode Fuzzy Hash: 1bc17b88f5ef64bc7c844f41ac4fe8f98d466a5e156cf1c0af47ebdfcdbcf732
Instruction Fuzzy Hash: 392129B52042007FEF155B35AD09E7B7BDCDF45B54F105039F809EA1D1EA61DC0282A1

Function 00EA581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E33A97,?,?,00E32E7F,?,?,?,00000000), ref: 00E33AC2

_wcslen.LIBCMT ref: 00EA587B
CoInitialize.OLE32(00000000), ref: 00EA5995
CoCreateInstance.OLE32(00ECFCF8,00000000,00000001,00ECFB68,?), ref: 00EA59AE
CoUninitialize.OLE32 ref: 00EA59CC

Strings

.lnk, xrefs: 00EA5876, 00EA58C1, 00EA5985

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 0193b173e15accb13a101b8aba30c819b131af6bd8746f87919e9ead444591c5
Instruction ID: 5199cd9027dd70fa7e937d15d2f27f159c29fa245531f5b2b429bcdffcf926f5
Opcode Fuzzy Hash: 0193b173e15accb13a101b8aba30c819b131af6bd8746f87919e9ead444591c5
Instruction Fuzzy Hash: 0ED174766087019FC714DF25C484A2ABBE2FF8A714F14985DF889AB361DB31EC45CB92

Function 00E9175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E90FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E90FCA
Part of subcall function 00E90FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E90FD6
Part of subcall function 00E90FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E90FE5
Part of subcall function 00E90FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E90FEC
Part of subcall function 00E90FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E91002

GetLengthSid.ADVAPI32(?,00000000,00E91335), ref: 00E917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E917BA
HeapAlloc.KERNEL32(00000000), ref: 00E917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00E917DA
GetProcessHeap.KERNEL32(00000000,00000000,00E91335), ref: 00E917EE
HeapFree.KERNEL32(00000000), ref: 00E917F5

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 5c979a85dbdaecd456216af2fb9d24d2592086636eca9f0fd56e0a641485b81e
Instruction ID: b05ea7ca30c4fd50e150e7aee1d789ed10a429cbf624849bb245ec4b383b5e18
Opcode Fuzzy Hash: 5c979a85dbdaecd456216af2fb9d24d2592086636eca9f0fd56e0a641485b81e
Instruction Fuzzy Hash: E811AC32605206FFDF109FA6CC49FAE7BB9EB42359F244069F445B7220C736A945CB60

Function 00E914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00E91506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E91515
CloseHandle.KERNEL32(00000004), ref: 00E91520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E9154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00E91563

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 8b2df1a46d3bf8c63919fcc0044983480a553f41a3a637c8c1181f683d9672f0
Instruction ID: 3a0db22b74ba379187766778a039d54e52c8e2c1a42980c9975144d86ed3a1f8
Opcode Fuzzy Hash: 8b2df1a46d3bf8c63919fcc0044983480a553f41a3a637c8c1181f683d9672f0
Instruction Fuzzy Hash: 21114A7250020AAFDF118FA8DD49FDE7BA9FB48748F154065FA05B2060C3768E659B60

Function 00E53382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E53379,00E52FE5), ref: 00E53390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E5339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E533B7
SetLastError.KERNEL32(00000000,?,00E53379,00E52FE5), ref: 00E53409

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b92c59250c70f7e22a9c38179f6b24bea3b766efa4de19ff568e76014dfab72e
Instruction ID: 17b772a1560e8816307b53a2fef1110cc0e7ef9983b665f5dcbacec0a63388f3
Opcode Fuzzy Hash: b92c59250c70f7e22a9c38179f6b24bea3b766efa4de19ff568e76014dfab72e
Instruction Fuzzy Hash: B8016832608311BEE61527757C819A62A84DB413FF330263DFD20B51F0EF514D0F9148

Function 00E62D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E65686,00E73CD6,?,00000000,?,00E65B6A,?,?,?,?,?,00E5E6D1,?,00EF8A48), ref: 00E62D78
_free.LIBCMT ref: 00E62DAB
_free.LIBCMT ref: 00E62DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00E5E6D1,?,00EF8A48,00000010,00E34F4A,?,?,00000000,00E73CD6), ref: 00E62DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00E5E6D1,?,00EF8A48,00000010,00E34F4A,?,?,00000000,00E73CD6), ref: 00E62DEC
_abort.LIBCMT ref: 00E62DF2

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a5984ee8e0a24144333e4e5b3602a4519df58d095c6033e3d8179e32b11b0320
Instruction ID: 782a2eb45af4f8b51dfc58387f8f3fda7b654bb72a738c9b0e23114148d03bad
Opcode Fuzzy Hash: a5984ee8e0a24144333e4e5b3602a4519df58d095c6033e3d8179e32b11b0320
Instruction Fuzzy Hash: 38F0CD315C5E012BC2122739BC16E5E1599AFC17E5F35241CFA28B21D1DF258C065260

Function 00EC8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E49693
Part of subcall function 00E49639: SelectObject.GDI32(?,00000000), ref: 00E496A2
Part of subcall function 00E49639: BeginPath.GDI32(?), ref: 00E496B9
Part of subcall function 00E49639: SelectObject.GDI32(?,00000000), ref: 00E496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00EC8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00EC8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00EC8A70
LineTo.GDI32(?,00000000,00000003), ref: 00EC8A80
EndPath.GDI32(?), ref: 00EC8A90
StrokePath.GDI32(?), ref: 00EC8AA0

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: b1b257498af01b67f7f982db335862763baa99af260f8780e00f769d508e894e
Instruction ID: 2776b670ef6f41380dcd0ec9ff0ae81a2e469e67e65378cd6d4ac0bff98bf58a
Opcode Fuzzy Hash: b1b257498af01b67f7f982db335862763baa99af260f8780e00f769d508e894e
Instruction Fuzzy Hash: EF11397200010CFFDB129F91DC88EAA7F6CEB08354F008026FA49AA1A1C7729D56DFA0

Function 00E951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E95218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E95229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E95230
ReleaseDC.USER32(00000000,00000000), ref: 00E95238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E9524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00E95261

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 928bd6b962fb8a5880fb4d840a3deb74040ee20aac4eb9c57a8a94e792354e34
Instruction ID: c25ee15c4d86797a935f4a2e1839ad87292b48ec4c48835700159e196f389af9
Opcode Fuzzy Hash: 928bd6b962fb8a5880fb4d840a3deb74040ee20aac4eb9c57a8a94e792354e34
Instruction Fuzzy Hash: E5018475A01B04BFEF105BA69C49E4EBFB8EB44751F144066FA08B7390D6719805CBA0

Function 00E31BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E31BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E31BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E31C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E31C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E31C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E31C22

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 39c384275fc3caefc3e5eb46b202ae5a27697c09b80fa9dde2004be7ec0119a0
Instruction ID: 44f7e68481842899474b5a5d31b0891679cc914349d2fe26949322aa7bf2d4fc
Opcode Fuzzy Hash: 39c384275fc3caefc3e5eb46b202ae5a27697c09b80fa9dde2004be7ec0119a0
Instruction Fuzzy Hash: B7016CB09027597DE3008F5A8C85B52FFA8FF19754F00411BD15C47A41C7F5A864CBE5

Function 00E9EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E9EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E9EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00E9EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E9EB75

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 73e6650a02580f198dfab94c6325e628ebfeea2a66d32a553362ed2eba72307c
Instruction ID: a4017b9f6456160da27a217bd466339b80eb1aacf0e0ed8a0fb6decf93163d37
Opcode Fuzzy Hash: 73e6650a02580f198dfab94c6325e628ebfeea2a66d32a553362ed2eba72307c
Instruction Fuzzy Hash: 98F09A72601158BFE7205B639C0EEEF3A7CEFCAF15F100168F605E1090E7A21A06C6B5

Function 00E87439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00E87452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00E87469
GetWindowDC.USER32(?), ref: 00E87475
GetPixel.GDI32(00000000,?,?), ref: 00E87484
ReleaseDC.USER32(?,00000000), ref: 00E87496
GetSysColor.USER32(00000005), ref: 00E874B0

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: d407f3f0fc91cf9173c6e3433a3118b03c9456e8f63d35de1e1bce6adf0547ad
Instruction ID: e5435bc343f2956f31ef2d4ae2248fb5aeaf291a30677c7b40d2bd39d850f579
Opcode Fuzzy Hash: d407f3f0fc91cf9173c6e3433a3118b03c9456e8f63d35de1e1bce6adf0547ad
Instruction Fuzzy Hash: AC018B31400215EFDB10AFA5DC08FEA7BB5FB04311F240060FD6DB21A1CB321E46AB51

Function 00E91874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E9187F
UnloadUserProfile.USERENV(?,?), ref: 00E9188B
CloseHandle.KERNEL32(?), ref: 00E91894
CloseHandle.KERNEL32(?), ref: 00E9189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00E918A5
HeapFree.KERNEL32(00000000), ref: 00E918AC

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9d327459e92336cf49fb4311cdc79806c61b8b0b65f2a73b00b371ab59c9f816
Instruction ID: 4ea46741e674fd5d9ecba58dcd9816b1340003afa6d7c686b71a97e210c99fe7
Opcode Fuzzy Hash: 9d327459e92336cf49fb4311cdc79806c61b8b0b65f2a73b00b371ab59c9f816
Instruction Fuzzy Hash: 68E0C236404501BFDB015BA7ED0CD0ABB39FB49B22B208231F229A1471CB339466DB50

Function 00EB7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00E50242: EnterCriticalSection.KERNEL32(00F0070C,00F01884,?,?,00E4198B,00F02518,?,?,?,00E312F9,00000000), ref: 00E5024D
Part of subcall function 00E50242: LeaveCriticalSection.KERNEL32(00F0070C,?,00E4198B,00F02518,?,?,?,00E312F9,00000000), ref: 00E5028A

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Part of subcall function 00E500A3: __onexit.LIBCMT ref: 00E500A9

__Init_thread_footer.LIBCMT ref: 00EB7BFB

Part of subcall function 00E501F8: EnterCriticalSection.KERNEL32(00F0070C,?,?,00E48747,00F02514), ref: 00E50202
Part of subcall function 00E501F8: LeaveCriticalSection.KERNEL32(00F0070C,?,00E48747,00F02514), ref: 00E50235

Strings

+T, xrefs: 00EB7E2E
5, xrefs: 00EB7C78
Variable must be of type 'Object'., xrefs: 00EB7C3A
G, xrefs: 00EB7C7F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T$5$G$Variable must be of type 'Object'.
API String ID: 535116098-4125810065
Opcode ID: 6b83785220804024b460e7fa701de8ff37ebb57edde2fa372a1ff0a82cbd165c
Instruction ID: 804eb39618a16963ac8f2170361afa1b72c6e6229e98a5b670ffd924957fd6ba
Opcode Fuzzy Hash: 6b83785220804024b460e7fa701de8ff37ebb57edde2fa372a1ff0a82cbd165c
Instruction Fuzzy Hash: E291AC70A04209AFCB14EF54D881DEEBBB1BF89304F14905DF886BB692DB31AE41DB51

Function 00E9C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E37620: _wcslen.LIBCMT ref: 00E37625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E9C6EE
_wcslen.LIBCMT ref: 00E9C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E9C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E9C7CA

Strings

0, xrefs: 00E9C6AF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c1231750f5f34c34b15e110011b58fa80fb65444ef3ba4a2f8e0ecbb8d68b314
Instruction ID: a8b5d23f23e3ec9c6a60ebe03174c24754a5029abd66c019be77e114fcc94a91
Opcode Fuzzy Hash: c1231750f5f34c34b15e110011b58fa80fb65444ef3ba4a2f8e0ecbb8d68b314
Instruction Fuzzy Hash: 8D5101716043009BDB14AF78C885BABB7E4AF89718F242A2EF995F31D1DB70D844DB52

Function 00EBAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00EBAEA3

Part of subcall function 00E37620: _wcslen.LIBCMT ref: 00E37625

GetProcessId.KERNEL32(00000000), ref: 00EBAF38
CloseHandle.KERNEL32(00000000), ref: 00EBAF67

Strings

@, xrefs: 00EBAE72
<, xrefs: 00EBAE6B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: a32e2f89e08863dc62ef40a3b3293a437b8eef21011ea2ea3720c743a78ef1ca
Instruction ID: d3ee41e7a9866cc533b0021c8c81e84e4bbe3694a1d806244564874498fa5436
Opcode Fuzzy Hash: a32e2f89e08863dc62ef40a3b3293a437b8eef21011ea2ea3720c743a78ef1ca
Instruction Fuzzy Hash: BE716571A00219DFCF14DF54C488A9EBBF1AF08314F0894A9E856BB262CB75ED85CB91

Function 00E9719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E97206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E9723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E9724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E972CF

Strings

DllGetClassObject, xrefs: 00E97242

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 15364708f04dbd8018f44c0ffec9e8bd9e785cc708f0723678af48de6655a3a2
Instruction ID: 0e2a1bc51939ef59085c30aa4badecbd4ad55e44d005902e1f3eed27ff37c9bd
Opcode Fuzzy Hash: 15364708f04dbd8018f44c0ffec9e8bd9e785cc708f0723678af48de6655a3a2
Instruction Fuzzy Hash: DC41BEB1624204EFDF15CF54C884A9A7BB9EF44700F2490A9FD49AF21AD7B1DD09CBA0

Function 00EC3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC3E35
IsMenu.USER32(?), ref: 00EC3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EC3E92
DrawMenuBar.USER32 ref: 00EC3EA5

Strings

0, xrefs: 00EC3D89

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 01b440bc3932eba94c69fb0406f4f1e27af8421973303d23c961e3fa7d059690
Instruction ID: ea49bf017d907119d10204594651271bb70ebe719f6be096d820960692416b12
Opcode Fuzzy Hash: 01b440bc3932eba94c69fb0406f4f1e27af8421973303d23c961e3fa7d059690
Instruction Fuzzy Hash: 60415975A00309AFDB10DF60D984EEABBB5FF49354F04912DE905A7250D732AE56CF60

Function 00E91DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E91E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E91E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00E91EA9

Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A

Strings

ComboBox, xrefs: 00E91DF0
ListBox, xrefs: 00E91E25

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 68837914a14b6c4d87908f3767a07ab41e7c2ebecb9357ff49fca957ffb6268b
Instruction ID: 4c0d18877a5a0fd8ca4ade6e5fbe317fd86f7e20e7dff7b0ecfb346e345eb6fe
Opcode Fuzzy Hash: 68837914a14b6c4d87908f3767a07ab41e7c2ebecb9357ff49fca957ffb6268b
Instruction Fuzzy Hash: 1121F375A00204BEDF14AB64DD4ACFFBBB8DF45364F106129F925B71E1DB75490AC620

Function 00EC2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EC2F8D
LoadLibraryW.KERNEL32(?), ref: 00EC2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EC2FA9
DestroyWindow.USER32(?), ref: 00EC2FB1

Strings

SysAnimate32, xrefs: 00EC2F68

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 4334a187da547784970e49c3faa564058ac91e91728a15ab0fb6bb8999f4611b
Instruction ID: 3c6a5d4a4c029f61379558204a5b0ed6798fa633923612282d4efa3f7fb935b3
Opcode Fuzzy Hash: 4334a187da547784970e49c3faa564058ac91e91728a15ab0fb6bb8999f4611b
Instruction Fuzzy Hash: 07219A71200249AFEB218F64DD80FBB77B9EB59368F10622CFA50F21A0D772DC529760

Function 00E54D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00E54D1E,00E628E9,(,00E54CBE,00000000,00EF88B8,0000000C,00E54E15,(,00000002), ref: 00E54D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E54DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00E54D1E,00E628E9,(,00E54CBE,00000000,00EF88B8,0000000C,00E54E15,(,00000002,00000000), ref: 00E54DC3

Strings

mscoree.dll, xrefs: 00E54D86
CorExitProcess, xrefs: 00E54D98

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7e86bcf980adf06b536c4ddafd4fa66722a1a5414c2aee7b545a6d0578c8c24e
Instruction ID: 6c7a08dbddb5cd68b30f331151325bf04cbca5d422e48e76cf3ba1413a23969f
Opcode Fuzzy Hash: 7e86bcf980adf06b536c4ddafd4fa66722a1a5414c2aee7b545a6d0578c8c24e
Instruction Fuzzy Hash: AEF0AF30A00208BFDB109F92DC09FAEBFB4EF44716F1400A5FC09B22A0CB31598ACB91

Function 00E34E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E34EDD,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E34EAE
FreeLibrary.KERNEL32(00000000,?,?,00E34EDD,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00E34EA8
kernel32.dll, xrefs: 00E34E94

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0e773d52db0f5524a2ceb94467463ba7aa172d9d6fc9a4d3607a462b790f3924
Instruction ID: 1320b2e5d9eb6334821d303835137106d48393034919958301510b875bc1b858
Opcode Fuzzy Hash: 0e773d52db0f5524a2ceb94467463ba7aa172d9d6fc9a4d3607a462b790f3924
Instruction Fuzzy Hash: 0BE08635A026225F922117276C1CF6B6964AF81B66B191125FD08F6150DB61DD0780A1

Function 00E34E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E73CDE,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E34E74
FreeLibrary.KERNEL32(00000000,?,?,00E73CDE,?,00F01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00E34E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00E34E6E
kernel32.dll, xrefs: 00E34E5B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c3ddc4b56d93559ede6de1bc426cad4da347576a20879e24c2a3d61cb38f28a8
Instruction ID: bb4bef91bd528c039ad1e06048ae0aa905cd8c7d79b0a9170a3a46e41fa586c4
Opcode Fuzzy Hash: c3ddc4b56d93559ede6de1bc426cad4da347576a20879e24c2a3d61cb38f28a8
Instruction Fuzzy Hash: C9D0C2329036215B47221B27AC0CEAB2E28AF81F153191524F908B6150CF22CD07C1D0

Function 00EA2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA2C05
DeleteFileW.KERNEL32(?), ref: 00EA2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EA2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EA2CC0

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 2161dbf747a350b939e25a4408a2c3ab91600aea43ae5ae0163598c5a93768e5
Instruction ID: 7b52d8aa12fd6c666260f2ee8cf0a548c9dedb07240765ea66761d5587d90436
Opcode Fuzzy Hash: 2161dbf747a350b939e25a4408a2c3ab91600aea43ae5ae0163598c5a93768e5
Instruction Fuzzy Hash: 13B16072D00119ABDF25DBA4CC85EDEBBBDEF09310F1050AAF609F6151EA31AA44CF61

Function 00EBA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00EBA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EBA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EBA468
CloseHandle.KERNEL32(?), ref: 00EBA63D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 93b1b1636a19865079a8eff46332a825a8cf3d9cc4fed255e598e9b34fa79d19
Instruction ID: 167c61f5de4218c13581b11b10d577dce9fa0619d12ae6ff9a999dd28e2df005
Opcode Fuzzy Hash: 93b1b1636a19865079a8eff46332a825a8cf3d9cc4fed255e598e9b34fa79d19
Instruction Fuzzy Hash: E7A1A471604300AFD720DF24D886F6AB7E5AF84714F18986DF59AAB292D770EC41CB92

Function 00E6BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00ED3700), ref: 00E6BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00F0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00E6BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00F01270,000000FF,?,0000003F,00000000,?), ref: 00E6BC36
_free.LIBCMT ref: 00E6BB7F

Part of subcall function 00E629C8: HeapFree.KERNEL32(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0

_free.LIBCMT ref: 00E6BD4B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 8b26456cfe07bb1b708ed6ad6c354100f87422ddc5d13491a6659f4c8bc39adb
Instruction ID: 727ae476e45e3f5fbaef47ef0c2a3fb2fe6d5e5c967730eccf308ac8f4618c3a
Opcode Fuzzy Hash: 8b26456cfe07bb1b708ed6ad6c354100f87422ddc5d13491a6659f4c8bc39adb
Instruction Fuzzy Hash: B851E871980209EFDB10EF65AC819AEB7FCFF80394B10526AE554F7291EB709E81DB50

Function 00E9E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E9CF22,?), ref: 00E9DDFD

Part of subcall function 00E9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E9CF22,?), ref: 00E9DE16

Part of subcall function 00E9E199: GetFileAttributesW.KERNEL32(?,00E9CF95), ref: 00E9E19A

lstrcmpiW.KERNEL32(?,?), ref: 00E9E473
MoveFileW.KERNEL32(?,?), ref: 00E9E4AC
_wcslen.LIBCMT ref: 00E9E5EB
_wcslen.LIBCMT ref: 00E9E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00E9E650

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d6cb8e707a6057b485940428966197525ef9e6b498ba34ebe2ed059f8d88806c
Instruction ID: 94ab035ce56df78761ea6efb7fd6e5ba4754ee5e3661fff99f18f583b066883d
Opcode Fuzzy Hash: d6cb8e707a6057b485940428966197525ef9e6b498ba34ebe2ed059f8d88806c
Instruction Fuzzy Hash: 1A5162B24083459BCB24DB90D8819DFB7ECAF84344F10591EF689E3292EF75A588C766

Function 00EBB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Part of subcall function 00EBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EBB6AE,?,?), ref: 00EBC9B5
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBC9F1
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA68
Part of subcall function 00EBC998: _wcslen.LIBCMT ref: 00EBCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EBBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EBBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EBBB63
RegCloseKey.ADVAPI32(?,?), ref: 00EBBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00EBBBB3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 3c2d3b81457423d0e70195e9f847659dcb5a605e945853466ad8d43c4a484279
Instruction ID: b104485fe8c4170cb8a566c8b1a3706b04122028dc9346b179adb9caa284e1bf
Opcode Fuzzy Hash: 3c2d3b81457423d0e70195e9f847659dcb5a605e945853466ad8d43c4a484279
Instruction Fuzzy Hash: 5C61AE31208201AFD314DF14C895E6BBBE5FF84308F14A56CF499AB2A2CB71ED45CB92

Function 00E98BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E98BCD
VariantClear.OLEAUT32 ref: 00E98C3E
VariantClear.OLEAUT32 ref: 00E98C9D
VariantClear.OLEAUT32(?), ref: 00E98D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E98D3B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 2ae6cf5d42e082bd6786f2599f563c0c9f51368b314a591bb29ff5c0adc85752
Instruction ID: b0a6fa1f842b417d24b1544fa93c86e7b0739f58bf0bd882af6b7c5559293c8a
Opcode Fuzzy Hash: 2ae6cf5d42e082bd6786f2599f563c0c9f51368b314a591bb29ff5c0adc85752
Instruction Fuzzy Hash: F0515CB5A00219DFCB14CF68C894EAAB7F9FF89314B158559E919EB350D730E911CB90

Function 00EA8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EA8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00EA8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EA8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EA8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EA8C5F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 515d896044e091b67b848bfb5cf73cdb6b53ae57f45164d2c54e1d1c962c25e6
Instruction ID: 1a11988bc720e4ccee7313430f8acc97c8bf197bf4c2a612a04307979dc02632
Opcode Fuzzy Hash: 515d896044e091b67b848bfb5cf73cdb6b53ae57f45164d2c54e1d1c962c25e6
Instruction Fuzzy Hash: AE514975A00218AFCB14DF65C884E6ABBF5FF49314F089458E849AB362CB31ED51CF91

Function 00EB8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00EB8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00EB8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00EB8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00EB9032
FreeLibrary.KERNEL32(00000000), ref: 00EB9052

Part of subcall function 00E4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00EA1043,?,75C0E610), ref: 00E4F6E6
Part of subcall function 00E4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00E8FA64,00000000,00000000,?,?,00EA1043,?,75C0E610,?,00E8FA64), ref: 00E4F70D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 97b97476e075fca143f826e6743bacb20a2db58a8eb6de71565eab79c5bbbb69
Instruction ID: 2e937d9fd8c961c1e7645a8d4689e10d6c821ad03d4c45552f7e285e99b2a0ca
Opcode Fuzzy Hash: 97b97476e075fca143f826e6743bacb20a2db58a8eb6de71565eab79c5bbbb69
Instruction Fuzzy Hash: 88512835605205DFCB15EF54C4948EABBF5FF49314F0990A8E90AAB362DB31ED86CB90

Function 00EC6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00EC6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00EC6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00EC6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00EAAB79,00000000,00000000), ref: 00EC6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00EC6CC7

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: c4e92d4ca97db8eeacfa95495369b9e2ee6a91c271c1495134fd0601fa80c60a
Instruction ID: 547cd3be15ab579186e7a30316a963eb46f30f7ed59f709b07126bd5ab9fe5de
Opcode Fuzzy Hash: c4e92d4ca97db8eeacfa95495369b9e2ee6a91c271c1495134fd0601fa80c60a
Instruction Fuzzy Hash: A741D635604104AFDB24CF28CE58FA7BBA5EB49354F14122CF999B72E1C372ED42DA40

Function 00E62051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E620C3
_free.LIBCMT ref: 00E620E3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd4ae5bc35e9d118c4aa2d4bc946a8e60bc108f513104e99a80a1311ec558f83
Instruction ID: c5a9ddc30dbf762efe3806c6249b54cae67f48248cc9d690134432bba6d203f3
Opcode Fuzzy Hash: bd4ae5bc35e9d118c4aa2d4bc946a8e60bc108f513104e99a80a1311ec558f83
Instruction Fuzzy Hash: 4C410232A406009FCB24DF78D980A6EB3E5EF89354F2555ACEA05FB391DA31AD01CB81

Function 00E4912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E49141
ScreenToClient.USER32(00000000,?), ref: 00E4915E
GetAsyncKeyState.USER32(00000001), ref: 00E49183
GetAsyncKeyState.USER32(00000002), ref: 00E4919D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 25e2ab9bdb05383872044db8e9c10201287e22e3f80818fd1e7f9c6012f330df
Instruction ID: 23e828d507eaa685c20cb270460953ff6a235f3c6ebacbac937aa982bb70db77
Opcode Fuzzy Hash: 25e2ab9bdb05383872044db8e9c10201287e22e3f80818fd1e7f9c6012f330df
Instruction Fuzzy Hash: 0041703190951ABBDF05AF64D848BEEB774FB05324F205229E46DB32D1C731A954CB51

Function 00EA3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00EA38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00EA3922
TranslateMessage.USER32(?), ref: 00EA394B
DispatchMessageW.USER32(?), ref: 00EA3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EA3966

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4e605091f87d6c568740ae1a305af96f30646cfe6dfbbc3f2e53e2c947d16320
Instruction ID: 90f79a4a046806504f44c54c48407e7f04c57d4d1787cfecd4ccbecd159ff2a2
Opcode Fuzzy Hash: 4e605091f87d6c568740ae1a305af96f30646cfe6dfbbc3f2e53e2c947d16320
Instruction Fuzzy Hash: B031F5709043459EEB34CB349808BB73BE8BB4A308F145569F456AA0E4E3B4B689DB11

Function 00EACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00EACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00EACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00EAC21E,00000000), ref: 00EACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EAC21E,00000000), ref: 00EACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00EAC21E,00000000), ref: 00EACFF2

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: aa39812eefc6103e7b35f400e39e2e237d2072cf27337880a95b7b28b70000b1
Instruction ID: 5a2bf343e7d7f7d92f053a49ff3aa4adf7c9df513de03b505368eca5679bfd5e
Opcode Fuzzy Hash: aa39812eefc6103e7b35f400e39e2e237d2072cf27337880a95b7b28b70000b1
Instruction Fuzzy Hash: 4D317F75604205AFDB20DFA5D884EABBBF9EB09314B20542EF506F6110DB30BD45DB60

Function 00E91901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E91915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00E919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00E919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00E919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00E919E2

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 533f2d1b556be7061dfe7b6aa8462b87f30221ed49fda914e772afd691a739ab
Instruction ID: 1b7ad89f5c07c91f55d284fa6c818b1927526a98b3a56a68e723b75b3654349d
Opcode Fuzzy Hash: 533f2d1b556be7061dfe7b6aa8462b87f30221ed49fda914e772afd691a739ab
Instruction Fuzzy Hash: 3A31DF71A0021AEFCF00CFA8CD98ADE3BB5EB44318F105269F925B72D0C3709944CB91

Function 00EC5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EC5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00EC579D
_wcslen.LIBCMT ref: 00EC57AF
_wcslen.LIBCMT ref: 00EC57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EC5816

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 48f842a36773e3239a30ceafc76634794a7c64f905f3b8f0673f7796637d695f
Instruction ID: ab2fffa3a8a20bc8681982c3ecb409b7d4d56f14348a31503b10587e63f94a95
Opcode Fuzzy Hash: 48f842a36773e3239a30ceafc76634794a7c64f905f3b8f0673f7796637d695f
Instruction Fuzzy Hash: A4218172904618DADB208F60CD85FEE77B8FF44724F10925AF929BA180D771A9C6CF51

Function 00EB0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00EB0951
GetForegroundWindow.USER32 ref: 00EB0968
GetDC.USER32(00000000), ref: 00EB09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00EB09B0
ReleaseDC.USER32(00000000,00000003), ref: 00EB09E8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c633499292efdc52f6074809cf3627eb75e5df315a31c9f9eb136a141bad6491
Instruction ID: aa9bbb73be0c70f1faf03835e2d794a13853ef15ba2727664aaa5483d6b92991
Opcode Fuzzy Hash: c633499292efdc52f6074809cf3627eb75e5df315a31c9f9eb136a141bad6491
Instruction Fuzzy Hash: CE216F35600204AFD704EF65C988EAFBBE9EF89740F149079E84AB7752CB30AC05CB90

Function 00E6CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E6CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E6CDE9

Part of subcall function 00E63820: RtlAllocateHeap.NTDLL(00000000,?,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6,?,00E31129), ref: 00E63852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E6CE0F
_free.LIBCMT ref: 00E6CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E6CE31

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 70b5d50826eedb4d7c6afe0b17895260fdacbb078a184c7d73e8f1f657e9d0f4
Instruction ID: 537d7a2408668f765f30653b4ac10cf553174111e1907340c0b434ae0dca6260
Opcode Fuzzy Hash: 70b5d50826eedb4d7c6afe0b17895260fdacbb078a184c7d73e8f1f657e9d0f4
Instruction Fuzzy Hash: D401D472A422157F232116BB7C8CC7B7A7DDFC6BE53351129F909F7200EA668D0281B0

Function 00E49639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E49693
SelectObject.GDI32(?,00000000), ref: 00E496A2
BeginPath.GDI32(?), ref: 00E496B9
SelectObject.GDI32(?,00000000), ref: 00E496E2

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 07bae1241627723048c0edca0718d018ef190bde9d92199ed93d88e6477e153d
Instruction ID: dbd0dd7fc30f65ace4cc592a9737ed60767821a2878bb59aaffea028c4603b61
Opcode Fuzzy Hash: 07bae1241627723048c0edca0718d018ef190bde9d92199ed93d88e6477e153d
Instruction Fuzzy Hash: 5821A730802309EFDB119F25FC08BAA3BB4BB50359F210256F418B61B1D3719856DF90

Function 00E4990E Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E498CC
SetTextColor.GDI32(?,?), ref: 00E498D6
SetBkMode.GDI32(?,00000001), ref: 00E498E9
GetStockObject.GDI32(00000005), ref: 00E498F1
GetWindowLongW.USER32(?,000000EB), ref: 00E49952

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 6d14e69f22affd0d4c3ac4242c487b6e172310605592808dd71a88a06b1bd912
Instruction ID: 748b88403f6df9f303209ee04e9c6f49ecb1e9ea2fc0161ea14cd2a78687a1f5
Opcode Fuzzy Hash: 6d14e69f22affd0d4c3ac4242c487b6e172310605592808dd71a88a06b1bd912
Instruction Fuzzy Hash: CA213A325462109FCB258F26FC54EEB3B60AB96335B28025DF6A67A1E3C7324851DB50

Function 00E95711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00E95726
_memcmp.LIBVCRUNTIME ref: 00E95744
_memcmp.LIBVCRUNTIME ref: 00E95757
_memcmp.LIBVCRUNTIME ref: 00E9576F
_memcmp.LIBVCRUNTIME ref: 00E95787

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1c91e65a3ddbb861a06882d5c30f57a6b73801ed7878bfeed1f1070a0a924ec0
Instruction ID: 6ab34ca8aebf130d605c50c2779fca3ad96fe302cc8277a345fa0988e4eaf781
Opcode Fuzzy Hash: 1c91e65a3ddbb861a06882d5c30f57a6b73801ed7878bfeed1f1070a0a924ec0
Instruction Fuzzy Hash: 8701F563741709FBDA095650AE92FFB739D9B20399F006026FD04BA241F731EF2583A0

Function 00E62DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00E5F2DE,00E63863,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6), ref: 00E62DFD
_free.LIBCMT ref: 00E62E32
_free.LIBCMT ref: 00E62E59
SetLastError.KERNEL32(00000000,00E31129), ref: 00E62E66
SetLastError.KERNEL32(00000000,00E31129), ref: 00E62E6F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: ce5e8896d03948d8da19d60bde5ff6578669dd39ab5b7fb933d163fcb9646184
Instruction ID: 8e5efc4bfbed4e31cec7488a35ca5fb068cd016193740031b812cfa2d605915f
Opcode Fuzzy Hash: ce5e8896d03948d8da19d60bde5ff6578669dd39ab5b7fb933d163fcb9646184
Instruction Fuzzy Hash: B201F4366C5E006BC71327397C49D6B26ADABD13E9B35603CF629B22D2EF228C065120

Function 00E9000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?,?,00E9035E), ref: 00E9002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?), ref: 00E90046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?), ref: 00E90054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?), ref: 00E90064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E8FF41,80070057,?,?), ref: 00E90070

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: aba1204bfcee3453447031fcb2d87dd2b7f5e4be21eb03d1e03f3ab76ca8a245
Instruction ID: 114046b4ef585fce7d4c5cbfc6642a0d3e3f62a25c4d1ad16f12831fb5369cde
Opcode Fuzzy Hash: aba1204bfcee3453447031fcb2d87dd2b7f5e4be21eb03d1e03f3ab76ca8a245
Instruction Fuzzy Hash: 61017872600204AFDB158F6ADC04FAA7AADEB44792F645524F909E2210E772ED459BA0

Function 00E910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E91114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E9112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E90B9B,?,?,?), ref: 00E91136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E9114D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 25627c7cd4f8a8c9dd1ad2b581fcecaad3b8558c7acf0721fb74bbffaac5f950
Instruction ID: 15d752ee7a7b8cf5055a0a8427b85e9ed501386d6b7cd2796bf26362dd30da5b
Opcode Fuzzy Hash: 25627c7cd4f8a8c9dd1ad2b581fcecaad3b8558c7acf0721fb74bbffaac5f950
Instruction Fuzzy Hash: F8016D75101205BFDB114F66DC4DE6A3B6EEF85364B240465FA45E3350DB32DC428A60

Function 00E90FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E90FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E90FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E90FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E90FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E91002

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ebf56306e67905721eca0018327b6c17e248e7151ece9e87494995ea3cdbf28b
Instruction ID: c3902daf6119ad49f5c7e320ea68489474d68c9f409702a92edd97f3c332c1c5
Opcode Fuzzy Hash: ebf56306e67905721eca0018327b6c17e248e7151ece9e87494995ea3cdbf28b
Instruction Fuzzy Hash: ABF0AF75100301AFDB210FA69C49F5A3B6EFF89761F200464F909E6250CA32DC42CA60

Function 00E91014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E9102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E91036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E91045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E9104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E91062

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cbc7f8a314896fb289e0d1e95fa8072e9c62d62e5bcc7945229585b20ca70740
Instruction ID: e70ec399f3def2993c5113cf7768b0822aa79d59ad78bb9fed0e8aa5b6222875
Opcode Fuzzy Hash: cbc7f8a314896fb289e0d1e95fa8072e9c62d62e5bcc7945229585b20ca70740
Instruction Fuzzy Hash: EFF06235101301EFDB215FA6EC49F5A3B6DFF897A1F240464F949E7250CA72D8469A60

Function 00EA030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA0324
CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA0331
CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA033E
CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA034B
CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA0358
CloseHandle.KERNEL32(?,?,?,?,00EA017D,?,00EA32FC,?,00000001,00E72592,?), ref: 00EA0365

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4b77a68d64ac78f5f62208f0fa7f67c3ca232e8b3caeda85c0a02f203e51178e
Instruction ID: eb74bc9ab5e8cb81b2c4148ea0a1f634b45a30394d11d9bdf71f3ba963e26824
Opcode Fuzzy Hash: 4b77a68d64ac78f5f62208f0fa7f67c3ca232e8b3caeda85c0a02f203e51178e
Instruction Fuzzy Hash: 4F01AE72800B159FCB30AF66D880816FBF9BF653193159A3FD19662931C3B1B959DF80

Function 00E6D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E6D752

Part of subcall function 00E629C8: HeapFree.KERNEL32(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0

_free.LIBCMT ref: 00E6D764
_free.LIBCMT ref: 00E6D776
_free.LIBCMT ref: 00E6D788
_free.LIBCMT ref: 00E6D79A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ca3b576429f81882497ccbe2f1319291440a60747d83cd146f4c063f131b6db1
Instruction ID: a358e3a7550931b8a9d2fff74dc0d0cf0842b4a1fa0a93fa1f9568e4a7abf175
Opcode Fuzzy Hash: ca3b576429f81882497ccbe2f1319291440a60747d83cd146f4c063f131b6db1
Instruction Fuzzy Hash: 6DF0E132A846486B8619EB55F9C5C5677DDBBC47D47F4280AF144F7501C720FC44C665

Function 00E95C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00E95C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00E95C6F
MessageBeep.USER32(00000000), ref: 00E95C87
KillTimer.USER32(?,0000040A), ref: 00E95CA3
EndDialog.USER32(?,00000001), ref: 00E95CBD

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9ab8b95d11a9d2d9997b71e870566b232723145ec6def08616e668c1e864a5df
Instruction ID: 4fb21e074c2f39818a1af8ddce7464b77dca05b420b4e0ac3676971025479e08
Opcode Fuzzy Hash: 9ab8b95d11a9d2d9997b71e870566b232723145ec6def08616e668c1e864a5df
Instruction Fuzzy Hash: 81014F31500B04AFEB215B21DE4EFE6B7B8AB00B05F041569F686B15E1DBB1A9898B90

Function 00E622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E622BE

Part of subcall function 00E629C8: HeapFree.KERNEL32(00000000,00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000), ref: 00E629DE
Part of subcall function 00E629C8: GetLastError.KERNEL32(00000000,?,00E6D7D1,00000000,00000000,00000000,00000000,?,00E6D7F8,00000000,00000007,00000000,?,00E6DBF5,00000000,00000000), ref: 00E629F0

_free.LIBCMT ref: 00E622D0
_free.LIBCMT ref: 00E622E3
_free.LIBCMT ref: 00E622F4
_free.LIBCMT ref: 00E62305

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 296528e54d8c1967e0d6b8c3a2adb09c0f8945b959ea201706281011d6feff9a
Instruction ID: d9652acc0369b4f2420d8ea10d1b2e0c492f76e4798864d42b4fb308f347e438
Opcode Fuzzy Hash: 296528e54d8c1967e0d6b8c3a2adb09c0f8945b959ea201706281011d6feff9a
Instruction Fuzzy Hash: 62F05E70A809698BC71AAF94BC019193BE6F7D87E2B21254EF510F22B1CB301811FFE5

Function 00E495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E495D4
StrokeAndFillPath.GDI32(?,?,00E871F7,00000000,?,?,?), ref: 00E495F0
SelectObject.GDI32(?,00000000), ref: 00E49603
DeleteObject.GDI32 ref: 00E49616
StrokePath.GDI32(?), ref: 00E49631

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0cb1fc4fcf8c884a7e483299b96ebe07bbb09184f31ff23020da0ea558ca27dd
Instruction ID: 4c0aec86679f1ad4ec57c48095ea13e5be7a7a147f334338e9cd621e928b64cd
Opcode Fuzzy Hash: 0cb1fc4fcf8c884a7e483299b96ebe07bbb09184f31ff23020da0ea558ca27dd
Instruction Fuzzy Hash: 7FF04931006208EFDB229F6AED1CBA53F61BB00326F248264F469750F1C735899AEF20

Function 00E60F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00E610F9
__freea.LIBCMT ref: 00E61117

Part of subcall function 00E61537: _free.LIBCMT ref: 00E6154F

Strings

am/pm, xrefs: 00E6117A
a/p, xrefs: 00E611DE

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 7536c33a64a6c2f783c111658deba90b5332ee8f323c430034b8508152932e25
Instruction ID: 7d7a367efbb76f236e91fb98abe6729fe44f9a4c053731577430b66202a67c9e
Opcode Fuzzy Hash: 7536c33a64a6c2f783c111658deba90b5332ee8f323c430034b8508152932e25
Instruction Fuzzy Hash: 6ED115319C0245CACB268F68E8557FABBB1EF06384F2D6199E902BB751D3359D80CB91

Function 00E65AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO, xrefs: 00E65BA8, 00E65C6C

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-1663374661
Opcode ID: 597d3ace61ac2d558d923426184aadfac71f637403d1e199dde5144e70a20005
Instruction ID: 32dd0faa35f4dbaa66717770e0c277c0ee647a6e8b9f10a8e432600c771a16ed
Opcode Fuzzy Hash: 597d3ace61ac2d558d923426184aadfac71f637403d1e199dde5144e70a20005
Instruction Fuzzy Hash: 6751E376F8060AAFCB109FA4EC45FEEBBB8EF45394F14205AF405B7291D6319901DB61

Function 00E68A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00E68B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00E68B7A
__dosmaperr.LIBCMT ref: 00E68B81

Strings

., xrefs: 00E68A63

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .
API String ID: 2434981716-3963672497
Opcode ID: 50f2e132533699e3eedfc2f1c85e9775caded30a6531579d718408dec8372a5d
Instruction ID: 79e762f5fd3bbfc317961ef307afa12b0eebac9ab8c170962b43da4ded82c79a
Opcode Fuzzy Hash: 50f2e132533699e3eedfc2f1c85e9775caded30a6531579d718408dec8372a5d
Instruction Fuzzy Hash: C541BFB4604045AFD7249F64ED84ABD3FE6EF85384F2863AAF894B7552DE31CC029750

Function 00E92716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E9B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E921D0,?,?,00000034,00000800,?,00000034), ref: 00E9B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E92760

Part of subcall function 00E9B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00E9B3F8

Part of subcall function 00E9B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00E9B355
Part of subcall function 00E9B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E92194,00000034,?,?,00001004,00000000,00000000), ref: 00E9B365
Part of subcall function 00E9B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E92194,00000034,?,?,00001004,00000000,00000000), ref: 00E9B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E9281A

Strings

@, xrefs: 00E92832

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 0dd3a71b86f494886f95e4bcf14fdf9126a02c1d2681c046c36a99620ecd2dc2
Instruction ID: ece77a47ed2271f662d23690aa25836dd56e82b2eb78138005dcaeb962cabf56
Opcode Fuzzy Hash: 0dd3a71b86f494886f95e4bcf14fdf9126a02c1d2681c046c36a99620ecd2dc2
Instruction Fuzzy Hash: A6411A72900218BFDF10DBA4DD45EEEBBB8AF09700F105099FA55B7181DB716E45CBA1

Function 00E6172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00E61769
_free.LIBCMT ref: 00E61834
_free.LIBCMT ref: 00E6183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00E61760, 00E61767, 00E61796, 00E617CE

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: b28233e40e44b4d2a06980f7d0dc4f8c81e210138f0fe99c95486aea5f4ee5b7
Instruction ID: 091a6f1c05916c2e98f1b023e7569cfbb0b44fc77573052f07a8e259e2f25e77
Opcode Fuzzy Hash: b28233e40e44b4d2a06980f7d0dc4f8c81e210138f0fe99c95486aea5f4ee5b7
Instruction Fuzzy Hash: 8431B571A80208AFCB26DF99EC85D9EBBFCFB85390F1851AAF404E7211D6705E40DB90

Function 00E9C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E9C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00E9C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F01990,009F54D8), ref: 00E9C395

Strings

0, xrefs: 00E9C2DF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 21f96263765a5459b1c59ec26459d41d979617f56c7faa09a0d5808a063d5a90
Instruction ID: 8112032cc9264528ca51c616cf32dce387ad85ae74f64241703a4f800791acfd
Opcode Fuzzy Hash: 21f96263765a5459b1c59ec26459d41d979617f56c7faa09a0d5808a063d5a90
Instruction Fuzzy Hash: 7941E6712043019FDB20EF25D844F5ABBE4EF85314F209A6DF9A5A72D1D770E904CB52

Function 00EC4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00ECCC08,00000000,?,?,?,?), ref: 00EC44AA
GetWindowLongW.USER32 ref: 00EC44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC44D7

Strings

SysTreeView32, xrefs: 00EC447C

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 207d0c2ea67d82d8397da77436ac9b5473b32218c01301d9269da8a1eff18f5d
Instruction ID: 39d2b0dce6594c037affa4006e4fa0b81614f6049efb712ec024ff9655e8d4f3
Opcode Fuzzy Hash: 207d0c2ea67d82d8397da77436ac9b5473b32218c01301d9269da8a1eff18f5d
Instruction Fuzzy Hash: E6318D71210605AFDB258E38DD45FEA7BA9EB08328F206329F979A21D0D772AC529750

Function 00E96E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00E96EED
VariantCopyInd.OLEAUT32(?,?), ref: 00E96F08
VariantClear.OLEAUT32(?), ref: 00E96F12

Strings

*j, xrefs: 00E96E8B, 00E96E90, 00E96EF8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j
API String ID: 2173805711-1845181700
Opcode ID: 2575f4d64734cde73796df4da69eb22a230ce2b677ed86b6646ac83d283dd8ea
Instruction ID: db4fb1b134863c3a8bc3e6d7da9093e311cfa49ffc8938e1088f86ec7ab11e64
Opcode Fuzzy Hash: 2575f4d64734cde73796df4da69eb22a230ce2b677ed86b6646ac83d283dd8ea
Instruction Fuzzy Hash: 4231AF72704205DFCF08AFA4E8559FD3BB6FF85304B1024AAF9036B2A1C734991ADB90

Function 00EB304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00EB3077,?,?), ref: 00EB3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00EB307A
_wcslen.LIBCMT ref: 00EB309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00EB3106

Strings

255.255.255.255, xrefs: 00EB3095, 00EB309A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: e3aa93fb4170230fb0dd7fd9eb020d3f30bd1510de5a46d550a6264c3d1e4430
Instruction ID: cb5a3ad4c2e2373ed45b8bd708a645bc93b9e3b25c8cd5c94aefc2e8204fa25d
Opcode Fuzzy Hash: e3aa93fb4170230fb0dd7fd9eb020d3f30bd1510de5a46d550a6264c3d1e4430
Instruction Fuzzy Hash: 4D31D53A6042059FC720DF38C586EEB77E4EF54318F249059E915AB392DB72EE45C760

Function 00EC3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EC3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EC3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EC3F78

Strings

SysMonthCal32, xrefs: 00EC3F0B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 005950a85df67aa4ef8677974c1fb6cf4c28eb152e0ef37614e8f64f00745019
Instruction ID: 122ae3303f2a77ec4e4e1e0cc6a46d61b0271c2bf4c0c94a0747bc2a7cc86d8b
Opcode Fuzzy Hash: 005950a85df67aa4ef8677974c1fb6cf4c28eb152e0ef37614e8f64f00745019
Instruction Fuzzy Hash: 6221BF32600219BFDF258F60CD46FEA3BB9EB48718F115218FA157B1D0D6B2A955CB90

Function 00EC4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EC4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EC4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EC471A

Strings

msctls_updown32, xrefs: 00EC4684

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 50b7c7d6ac5a16a958be91fed56d0833da281e2d422311b32f86af5b3bcd715d
Instruction ID: 057308bd2359179e25939ed618ba36403787e0f2e9a07be332431edae0e332ea
Opcode Fuzzy Hash: 50b7c7d6ac5a16a958be91fed56d0833da281e2d422311b32f86af5b3bcd715d
Instruction Fuzzy Hash: 7D215EF5600208AFEB10DF64DD91DAB37EDEB4A398B141059FA04AB391CB71EC52DA60

Function 00E995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E9961D

Strings

#requireadmin, xrefs: 00E995D9
#notrayicon, xrefs: 00E995B7
#OnAutoItStartRegister, xrefs: 00E995F3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: fa7c25ce8734daa7d5549d4e73cce73d52798e5e541e4f5bfdffefd7e3f7d39b
Instruction ID: 3ff0afe890fbb6d69c94a5562b2bfaf8facda9dfaa69f142e848a295828fca52
Opcode Fuzzy Hash: fa7c25ce8734daa7d5549d4e73cce73d52798e5e541e4f5bfdffefd7e3f7d39b
Instruction Fuzzy Hash: 5E215B7210461166DB31AB2C9D03FBB73E89F91314F10642EFD49B7083EB61AD85C2E6

Function 00EC37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EC3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EC3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EC3876

Strings

Listbox, xrefs: 00EC380F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a038b087f8610e9abf2b9c289df2f24155efd194c04c16c043324e488d45f0be
Instruction ID: 1a9d248d0182fd4c9feeb8893543ea55bd625249b8701c5fc6cd1f07e658f26f
Opcode Fuzzy Hash: a038b087f8610e9abf2b9c289df2f24155efd194c04c16c043324e488d45f0be
Instruction Fuzzy Hash: 2B21B372600118BFEF219F64DD45FBB376EEF89754F109129F904AB190C672DC528790

Function 00EA49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EA4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EA4A5C
SetErrorMode.KERNEL32(00000000,?,?,00ECCC08), ref: 00EA4AD0

Strings

%lu, xrefs: 00EA4A6F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 95232af82497f8cde1437ffea8a8580be830eb5dafd49d5a71f683776a4d912e
Instruction ID: 5a0614ed18aaf4861641b77eaf90cd424113db39b51cbd28328dcd1f0398ca5e
Opcode Fuzzy Hash: 95232af82497f8cde1437ffea8a8580be830eb5dafd49d5a71f683776a4d912e
Instruction Fuzzy Hash: 53317371A00208AFDB10DF54C885EAABBF8EF49308F1490A5F509EF252D771ED46CB61

Function 00EC41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EC424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EC4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EC4271

Strings

msctls_trackbar32, xrefs: 00EC4226

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 98fa022b60fe75f95620c1712e6e270303add447d9b1ac6048f4bc99cc9b17fc
Instruction ID: 0633de6c52766776627c1257c9e881fef9e18e8dab0110029716b1b58726b78f
Opcode Fuzzy Hash: 98fa022b60fe75f95620c1712e6e270303add447d9b1ac6048f4bc99cc9b17fc
Instruction Fuzzy Hash: CF11E372240208BEEF205F69CC06FAB3BACEF85B58F111128FA55F20E0D272D8529B10

Function 00E92F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A

Part of subcall function 00E92DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E92DC5
Part of subcall function 00E92DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E92DD6
Part of subcall function 00E92DA7: GetCurrentThreadId.KERNEL32 ref: 00E92DDD
Part of subcall function 00E92DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00E92DE4

GetFocus.USER32 ref: 00E92F78

Part of subcall function 00E92DEE: GetParent.USER32(00000000), ref: 00E92DF9

GetClassNameW.USER32(?,?,00000100), ref: 00E92FC3
EnumChildWindows.USER32(?,00E9303B), ref: 00E92FEB

Strings

%s%d, xrefs: 00E92FFF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 681b7543ca74b7de1234ca3ad636c615f40be915dc7f11048aa2aa98d9eaae3e
Instruction ID: 68459877ee39f016db9d1f8ec6be9fc83a101dcfad58dafd8213a81b32e103bf
Opcode Fuzzy Hash: 681b7543ca74b7de1234ca3ad636c615f40be915dc7f11048aa2aa98d9eaae3e
Instruction Fuzzy Hash: 531184716002057BCF147F749C89EED77AAAF94304F14A079FE09BB252DE71994ACB60

Function 00EC5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EC58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00EC58EE
DrawMenuBar.USER32(?), ref: 00EC58FD

Strings

0, xrefs: 00EC588F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f3d84e2c322db714d17e8abddf7bed79da79aa13a097edf643e91b1d36b39cfa
Instruction ID: 2300fe6f81c060b968a5d0b3b9691bbe98a187981c4b5fc2ad2ea62216239d5b
Opcode Fuzzy Hash: f3d84e2c322db714d17e8abddf7bed79da79aa13a097edf643e91b1d36b39cfa
Instruction Fuzzy Hash: F0015E32500218EEDB219F11DC44FAEBBB4FB85765F1080A9E859E6151DB319A86DF21

Function 00E8D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00E8D3BF
FreeLibrary.KERNEL32 ref: 00E8D3E5

Strings

X64, xrefs: 00E8D2A8
GetSystemWow64DirectoryW, xrefs: 00E8D3B9

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: e6da47e55927f73a9944d5ad0073980bd2b719e9a89371853eecdebc73d66905
Instruction ID: 2e3e5aa84aaa96f5d4adcf8206551041c0a44e1ef5ceb8cf333ca8964d08dddd
Opcode Fuzzy Hash: e6da47e55927f73a9944d5ad0073980bd2b719e9a89371853eecdebc73d66905
Instruction Fuzzy Hash: 46F0E53184E621AFD73136165C54EE97324AF10B01B69B679E80EF21D5DB20CD468792

Function 00E9007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcafedaef8140e5e9e93f3e2a5f19c3b91e5b37c4c33a78e085e4025687dd54
Instruction ID: a3f8a35674b4140bc47c9ee86fd9815c88c6ec6fb2a2c8e0b387654fa62d977e
Opcode Fuzzy Hash: 4bcafedaef8140e5e9e93f3e2a5f19c3b91e5b37c4c33a78e085e4025687dd54
Instruction Fuzzy Hash: D1C16C75A0021AEFCB14CFA8C894EAEB7B5FF48704F609598E905EB251D731EE41DB90

Function 00EB342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EB3459
CoUninitialize.OLE32 ref: 00EB3463
VariantInit.OLEAUT32(?), ref: 00EB346E
VariantClear.OLEAUT32(?), ref: 00EB371B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 05776e43279c0c777d2a1873afb3b5dbf93aa919ea24d7d47a0517d81c3f4cac
Instruction ID: 8b6784ba3e417f223550e9e391abcaf6f4cd089565b8e4a41716a6facd14e5ae
Opcode Fuzzy Hash: 05776e43279c0c777d2a1873afb3b5dbf93aa919ea24d7d47a0517d81c3f4cac
Instruction Fuzzy Hash: 82A18075604300AFCB14DF25C486A6ABBE5FF88714F14985DF98AAB362DB30ED01CB91

Function 00E90436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00ECFC08,?), ref: 00E905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00ECFC08,?), ref: 00E90608
CLSIDFromProgID.OLE32(?,?,00000000,00ECCC40,000000FF,?,00000000,00000800,00000000,?,00ECFC08,?), ref: 00E9062D
_memcmp.LIBVCRUNTIME ref: 00E9064E

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 2953bced8ed78a9da1850cfba7cdbb7ad93fb22c5990c542e88fb12c6122f7a4
Instruction ID: 00604242a96e5dfc1cfb9e0a6855f9e602a84e30463823a0bc2e49912cd1efc8
Opcode Fuzzy Hash: 2953bced8ed78a9da1850cfba7cdbb7ad93fb22c5990c542e88fb12c6122f7a4
Instruction Fuzzy Hash: 65810771A00109AFCF04DF94C988EEEB7B9FF89315F605558E516BB250DB71AE06CB60

Function 00E71391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E714C0

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1bdfaf60cd36902e1c99475a67a2993478250f4666f0b5afe55660ab5cc4bb91
Instruction ID: 3543d0a2da71b5c9f5ed994c94c2420c9fe86f93a21aaacea82eb7c71cfd3d6b
Opcode Fuzzy Hash: 1bdfaf60cd36902e1c99475a67a2993478250f4666f0b5afe55660ab5cc4bb91
Instruction Fuzzy Hash: D9416D756003006BDB256BBD9C46ABE3AE5EF417B0F24A6A5F83DF3292F63448425361

Function 00EC6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EC62E2
ScreenToClient.USER32(?,?), ref: 00EC6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00EC6382

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c7dc530d2aeef02d3b5c270ff5b4cd8604b9ccfd5a5bd71ba026b61245accddd
Instruction ID: df25edd0a986670b8c3651352034093a2017c496c515c3fa20f3ffb3ecb41082
Opcode Fuzzy Hash: c7dc530d2aeef02d3b5c270ff5b4cd8604b9ccfd5a5bd71ba026b61245accddd
Instruction Fuzzy Hash: 77514C70900249AFDF14DF68DA80EAE7BB5FB85364F10916DF815AB2A0D731AD42CB50

Function 00EB1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00EB1AFD
WSAGetLastError.WSOCK32 ref: 00EB1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00EB1B8A
WSAGetLastError.WSOCK32 ref: 00EB1B94

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: ff40ca8910806199bc0fce344d0de4971b1f35b0231b97cdfe81332a061ee2a9
Instruction ID: e72097cf13289b65a0e8f90287eb63fe5a1ef9b9fd0c706afe072594c255763d
Opcode Fuzzy Hash: ff40ca8910806199bc0fce344d0de4971b1f35b0231b97cdfe81332a061ee2a9
Instruction Fuzzy Hash: BA41D575600200AFD720AF24D88AF667BE5AB44718F54D49CF61AAF3D2D772DD41CB90

Function 00E6B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403e36f19871c95b08ccea1f1b8742252be45f21d903387016cc5b9f46cedcc7
Instruction ID: 2ebba378716f484b8a255e019b80a5b4a8b897cccc1cbbd3c6686a41c5d3cf9d
Opcode Fuzzy Hash: 403e36f19871c95b08ccea1f1b8742252be45f21d903387016cc5b9f46cedcc7
Instruction Fuzzy Hash: 98416971A40314BFD724AF38DC01BAABBE9EB84350F10952EF112FB291E77199418780

Function 00EA56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EA5783
GetLastError.KERNEL32(?,00000000), ref: 00EA57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EA57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EA57FA

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a2f1ea830e151317b0e5abba8fd693899e1a44b34ea3315afc09f6e6fc80d449
Instruction ID: fc63f32eeaa7df7ceb0d71531e8f26e9f8c770b09e9a049c537e1a581a2cfea8
Opcode Fuzzy Hash: a2f1ea830e151317b0e5abba8fd693899e1a44b34ea3315afc09f6e6fc80d449
Instruction Fuzzy Hash: 38411C3A600610DFCB25DF15C444A59BBE2EF49324F199498E84A7F362CB35FD01CB91

Function 00E6D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00E582D9,?,00E582D9,?,00000001,?,?,00000001,00E582D9,00E582D9), ref: 00E6D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E6D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00E6D9AB
__freea.LIBCMT ref: 00E6D9B4

Part of subcall function 00E63820: RtlAllocateHeap.NTDLL(00000000,?,00F01444,?,00E4FDF5,?,?,00E3A976,00000010,00F01440,00E313FC,?,00E313C6,?,00E31129), ref: 00E63852

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4786f4b6f89ffaf602e7c64e9679145c96a7b50f007d2e52211e386e51759dce
Instruction ID: 6db2ded456b79c9a14c4b07581b35b9881b0279195df0f97012790e8af09e8f8
Opcode Fuzzy Hash: 4786f4b6f89ffaf602e7c64e9679145c96a7b50f007d2e52211e386e51759dce
Instruction Fuzzy Hash: 6A31DE72E0020AABDF24CF65EC45EAF7BA5EB80354B154168FC08E7290EB75CD55CBA0

Function 00EC52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00EC5352
GetWindowLongW.USER32(?,000000F0), ref: 00EC5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EC5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EC53A8

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: cf40ace1862894e34e2bdfb7297ab95b9b7d377f4eaf086e73b05d1950eacf21
Instruction ID: a0cd337c3862d8323ac79c79a92fd91c59920d94c5d933b5b34260eee0fc0bd2
Opcode Fuzzy Hash: cf40ace1862894e34e2bdfb7297ab95b9b7d377f4eaf086e73b05d1950eacf21
Instruction Fuzzy Hash: 9731E632B55A48EFEB309F1CCE05FE83761AB04394F586119FA10B61E5C7B2B9C29B41

Function 00E9AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00E9ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00E9AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00E9AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00E9ACC6

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 313684724e7589c49eb49cd5e05a06959f10c6b33593293db3f129945358fa27
Instruction ID: ffb82d444966bfabe93ee3bf605d149f0f4170b1712f95a2f7e7192d75d51f24
Opcode Fuzzy Hash: 313684724e7589c49eb49cd5e05a06959f10c6b33593293db3f129945358fa27
Instruction Fuzzy Hash: 22310830A00618AFEF35CB658C04BFAFBA5AF89315F1C663AE4857A1D1C375898587D2

Function 00EC7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00EC769A
GetWindowRect.USER32(?,?), ref: 00EC7710
PtInRect.USER32(?,?,00EC8B89), ref: 00EC7720
MessageBeep.USER32(00000000), ref: 00EC778C

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: de0386cc40ce05f091ed8d3e4fcc92bb5f418bbc4a5d3a02b097a2d5eae81413
Instruction ID: dfe049e06edcfffb82ccecc793b797e57614911e323436a63ac877f9d570ba04
Opcode Fuzzy Hash: de0386cc40ce05f091ed8d3e4fcc92bb5f418bbc4a5d3a02b097a2d5eae81413
Instruction Fuzzy Hash: D0417C346092189FDB01CF68CA94FA977F5BB49315F1550AEE894AB261C732E942CF90

Function 00EC16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00EC16EB

Part of subcall function 00E93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E93A57
Part of subcall function 00E93A3D: GetCurrentThreadId.KERNEL32 ref: 00E93A5E
Part of subcall function 00E93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E925B3), ref: 00E93A65

GetCaretPos.USER32(?), ref: 00EC16FF
ClientToScreen.USER32(00000000,?), ref: 00EC174C
GetForegroundWindow.USER32 ref: 00EC1752

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: cf1d26fb8f71c446af35e2d76b1bbb33bf6e321dbf813e2e3cba149166614bef
Instruction ID: 2e6fde9b04c577e14d78b2c9dbf7684a358533631d5a6eb6c6f339d191e6b778
Opcode Fuzzy Hash: cf1d26fb8f71c446af35e2d76b1bbb33bf6e321dbf813e2e3cba149166614bef
Instruction Fuzzy Hash: 9A315075D00109AFCB04EFA9C985DAEBBF9EF49304B5490AAE415F7212D631DE46CFA0

Function 00E9D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E9D501
Process32FirstW.KERNEL32(00000000,?), ref: 00E9D50F
Process32NextW.KERNEL32(00000000,?), ref: 00E9D52F
CloseHandle.KERNEL32(00000000), ref: 00E9D5DC

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 731fa367a461b555b19aaa380581e44be2f6580f9b01b350630800664762b933
Instruction ID: 84fe627524618fe238524d43c454d582caf678511c82a14039865509c67a48d9
Opcode Fuzzy Hash: 731fa367a461b555b19aaa380581e44be2f6580f9b01b350630800664762b933
Instruction Fuzzy Hash: 06319C311083009FD304EF64DC85AAFBBF8AFD9354F14092DF585A61A2EB719949CB92

Function 00EC8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2

GetCursorPos.USER32(?), ref: 00EC9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E87711,?,?,?,?,?), ref: 00EC9016
GetCursorPos.USER32(?), ref: 00EC905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E87711,?,?,?), ref: 00EC9094

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 1f10af34a9d7fc52321908dbe51a0578a445fb27e94a9b023dc2d406ef95449c
Instruction ID: c72d7af8fe6817253543e3b637f4de4333452a9ee0de49ab0bbc58659296243e
Opcode Fuzzy Hash: 1f10af34a9d7fc52321908dbe51a0578a445fb27e94a9b023dc2d406ef95449c
Instruction Fuzzy Hash: 6321D131600118EFDB258F95CC59FFA3BB9FF89350F104069F9056B2A2C3769992EB60

Function 00E9D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00ECCB68), ref: 00E9D2FB
GetLastError.KERNEL32 ref: 00E9D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E9D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00ECCB68), ref: 00E9D376

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c6ef4cc1a0773b1e0d3249d486f3c8bfb6d2797805e46ab9909bd104ce7c4526
Instruction ID: 8c1936736d59210513c04efafe6d70c6930ecb2942f9eeb68552ac3d25cea3b0
Opcode Fuzzy Hash: c6ef4cc1a0773b1e0d3249d486f3c8bfb6d2797805e46ab9909bd104ce7c4526
Instruction Fuzzy Hash: 50219F705083119F8B04DF28C8858AEBBE4AF56369F205A1DF499E32A1D731D94ACB93

Function 00E91571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E9102A
Part of subcall function 00E91014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E91036
Part of subcall function 00E91014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E91045
Part of subcall function 00E91014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E9104C
Part of subcall function 00E91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E91062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E915BE
_memcmp.LIBVCRUNTIME ref: 00E915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E91617
HeapFree.KERNEL32(00000000), ref: 00E9161E

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: dcdee8c37498648ac053bb297fb75bd0fe64561384e048655f495f9a70e3f0f6
Instruction ID: d09adae023f9845d86b7c4e6d06d433d20f45abbca2b55c350dec4db29b1f699
Opcode Fuzzy Hash: dcdee8c37498648ac053bb297fb75bd0fe64561384e048655f495f9a70e3f0f6
Instruction Fuzzy Hash: E9219D31E4010AEFDF00DFA5C945BEEB7B8EF44348F194499E445BB241E731AA49CBA0

Function 00EC2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00EC280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EC2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00EC2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00EC2840

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 774c91cbd6b718089b34096306ef5020a309d575ff04dd92a556f6dd531d5225
Instruction ID: ccc56bbd5858d936e65468edc6825204ba2ff57402cf637ad9a00d78f3e75008
Opcode Fuzzy Hash: 774c91cbd6b718089b34096306ef5020a309d575ff04dd92a556f6dd531d5225
Instruction Fuzzy Hash: DE21C131204511AFD7149B24C984FAA7B99AF45324F24915DF52AAB6E2CB72FC43CB90

Function 00E978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E98D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00E9790A,?,000000FF,?,00E98754,00000000,?,0000001C,?,?), ref: 00E98D8C
Part of subcall function 00E98D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00E98DB2
Part of subcall function 00E98D7D: lstrcmpiW.KERNEL32(00000000,?,00E9790A,?,000000FF,?,00E98754,00000000,?,0000001C,?,?), ref: 00E98DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00E98754,00000000,?,0000001C,?,?,00000000), ref: 00E97923
lstrcpyW.KERNEL32(00000000,?), ref: 00E97949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00E98754,00000000,?,0000001C,?,?,00000000), ref: 00E97984

Strings

cdecl, xrefs: 00E9797B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8fe1ab9924f9b366135e1ef7db42440a22bf73c4220743ffe3247e731e6b10d4
Instruction ID: 8115e66aa3f22724391b425ab313b3aacbe715be4681b42945795856659a21f2
Opcode Fuzzy Hash: 8fe1ab9924f9b366135e1ef7db42440a22bf73c4220743ffe3247e731e6b10d4
Instruction Fuzzy Hash: E311033A200302AFCF159F39D844E7A77E9FF85354B10502AF986DB2A4EB329805C7A1

Function 00EC7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00EC7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00EC7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EC7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EAB7AD,00000000), ref: 00EC7D6B

Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 37de330928d93b755634641385dafbe77efc83670957cefe2d59566957e816e2
Instruction ID: 55d66081ad36567d4c015fd177fc03242c5d1a854da78188bdd96f3c7288facd
Opcode Fuzzy Hash: 37de330928d93b755634641385dafbe77efc83670957cefe2d59566957e816e2
Instruction Fuzzy Hash: 7911AE31604615AFCB108F28DD04EA63BA4BF46364F215328F87AE72E0D7328952DB40

Function 00EC5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00EC56BB
_wcslen.LIBCMT ref: 00EC56CD
_wcslen.LIBCMT ref: 00EC56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EC5816

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: a3165d853d437e572fe32ae4ede3cbe2b72c17c9dd4f669bfd857de8571e2142
Instruction ID: c4f8459ebd405b1980bd96f80d2d0f0620aed8a554f6bee8161617309227c7e6
Opcode Fuzzy Hash: a3165d853d437e572fe32ae4ede3cbe2b72c17c9dd4f669bfd857de8571e2142
Instruction Fuzzy Hash: 8311E47260060896DB209F61CE85FEE37ACBF50768B10546EF916F6081E771EAC6CB60

Function 00E61D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87bce0e78925c9adc8b27ccf0c4dd53c0f80a798086ddcc49a348f63dd44145b
Instruction ID: b1fb734377b2cbe600abaa0c692e4fcf9e257d39a57e4accb4dab33e297caa9c
Opcode Fuzzy Hash: 87bce0e78925c9adc8b27ccf0c4dd53c0f80a798086ddcc49a348f63dd44145b
Instruction Fuzzy Hash: 8E01A2B268AA163EF61216797CC1F676A6CDF817F9F382369F621712D2DB618C005170

Function 00E91A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00E91A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E91A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E91A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E91A8A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: df0dd9ef6b9ed376439bac7b7907381cec5752148407f47d1d9d0388e2943461
Instruction ID: 9c2f58240da581db733fd72d8b8441417b29678ee5191ab731bc5326556d9356
Opcode Fuzzy Hash: df0dd9ef6b9ed376439bac7b7907381cec5752148407f47d1d9d0388e2943461
Instruction Fuzzy Hash: 6511093AD01219FFEF11DBA5CD85FADBB78EB08754F2000A1EA04B7290D6B16E51DB94

Function 00E9E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E9E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00E9E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E9E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E9E24D

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: e9ec98119a78d231f87e63ae39a7c51e7b8cdb18c9071e845385525ba86a450b
Instruction ID: 1d1b6edf5a9e708db1806763d8625aa0001e5006cc629db21ce4b91a6d49cacd
Opcode Fuzzy Hash: e9ec98119a78d231f87e63ae39a7c51e7b8cdb18c9071e845385525ba86a450b
Instruction Fuzzy Hash: 2F11C876904258BFCB01DBA9AC05E9E7FACFB45714F144265F924F3391D671CD0487A0

Function 00E5D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00E5CFF9,00000000,00000004,00000000), ref: 00E5D218
GetLastError.KERNEL32 ref: 00E5D224
__dosmaperr.LIBCMT ref: 00E5D22B
ResumeThread.KERNEL32(00000000), ref: 00E5D249

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 6f735da1765e78e4640e33652e234c01e1efc90309bb50363fe8fa7cd8975c47
Instruction ID: b3594febad4d993fa8db326b9ce637a27c7a95ddbc54a6a7f334cf3cd606e04a
Opcode Fuzzy Hash: 6f735da1765e78e4640e33652e234c01e1efc90309bb50363fe8fa7cd8975c47
Instruction Fuzzy Hash: B601DB7A409204BFC7215BA6DC05B9E7AA9DF81732F201659FD25B11E0DB71890AC6A0

Function 00EC9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00E49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00E49BB2

GetClientRect.USER32(?,?), ref: 00EC9F31
GetCursorPos.USER32(?), ref: 00EC9F3B
ScreenToClient.USER32(?,?), ref: 00EC9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00EC9F7A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 08b9f5b922f14e9289b53fc388b5e72cf0b4cee0857a5e623dc46c8035a0cc7b
Instruction ID: 9adab063777f6e1a03aad46b9f66b44c07417d228dee41cab27647655c215205
Opcode Fuzzy Hash: 08b9f5b922f14e9289b53fc388b5e72cf0b4cee0857a5e623dc46c8035a0cc7b
Instruction Fuzzy Hash: 80112532A0015AEBDB10DF69D989EFE77B9FB05311F100469F911F3142D332AA86CBA1

Function 00E3600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E3604C
GetStockObject.GDI32(00000011), ref: 00E36060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E3606A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 51a8c0f82f43b017b7375452495b0f1f325d6bdf434980a36033c0617effc924
Instruction ID: 808cc62acb9d77bf8e5181a7882b814387ed1340fec3b6043f392c5d317f73d1
Opcode Fuzzy Hash: 51a8c0f82f43b017b7375452495b0f1f325d6bdf434980a36033c0617effc924
Instruction Fuzzy Hash: 3911A172501508BFEF264FA48C49EEA7F69FF09354F145112FA0466110C732DC60DFA0

Function 00E53B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00E53B56

Part of subcall function 00E53AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00E53AD2
Part of subcall function 00E53AA3: ___AdjustPointer.LIBCMT ref: 00E53AED

_UnwindNestedFrames.LIBCMT ref: 00E53B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00E53B7C
CallCatchBlock.LIBVCRUNTIME ref: 00E53BA4

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: bd81dea388c134e700bb3edf266436083e7245bd16cd4cfe5c2fcb2e5757b027
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 21014C72100148BBDF125EA5CC42EEB7FADEF48799F045814FE48A6161C732E965EBA0

Function 00E63073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E313C6,00000000,00000000,?,00E6301A,00E313C6,00000000,00000000,00000000,?,00E6328B,00000006,FlsSetValue), ref: 00E630A5
GetLastError.KERNEL32(?,00E6301A,00E313C6,00000000,00000000,00000000,?,00E6328B,00000006,FlsSetValue,00ED2290,FlsSetValue,00000000,00000364,?,00E62E46), ref: 00E630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E6301A,00E313C6,00000000,00000000,00000000,?,00E6328B,00000006,FlsSetValue,00ED2290,FlsSetValue,00000000), ref: 00E630BF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: a0ba3fedbcaf790faf0721d147d4864af96674ac13cf9940e2745d57c3554875
Instruction ID: db52643661ef02770ea33df6c6aaa7c8aa0ee4a82997dac73da9eaa16e316bef
Opcode Fuzzy Hash: a0ba3fedbcaf790faf0721d147d4864af96674ac13cf9940e2745d57c3554875
Instruction Fuzzy Hash: 4001FC32381622AFC7714B79BC44E577798EF05BE5B201620F919F3150C721D90AC6D0

Function 00E97464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00E9747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00E97497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00E974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00E974CA

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e2688af53c60b072d336e604b816326b489b443d7e8a66e8ad0f7a967dac811c
Instruction ID: 702c06d93a54285191a5be7f705efaa2a7417dee843c85a611f2c7fcf0e160b8
Opcode Fuzzy Hash: e2688af53c60b072d336e604b816326b489b443d7e8a66e8ad0f7a967dac811c
Instruction Fuzzy Hash: EB118EB12153109FEB208F15DC08F967BFCEB00B04F108569E6AAE6152D771E949DB90

Function 00E9B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00E9ACD3,?,00008000), ref: 00E9B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E9ACD3,?,00008000), ref: 00E9B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00E9ACD3,?,00008000), ref: 00E9B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E9ACD3,?,00008000), ref: 00E9B126

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 40a87aa3ac3d0bf41755f6b13f21321db77c99f647a7707254dcb29921567280
Instruction ID: 8ceb42bc82830d9dda4d5137a978a6048b3adcebc22ddeabeed47f9c6f6a45b9
Opcode Fuzzy Hash: 40a87aa3ac3d0bf41755f6b13f21321db77c99f647a7707254dcb29921567280
Instruction Fuzzy Hash: DB116D31C0262CEBCF04AFE6EA68AEEBF78FF49711F115095D941B2281CB305655CB91

Function 00EC7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EC7E33
ScreenToClient.USER32(?,?), ref: 00EC7E4B
ScreenToClient.USER32(?,?), ref: 00EC7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EC7E8A

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 591b255cd185dc8538849a313e2907544595a8a5f681c705102a5727832f802e
Instruction ID: d426b72074e493ae8d66c4b24d092d84017455ca8601bb1cb5f36bed0841444e
Opcode Fuzzy Hash: 591b255cd185dc8538849a313e2907544595a8a5f681c705102a5727832f802e
Instruction Fuzzy Hash: 661156B9D0020AAFDB41CFA9C984AEEBBF5FF08310F505066E955E3210D735AA55CF50

Function 00E92DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E92DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E92DD6
GetCurrentThreadId.KERNEL32 ref: 00E92DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00E92DE4

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 8be88ed58308a0ad349fc80f88b2a9139b0a52e93adede56f3d557d27b1be998
Instruction ID: 28b22ed6077268730297a660ea4dbb792282f5f82fa8cb16e1d70e44a3ab85df
Opcode Fuzzy Hash: 8be88ed58308a0ad349fc80f88b2a9139b0a52e93adede56f3d557d27b1be998
Instruction Fuzzy Hash: 31E06D715012247FDF201B639C0DEEB3E6CEF42FA5F101029F20AF10809AA28886C6B0

Function 00EC8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E49693
Part of subcall function 00E49639: SelectObject.GDI32(?,00000000), ref: 00E496A2
Part of subcall function 00E49639: BeginPath.GDI32(?), ref: 00E496B9
Part of subcall function 00E49639: SelectObject.GDI32(?,00000000), ref: 00E496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00EC8887
LineTo.GDI32(?,?,?), ref: 00EC8894
EndPath.GDI32(?), ref: 00EC88A4
StrokePath.GDI32(?), ref: 00EC88B2

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 988ce9ac0c4e53c7c3e8d5dd1a122b328b4980af372ef5f9349dd27e0be3df5c
Instruction ID: 485ffc9185c2b77e5ad7b8101ea9639277b9559abca7393c060ef3c2383d5529
Opcode Fuzzy Hash: 988ce9ac0c4e53c7c3e8d5dd1a122b328b4980af372ef5f9349dd27e0be3df5c
Instruction Fuzzy Hash: 01F0B836002218FAEB126F95AE0AFCE3F69AF06310F548014FA01710E2C7B61526DFE9

Function 00E498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E498CC
SetTextColor.GDI32(?,?), ref: 00E498D6
SetBkMode.GDI32(?,00000001), ref: 00E498E9
GetStockObject.GDI32(00000005), ref: 00E498F1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 271f5413588b46ecf1d20c9dfbfc54e7e798a303306e38693515959df54938bc
Instruction ID: 7296984fa6b62be6792e04083e54222e3b09ee6b33b30e41fc8115c029d6cdd0
Opcode Fuzzy Hash: 271f5413588b46ecf1d20c9dfbfc54e7e798a303306e38693515959df54938bc
Instruction Fuzzy Hash: 26E06531644240AEDB215B76BC09FD93F21AB51336F288229F6FD740E1C37286469B10

Function 00E9162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00E91634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00E911D9), ref: 00E9163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E911D9), ref: 00E91648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00E911D9), ref: 00E9164F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1b502eda8b52b1622bb39445b9a44cb4762fff30a3df68dc376dbedb4ab02012
Instruction ID: 3a89a81060a4795f6eedb99f90deac4b7039edda87c101232cba41460bd47aec
Opcode Fuzzy Hash: 1b502eda8b52b1622bb39445b9a44cb4762fff30a3df68dc376dbedb4ab02012
Instruction Fuzzy Hash: F5E08671A01211DFDB201FA2AD0DF4A3B7CBF44795F284868F249E9090E635844BC750

Function 00E8D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E8D858
GetDC.USER32(00000000), ref: 00E8D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E8D882
ReleaseDC.USER32(?), ref: 00E8D8A3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9d92fb0612debd8b859572a9af1c566394e48146bb9783b8002a0b11e058d824
Instruction ID: 0de9790cfde2a0114c682b09e6f66a0a581789264cba42db23ab15574f1b945e
Opcode Fuzzy Hash: 9d92fb0612debd8b859572a9af1c566394e48146bb9783b8002a0b11e058d824
Instruction Fuzzy Hash: 82E01AB4804204DFCB41AFA1D90CAADBBF2FB08710F249029E84AF7350C73A9907AF40

Function 00E8D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E8D86C
GetDC.USER32(00000000), ref: 00E8D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E8D882
ReleaseDC.USER32(?), ref: 00E8D8A3

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 469cb12115f0b99aaca2f0749c551fa70dac15b7e5165932c8231fce16fcfe07
Instruction ID: 027f07ac40c3bf4914d16790200c40792ca1a8d5bb0aed0ff45d72ba0843ecd0
Opcode Fuzzy Hash: 469cb12115f0b99aaca2f0749c551fa70dac15b7e5165932c8231fce16fcfe07
Instruction Fuzzy Hash: B0E01A74800200DFCB409FA1D90CA6DBBF1BB08710F249018E84AF7350C73A99079F40

Function 00EA4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E37620: _wcslen.LIBCMT ref: 00E37625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00EA4ED4

Strings

LPT, xrefs: 00EA4DFB
*, xrefs: 00EA4E10

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: a2478173c5d42c4366c6c92d32102caa7a1b07a7de5267ff08799ba7f6942bce
Instruction ID: e93523991a971b6ef86d308c950abb1bf1fc996739eebcfa24e98097e781e54f
Opcode Fuzzy Hash: a2478173c5d42c4366c6c92d32102caa7a1b07a7de5267ff08799ba7f6942bce
Instruction Fuzzy Hash: 7D9152B9A002049FCB14DF54C484EA9BBF1BF89308F19A099E44AAF392D775FD85CB51

Function 00E5E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E5E30D

Strings

pow, xrefs: 00E5E2E5, 00E5E302

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 8606981a46dec57fe4f0bce14bfce0db6002e7c3470884a3cb40f14c6ec3bcae
Instruction ID: dac1881d418044eca5750b9383cab66e98896f670e6cacb8f1d585e47ec89f9e
Opcode Fuzzy Hash: 8606981a46dec57fe4f0bce14bfce0db6002e7c3470884a3cb40f14c6ec3bcae
Instruction Fuzzy Hash: 3551AC61A4C20196CB197714E9013BA3B94EB507CEF307D9DE8E1723A8EB318DCD9A42

Function 00EB7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00E8569E,00000000,?,00ECCC08,?,00000000,00000000), ref: 00EB78DD

Part of subcall function 00E36B57: _wcslen.LIBCMT ref: 00E36B6A

CharUpperBuffW.USER32(00E8569E,00000000,?,00ECCC08,00000000,?,00000000,00000000), ref: 00EB783B

Strings

<s, xrefs: 00EB790C, 00EB790F, 00EB7924

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s
API String ID: 3544283678-2940880691
Opcode ID: 5716270e6b8811408c7f6633989254548ad43906854bd6c071eb23b0ea6d6f8d
Instruction ID: 828732abeeff87a07543a2b64d30fde22094da86e11566e684a9116898f228d0
Opcode Fuzzy Hash: 5716270e6b8811408c7f6633989254548ad43906854bd6c071eb23b0ea6d6f8d
Instruction Fuzzy Hash: 17616F72914129ABCF04EBE4CC95DFEB7B4BF94704F546125E582B3091EF306A45CBA0

Function 00E4E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00E4E1B1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fd9163d5dabfad8c150c58dbe67e33516502e5e86370331ecc912eae72c51cb4
Instruction ID: bf44c24fb7a0becf057654f15f542e570be8f6593113908d33113c4feb8b10ce
Opcode Fuzzy Hash: fd9163d5dabfad8c150c58dbe67e33516502e5e86370331ecc912eae72c51cb4
Instruction Fuzzy Hash: F0514331A04246DFDB18EF68D481AFA7BA4FF15314F24A056E899BB3E0D7359D42CB90

Function 00E4F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E4F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E4F2BB

Strings

@, xrefs: 00E4F2AF

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a8fbe543381a8017dd243d1cf13c951f5d2b7f3b66c67027a8b13888c84e1d89
Instruction ID: 7f79d8a1036897df4d44ae40140da68bfb1ab65020dd22c7ea05b9ea52199d0a
Opcode Fuzzy Hash: a8fbe543381a8017dd243d1cf13c951f5d2b7f3b66c67027a8b13888c84e1d89
Instruction Fuzzy Hash: E35159715087889BD320AF11DC8ABAFBBF8FB84300F81885CF1D961195EB308569CB66

Function 00EB5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00EB57E0
_wcslen.LIBCMT ref: 00EB57EC

Strings

CALLARGARRAY, xrefs: 00EB57E6, 00EB57EB

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 9b5a741b7aae447eb9a0895b01bd986e9a6633d9d540f74d2e3d35d3ffb10429
Instruction ID: 7682bc2997d9a5ad7cb1539fd9435c404f08fe04b615dbc2f85d7190e8145d77
Opcode Fuzzy Hash: 9b5a741b7aae447eb9a0895b01bd986e9a6633d9d540f74d2e3d35d3ffb10429
Instruction Fuzzy Hash: FA418C72A002099FCB18DFA9C886AFEBBF5EF59324F146029E505B7251E7309D81CB90

Function 00EAD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EAD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EAD13A

Strings

|, xrefs: 00EAD10B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 880066afae90120354895fd52d8ee18097ddb541fac92d68ca81bea0c9c1be33
Instruction ID: 296ec72ec49f6d1300a769876e6c8b20f06dd5595f944bcccf466499de2d58a6
Opcode Fuzzy Hash: 880066afae90120354895fd52d8ee18097ddb541fac92d68ca81bea0c9c1be33
Instruction Fuzzy Hash: AD313971D01209ABCF15EFA5CC89AEEBFF9FF19304F005019E815B6162E735AA46CB60

Function 00EC356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00EC3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EC365C

Strings

static, xrefs: 00EC35BC

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: bb500713e74b4eb21d20d9f622ccd552b61f91061547eb02ad2e5f514f4fcc98
Instruction ID: c72f5ec03566a0250589b92b43dc7083d8c8a9d7964f5a23b4c7b8d15a8e6d30
Opcode Fuzzy Hash: bb500713e74b4eb21d20d9f622ccd552b61f91061547eb02ad2e5f514f4fcc98
Instruction Fuzzy Hash: 6C317E71110204AADB24DF78D841FFB73A9FF48714F10A61DF965A7280DA32AD92DB60

Function 00EC4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00EC461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EC4634

Strings

', xrefs: 00EC458E

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 023acf1d8da5d628a9720a08b7684db7db1083621c4291dc2c6ea21c98d7d748
Instruction ID: d4b7c57304c4bf1c24cf48ae52a29ca9e4c17838f90c25101738cc380e167d00
Opcode Fuzzy Hash: 023acf1d8da5d628a9720a08b7684db7db1083621c4291dc2c6ea21c98d7d748
Instruction Fuzzy Hash: 083128B5A002099FDB14CF69CA90FDA7BB5FF09304F14506AE904AB381D771A942CF90

Function 00EC31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EC327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EC3287

Strings

Combobox, xrefs: 00EC3249

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d8365d79c12931bbe8f07d46f2f83e815a707983b8f63088a35306a27e9f707a
Instruction ID: 86d7f4c540ac9449d1b04ca6646b6a1c98f99779d3db50858ade29689f1ffc40
Opcode Fuzzy Hash: d8365d79c12931bbe8f07d46f2f83e815a707983b8f63088a35306a27e9f707a
Instruction Fuzzy Hash: A711E6713002087FEF299F64DD80FBB37ABEB54368F109128F518B72A0D6329D528760

Function 00EC3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00E3604C
Part of subcall function 00E3600E: GetStockObject.GDI32(00000011), ref: 00E36060
Part of subcall function 00E3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E3606A

GetWindowRect.USER32(00000000,?), ref: 00EC377A
GetSysColor.USER32(00000012), ref: 00EC3794

Strings

static, xrefs: 00EC3757

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 51795df9eb34ce6d92d2bff03b1ef3535d732725c9e5dedd2595926db0537ca4
Instruction ID: 7c9cb8b426250ea4b8c2f95c05211c8efcfdca6506f2d14a4a2aa2e3acc16f8b
Opcode Fuzzy Hash: 51795df9eb34ce6d92d2bff03b1ef3535d732725c9e5dedd2595926db0537ca4
Instruction Fuzzy Hash: 4C1159B2610209AFDF00DFB8CD4AEEA7BF8FB08314F005929F955E2250D736E8129B50

Function 00EACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EACDA6

Strings

<local>, xrefs: 00EACD66

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 01b0524aef5b8358d1d6c30b9fad5c5d4a0d25862da57db8c9666d8431d8cdeb
Instruction ID: 897f6feefc8fef0901e0c541c10cf798a75ed1969042068ffa969a45a698e02c
Opcode Fuzzy Hash: 01b0524aef5b8358d1d6c30b9fad5c5d4a0d25862da57db8c9666d8431d8cdeb
Instruction Fuzzy Hash: DE1106712016357AD7344B668C44EF3BE6CEF177A8F205236B109A7180D370A841D6F0

Function 00EC3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00EC34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EC34BA

Strings

edit, xrefs: 00EC348F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f636cabec5a53c5a2ed925953193762d266ee2dc940d76779fa03d2b5550818b
Instruction ID: c9e35552bf4ea021d85c5e63ab991bf16786af5dc64ab0e4f1d4b275d32c3792
Opcode Fuzzy Hash: f636cabec5a53c5a2ed925953193762d266ee2dc940d76779fa03d2b5550818b
Instruction Fuzzy Hash: C2115B71100208AAEB254E74DE44FEA37AAFB05778F60A328F975A31D0C672DD529B50

Function 00E96C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

CharUpperBuffW.USER32(?,?,?), ref: 00E96CB6
_wcslen.LIBCMT ref: 00E96CC2

Strings

STOP, xrefs: 00E96CBC, 00E96CC1

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 2b3b406df7c1fe0abd076d0093d8e94369ecf0012ea48962c6855163a1edbc5a
Instruction ID: cfe0e90be082e2a56da29d74806d7d3fa120380acd3a41d2719eee8710a3513f
Opcode Fuzzy Hash: 2b3b406df7c1fe0abd076d0093d8e94369ecf0012ea48962c6855163a1edbc5a
Instruction Fuzzy Hash: D20108326005268ACF11AFBDDC419BF77F4EB60714B102936F862B2191EB31D840C650

Function 00E91CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E91D4C

Strings

ComboBox, xrefs: 00E91CEB
ListBox, xrefs: 00E91D16

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a15c7a2b88bf8b99cd5685f51d6220e9bb77400bf14d09299b8b1c5c83ea598e
Instruction ID: 71b2bd23867135bdcfc13af0cb21866e2a3868583a5f7a1c8d5b8b0990c0b2c2
Opcode Fuzzy Hash: a15c7a2b88bf8b99cd5685f51d6220e9bb77400bf14d09299b8b1c5c83ea598e
Instruction Fuzzy Hash: 75012431600219AB8F08EBA0CC15CFEB7A8EF52390F102A19F822773C2EB705908C660

Function 00E91BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00E91C46

Strings

ComboBox, xrefs: 00E91BE5
ListBox, xrefs: 00E91C10

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: ff2bdde99d7c82d152a7dc0d65f2a13e01a5003920d800ab8b4b45f563a4b0dc
Instruction ID: b8f57607c6bc06d810ac61e3e9ce9bebaa044fcb3115506dbf18fed90dfed8da
Opcode Fuzzy Hash: ff2bdde99d7c82d152a7dc0d65f2a13e01a5003920d800ab8b4b45f563a4b0dc
Instruction Fuzzy Hash: 3101F7716842097ACF08EBA0CA55EFFB7E89F51340F102019B90673282EA609E08C6B1

Function 00E91C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00E91CC8

Strings

ComboBox, xrefs: 00E91C69
ListBox, xrefs: 00E91C94

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 01e29cbb417a8e2bb0ebd551fda214d9cdd2d3a6482f61be40977e60ab0338c2
Instruction ID: f6c6f26a369cc1fe321882f91d72c15a109be11f9f9b3143245501ff3e38e451
Opcode Fuzzy Hash: 01e29cbb417a8e2bb0ebd551fda214d9cdd2d3a6482f61be40977e60ab0338c2
Instruction Fuzzy Hash: 6301D67568021977CF18EBA0CA05EFEF7E89B11340F642015B902B3282EAA19F08C672

Function 00E91D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E39CB3: _wcslen.LIBCMT ref: 00E39CBD

Part of subcall function 00E93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00E93CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00E91DD3

Strings

ComboBox, xrefs: 00E91D75
ListBox, xrefs: 00E91DA0

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e9937e9681b9ce12568e0d2d880e3f1db6e6278bd4f4dbff5527d8bb35cd289c
Instruction ID: 21429a245a0a6c21a5e94239fb2a71af308796b6484b4d3e7bd6ff149c9adc59
Opcode Fuzzy Hash: e9937e9681b9ce12568e0d2d880e3f1db6e6278bd4f4dbff5527d8bb35cd289c
Instruction Fuzzy Hash: 41F0F471A4031966CF08E7A4CD56EFEBBA8AB01340F142915F922B32C2DBA05908C260

Function 00EB747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00EB7493
_wcslen.LIBCMT ref: 00EB74B9

Strings

3, 3, 16, 1, xrefs: 00EB7483

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: e0161d8691f93e112afc685d47b2f0fc2fee84cf820f821ccbe663070f9dc364
Instruction ID: 0a6704b582cd85f9c8bbe51b8b3ab7ca4431a176878685453b400f444ea6eea9
Opcode Fuzzy Hash: e0161d8691f93e112afc685d47b2f0fc2fee84cf820f821ccbe663070f9dc364
Instruction Fuzzy Hash: A2E02B5260532120933112799CC29BF5AC9CFC57567103C2BFDD1F22A6EA948DD193A0

Function 00E90B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E90B23

Strings

Error allocating memory., xrefs: 00E90B1C
AutoIt, xrefs: 00E90B17

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 49dbcd5568d7244cd86d0aaee3f042e27785df0a5799e81391ec861df9d921b6
Instruction ID: 51924ae27c125ebe0112d7ab50e63363ba615135d7fc187ba699333b6aa1a2d2
Opcode Fuzzy Hash: 49dbcd5568d7244cd86d0aaee3f042e27785df0a5799e81391ec861df9d921b6
Instruction Fuzzy Hash: 69E048322443183AD21436557D07FC97AC48F45F65F20642BFB9C755C38AE2649156A9

Function 00E50D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E4F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E50D71,?,?,?,00E3100A), ref: 00E4F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00E3100A), ref: 00E50D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E3100A), ref: 00E50D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E50D7F

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 3b67903e7414bbe3ae9282140488b501afced516580c761c9f0a1658a26f9d6b
Instruction ID: 542baa9c27e320ce448c3d80526dfd952d5fa99b2ebaabb668742b5dab82c29c
Opcode Fuzzy Hash: 3b67903e7414bbe3ae9282140488b501afced516580c761c9f0a1658a26f9d6b
Instruction Fuzzy Hash: 13E06D702007418FD3249FB9E508B427BF1BF00745F005D2DF886E6661DBB6E4498B91

Function 00EA3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00EA302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00EA3044

Strings

aut, xrefs: 00EA3038

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5441a65b32a478037ca8cc81946ac44cf8410cf7d9e2c1e326ede3efa09f640b
Instruction ID: 0352ae56872eb3a32d438b4b77908c616eaf9ccb23681b213e6f9e9ae7764f68
Opcode Fuzzy Hash: 5441a65b32a478037ca8cc81946ac44cf8410cf7d9e2c1e326ede3efa09f640b
Instruction Fuzzy Hash: 5ED05B71500318ABDA20D7A59C0DFD73A6CD704750F000161BA55F20A1DAB19545CAD0

Function 00E8D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E8D220

Strings

X64, xrefs: 00E8D2A8
%.3d, xrefs: 00E8D22B

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 80b567d154d497b0cfa691ba3c3f9fe59936e74b1fbd64ef54baff854657116c
Instruction ID: e3455203406c55d858182c508ee68caad179110d2e9e50033fba14dc72b60f98
Opcode Fuzzy Hash: 80b567d154d497b0cfa691ba3c3f9fe59936e74b1fbd64ef54baff854657116c
Instruction Fuzzy Hash: BCD0126184D108F9CB50A6D0DC49CF9B3BCEB08301F60A462F90EB2090E634C5086761

Function 00EC2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EC236C
PostMessageW.USER32(00000000), ref: 00EC2373

Part of subcall function 00E9E97B: Sleep.KERNELBASE ref: 00E9E9F3

Strings

Shell_TrayWnd, xrefs: 00EC2365

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 61f2875c7d876e7181c47f9861c876018ce6fc9a79baee6d9de326c97de14da2
Instruction ID: a66ccbdce016a681e250587143a4c7c7a2a16fcea8a4f51ddc081426732137ad
Opcode Fuzzy Hash: 61f2875c7d876e7181c47f9861c876018ce6fc9a79baee6d9de326c97de14da2
Instruction Fuzzy Hash: ECD0C9327813107BE664B7729C0FFC666549B44B14F105926B74AFA1E0C9A5A8068A55

Function 00EC2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EC232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EC233F

Part of subcall function 00E9E97B: Sleep.KERNELBASE ref: 00E9E9F3

Strings

Shell_TrayWnd, xrefs: 00EC2325

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 526972999719d873937b1beb41422733d7dfcea040a026a7d65f3571bb44eaf7
Instruction ID: b0d07a93cbfe6ed85c1d03697288d4604566c61e875b2e676d991d95f7328646
Opcode Fuzzy Hash: 526972999719d873937b1beb41422733d7dfcea040a026a7d65f3571bb44eaf7
Instruction Fuzzy Hash: 14D02232780300BBE664B332DC0FFC67A049B00B00F100926B30AFA1E0C8F1A806CB00

Function 00E6BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00E6BE93
GetLastError.KERNEL32 ref: 00E6BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E6BEFC

Memory Dump Source

Source File: 00000000.00000002.2468798639.0000000000E31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E30000, based on PE: true

Associated: 00000000.00000002.2468699747.0000000000E30000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000ECC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469109120.0000000000EF2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469342205.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2469448498.0000000000F04000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e30000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 600f7405aaba6f1738afbc70b853f519a92842e6f1312519983840b42efdafd8
Instruction ID: f086ba6a0dd3022c74e6e2c1f38aaca398280dd03cfeddb77b90aadf1efb7801
Opcode Fuzzy Hash: 600f7405aaba6f1738afbc70b853f519a92842e6f1312519983840b42efdafd8
Instruction Fuzzy Hash: EE411635780206AFCF218F65EC44ABA7BA5EF41394F246169F959F71B1DB318C81CB60

Source: Joe Sandbox View	IP Address: 23.219.161.132 23.219.161.132
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /ppsecure/deviceaddcredential.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 7642Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4710Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4775Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4775Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4775Host: login.live.com
Source: global traffic	HTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveContent-Length: 466Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dFcZVSNauNPZHTY&MD=nc6V4FUn HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=dFcZVSNauNPZHTY&MD=nc6V4FUn HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.64
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\089331d6-ce5a-4508-96ab-21da355f6de0.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\0c7c2aac-283f-4a71-8a53-8a250ed30171.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\14bf73ce-ddca-4671-93fc-5830a585a006.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\3b6886d4-c45c-4818-9a80-c24ca1c68f49.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\561a2f8e-d994-4e78-9946-b6e2dff63a33.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\84de3965-d8e5-4118-ada7-7032ccf98f58.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\49d57e84-2e88-4eb4-851e-4ed622d0edb0.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D081AB-1028.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D081AB-1C20.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\37dbbeb7-4926-4425-81ff-b0e4616429ee.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\8d60c8ca-c206-403e-ab70-b87d44157cf8.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\9022b4dc-47f5-4392-89a9-d69b36c87d73.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre