Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1501322
MD5:	0f3a98cdf618c29f848e577fd8cd3a3f
SHA1:	8077c4c97b939f4aa69ac29a8e2a725e2ddcc223
SHA256:	ee254e08302538c5a0e7b2724757a4f51bac47618fd2012e93bc4b08b5ca5579
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3840 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0F3A98CDF618C29F848E577FD8CD3A3F)

msedge.exe (PID: 1408 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6404 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2108,i,7710264983636281153,5119054965228980513,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2712 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7232 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8836 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3324 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8844 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6256 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6608 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7544 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2140,i,6801917156771722209,6087489757711729190,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3168 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2104 --field-trial-handle=2140,i,6801917156771722209,6087489757711729190,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7636 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7656 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=2916,i,18081880558006340176,11351080329175143396,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5816 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3520 --field-trial-handle=2916,i,18081880558006340176,11351080329175143396,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: protocols.json.5.dr	String found in binary or memory: https://.onedrive.com
Source: protocols.json.5.dr	String found in binary or memory: https://.onedrive.live.com
Source: file.exe, 00000000.00000002.2509967153.0000000001880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?
Source: file.exe, 00000000.00000002.2509967153.0000000001880000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2509967153.0000000001858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_10.6.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_10.6.dr	String found in binary or memory: https://azureedge.net
Source: Reporting and NEL.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: data_10.6.dr	String found in binary or memory: https://msn.com
Source: file.exe, 00000000.00000002.2509967153.0000000001880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password
Source: file.exe, 00000000.00000002.2509655765.00000000016D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/passwordC:
Source: protocols.json.5.dr	String found in binary or memory: https://sharepoint.com
Source: Web Data.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55461 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60324 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55460 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55457 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60322 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55457
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55461
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60322
Source: unknown	Network traffic detected: HTTP traffic on port 60321 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60321
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 55460
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60325 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60325
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 60324

Source: unknown	HTTPS traffic detected: 51.104.136.2:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.71:443 -> 192.168.2.7:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.71:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.240.158:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.240.158:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.240.158:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.240.158:443 -> 192.168.2.7:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.7:55457 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_002AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_002AED6A

Source: C:\Users\user\Desktop\file.exe

0_2_002AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0029AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0029AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_002C9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_83edb743-a
Source: file.exe, 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_956d9216-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1fd8405d-f
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c8792db2-9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0029D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0029D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00291201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00291201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0029E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0029E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00238060	0_2_00238060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A2046	0_2_002A2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00298298	0_2_00298298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026E4FF	0_2_0026E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026676B	0_2_0026676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C4873	0_2_002C4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025CAA0	0_2_0025CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023CAF0	0_2_0023CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024CC39	0_2_0024CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00266DD9	0_2_00266DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024D065	0_2_0024D065
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024B119	0_2_0024B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002391C0	0_2_002391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00251394	0_2_00251394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00251706	0_2_00251706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025781B	0_2_0025781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00237920	0_2_00237920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024997D	0_2_0024997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002519B0	0_2_002519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00257A4A	0_2_00257A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00251C77	0_2_00251C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00257CA7	0_2_00257CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002BBE44	0_2_002BBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00269EEE	0_2_00269EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00251F32	0_2_00251F32
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0023BF40	0_2_0023BF40

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00239CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00250A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0024F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.evad.winEXE@72/298@12/11

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002A37B5 GetLastError,FormatMessageW,

0_2_002A37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002910BF AdjustTokenPrivileges,CloseHandle,		0_2_002910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002A51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002BA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_002BA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_002A648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_002342A2

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user~1\AppData\Local\Temp\9ff6a8c7-f54b-4caf-9250-b2fba1e7e301.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2108,i,7710264983636281153,5119054965228980513,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3324 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6256 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2140,i,6801917156771722209,6087489757711729190,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2104 --field-trial-handle=2140,i,6801917156771722209,6087489757711729190,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=2916,i,18081880558006340176,11351080329175143396,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3520 --field-trial-handle=2916,i,18081880558006340176,11351080329175143396,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2108,i,7710264983636281153,5119054965228980513,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3324 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6256 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2140,i,6801917156771722209,6087489757711729190,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2104 --field-trial-handle=2140,i,6801917156771722209,6087489757711729190,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=2916,i,18081880558006340176,11351080329175143396,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3520 --field-trial-handle=2916,i,18081880558006340176,11351080329175143396,262144 /prefetch:8

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00250A76 push ecx; ret

0_2_00250A89

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0024F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0024F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_002C1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95416

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 5915

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe TID: 6604

Thread sleep time: -59150s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 5915 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0029DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0026C2A2 FindFirstFileExW,	0_2_0026C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A68EE FindFirstFileW,FindClose,	0_2_002A68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_002A698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0029D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0029D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0029D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002A9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002A979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_002A9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002A5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_002A5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002342DE

Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Web Data.23.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: Web Data.23.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Web Data.23.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: Web Data.23.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Web Data.23.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: Web Data.23.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: Web Data.23.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Web Data.23.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: Web Data.23.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: Web Data.23.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Web Data.23.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Web Data.23.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Web Data.23.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: Web Data.23.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Web Data.23.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: Web Data.23.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Web Data.23.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-95324

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002AEAA2 BlockInput,

0_2_002AEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00262622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00262622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00254CE8 mov eax, dword ptr fs:[00000030h]

0_2_00254CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00290B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00290B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00262622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00262622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0025083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0025083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002509D5 SetUnhandledExceptionFilter,	0_2_002509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00250C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00250C21

Source: C:\Users\user\Desktop\file.exe

0_2_00291201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00272BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00272BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0029B226 SendInput,keybd_event,

0_2_0029B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_002B22DA

Source: C:\Users\user\Desktop\file.exe

0_2_00290B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00291663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00291663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00250698 cpuid

0_2_00250698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_002A8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0028D27A GetUserNameW,

0_2_0028D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0026B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0026B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_002342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_002342DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_002B1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_002B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_002B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	21%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://bzib.nelreports.net/api/report?cat=bingbusiness	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.office.com/Office	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://msn.com	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://sharepoint.com	0%	Avira URL Cloud	safe
https://.onedrive.com	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://.onedrive.live.com	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
https://myaccount.google.com/signinoptions/passwordC:	0%	Avira URL Cloud	safe
https://myaccount.google.com/signinoptions/password	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	unknown
s-part-0045.t-0009.t-msedge.net	13.107.246.73	true	false	unknown
bzib.nelreports.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bzib.nelreports.net/api/report?cat=bingbusiness	false	URL Reputation: safe	unknown
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://msn.com	data_10.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://.onedrive.live.com	protocols.json.5.dr	false	Avira URL Cloud: safe	unknown
https://.onedrive.com	protocols.json.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://www.office.com/Office	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://sharepoint.com	protocols.json.5.dr	false	Avira URL Cloud: safe	unknown
https://myaccount.google.com/signinoptions/passwordC:	file.exe, 00000000.00000002.2509655765.00000000016D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myaccount.google.com/signinoptions/password	file.exe, 00000000.00000002.2509967153.0000000001880000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.73	s-part-0045.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.251.179.84	unknown	United States	15169	GOOGLEUS	false
142.250.81.238	unknown	United States	15169	GOOGLEUS	false
142.251.40.164	unknown	United States	15169	GOOGLEUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.40.110	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
23.44.133.38	unknown	United States	20940	AKAMAI-ASN1EU	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.7
192.168.2.16

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501322
Start date and time:	2024-08-29 18:36:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@72/298@12/11
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 42 Number of non-executed functions: 316
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe, UsoClient.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 74.125.133.84, 204.79.197.239, 13.107.21.239, 13.107.6.158, 2.19.126.152, 2.19.126.145, 142.250.185.163, 142.250.185.67, 2.23.209.185, 2.23.209.173, 2.23.209.188, 2.23.209.183, 2.23.209.176, 2.23.209.179, 2.23.209.182, 2.23.209.177, 2.23.209.175, 20.103.156.88, 199.232.210.172, 142.250.80.99, 142.251.40.163, 142.250.80.67, 142.251.40.99
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, time.windows.com, arc.msn.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, dns.msftncsi.com, iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, login.live.com, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, arc.trafficmanager.net, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, accounts.google.com, bzib.nelreports.net.akamaized.net, fonts.gstatic.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, b-0005.b-msedge.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, edgeassetservice.azureedge.net, azureedge-t-prod.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:37:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
18:37:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_C327D06BE457E5CC9900222A896CFE4D "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
13.107.246.73	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://v3r1fy.tdr1v.freemyip.com	Get hash	malicious	HTMLPhisher	Browse
	https://pub-6a08b05596ae4c139f14fc7b92eb075c.r2.dev/NewOneDrive78.html	Get hash	malicious	Unknown	Browse
	https://cb1cd44761364cecb21c459c42a86757.svc.dynamics.com/t/t/oIX7RshqCPFFtVxUphHklxDHFg31zySxgRv75vmlL2Yx/ipf8JYDu9fTBRLVxBJ5f98zUiqcPZCqXAj98vZXuDQkx	Get hash	malicious	Unknown	Browse
	https://zngw.officeinvoicedoc.com/DhpuI	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	https://support.microsoft.com/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	Get hash	malicious	HTMLPhisher	Browse
	crewssubaru doc.pdf	Get hash	malicious	HTMLPhisher	Browse
239.255.255.250	https://outbound.knectit.co.uk/u/click?_t=bnBkL3ZkcGpzYnVvcHV0c2pnQW9icGUvenNzYmMwd2ZlL3RzZmxzcHgvNjYxNHNmb3NmeHQvZm9qbmJnM29wbzAwO3RxdXVp	Get hash	malicious	Unknown	Browse
	http://passtcnet.homeunix.com/amj/2.mp4	Get hash	malicious	Unknown	Browse
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse
	New Document from Community Insurance Center.html	Get hash	malicious	HTMLPhisher	Browse
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://alkimialofts.com/on%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	HTMLPhisher	Browse
	http://idtyvfyfmst.weebly.com	Get hash	malicious	HTMLPhisher	Browse
	https://decktop.us/MUYKd1	Get hash	malicious	Unknown	Browse
	sxs.exe	Get hash	malicious	Unknown	Browse
23.44.133.38	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0045.t-0009.t-msedge.net	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.73
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.73
	http://v3r1fy.tdr1v.freemyip.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.73
	https://pub-6a08b05596ae4c139f14fc7b92eb075c.r2.dev/NewOneDrive78.html	Get hash	malicious	Unknown	Browse	13.107.246.73
	https://cb1cd44761364cecb21c459c42a86757.svc.dynamics.com/t/t/oIX7RshqCPFFtVxUphHklxDHFg31zySxgRv75vmlL2Yx/ipf8JYDu9fTBRLVxBJ5f98zUiqcPZCqXAj98vZXuDQkx	Get hash	malicious	Unknown	Browse	13.107.246.73
	https://zngw.officeinvoicedoc.com/DhpuI	Get hash	malicious	HTMLPhisher	Browse	13.107.246.73
	UploadCustomersTemplate(2).xlsm	Get hash	malicious	Unknown	Browse	13.107.246.73
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.73
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.73
	https://support.microsoft.com/windows/protect-yourself-from-phishing-0c7ea947-ba98-3bd9-7184-430e1f860a44	Get hash	malicious	HTMLPhisher	Browse	13.107.246.73
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://outbound.knectit.co.uk/u/click?_t=bnBkL3ZkcGpzYnVvcHV0c2pnQW9icGUvenNzYmMwd2ZlL3RzZmxzcHgvNjYxNHNmb3NmeHQvZm9qbmJnM29wbzAwO3RxdXVp	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	New Document from Community Insurance Center.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	z47maaaaaaaaaaaaax.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	172.64.148.10
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://alkimialofts.com/on%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	HTMLPhisher	Browse	104.26.0.100
	https://decktop.us/MUYKd1	Get hash	malicious	Unknown	Browse	162.247.243.29
	sxs.exe	Get hash	malicious	Unknown	Browse	172.67.41.60
	http://www.water-filter.com	Get hash	malicious	HTMLPhisher	Browse	104.18.15.188
AKAMAI-ASN1EU	http://www.water-filter.com	Get hash	malicious	HTMLPhisher	Browse	23.67.131.235
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.57
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.9
	5qckfVuvzX.exe	Get hash	malicious	RHADAMANTHYS	Browse	172.236.107.96
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.42
	https://emp.eduyield.com/el?aid=28gedda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/spesbonaconstruction.com/.css/Gb1K92P0/di5hbmRyaWVpZXZhQGdtcy13b3JsZHdpZGUuY29t$%C3%A3%E2%82%AC%E2%80%9A	Get hash	malicious	HTMLPhisher	Browse	172.233.33.244
	https://d4g6kw04.na1.hubspotlinks.com/Ctc/I9+113/d4G6KW04/VVDXvw2129f7W9lgpSl3-BQgwW4125np5kh8PvN1n_9Xx5kBl-W50kH_H6lZ3lBW5xCLbK6c416cW6G0HMx6QhV7VVrZqSG3HBKSjV6wDNg4ZyZn6W7_FTpm1dqZm4W723tVM4rftccW3vWlSp1wGvTJW2zXXwV1X740xN1t2gyvnMRlqW7JdFVP1Ty-FHN3Fp_ww3m7TdW66_q2r1Q3VwtW7Dpks077Qf8bM1V49whQ40NW6RphCp8kpt1HV_HZcV84HKmBW5lF7ZC61FD66W73XZV57GJ9ZkVDMN0b9hXGx2W8dysfm3qm-8VMZTWKPM6VCVW6l8ws98dhwKqW4Z2gzl8fZ601N7pH1zqJ5vZ5N90-353vPlZ7VD24xR8Rht6PVyTztF65g6ScN24XQrJRlvxMW20qlrM4TTNP7W6Lc5vQ43Pq7NW32bHwR84HFLgVgWx3d5S85nlf8gcVNq04	Get hash	malicious	Unknown	Browse	88.221.110.227
CLOUDFLARENETUS	https://outbound.knectit.co.uk/u/click?_t=bnBkL3ZkcGpzYnVvcHV0c2pnQW9icGUvenNzYmMwd2ZlL3RzZmxzcHgvNjYxNHNmb3NmeHQvZm9qbmJnM29wbzAwO3RxdXVp	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	New Document from Community Insurance Center.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	z47maaaaaaaaaaaaax.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	172.64.148.10
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://alkimialofts.com/on%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	HTMLPhisher	Browse	104.26.0.100
	https://decktop.us/MUYKd1	Get hash	malicious	Unknown	Browse	162.247.243.29
	sxs.exe	Get hash	malicious	Unknown	Browse	172.67.41.60
	http://www.water-filter.com	Get hash	malicious	HTMLPhisher	Browse	104.18.15.188
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://outbound.knectit.co.uk/u/click?_t=bnBkL3ZkcGpzYnVvcHV0c2pnQW9icGUvenNzYmMwd2ZlL3RzZmxzcHgvNjYxNHNmb3NmeHQvZm9qbmJnM29wbzAwO3RxdXVp	Get hash	malicious	Unknown	Browse	20.119.0.39
	file.exe	Get hash	malicious	Unknown	Browse	20.75.60.91
	http://www.water-filter.com	Get hash	malicious	HTMLPhisher	Browse	150.171.27.10
	file.exe	Get hash	malicious	Unknown	Browse	13.107.253.42
	SecuriteInfo.com.Linux.Siggen.9999.6015.2041.elf	Get hash	malicious	Mirai	Browse	20.41.197.130
	SecuriteInfo.com.Linux.Siggen.9999.16227.30183.elf	Get hash	malicious	Mirai	Browse	20.46.111.111
	Message-ID 08282024 110831 PM.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.253.42
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.73
	http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	http://passtcnet.homeunix.com/amj/2.mp4	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 20.190.159.71 51.104.136.2 40.127.240.158
	https://sgsconsulting.com/	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 20.190.159.71 51.104.136.2 40.127.240.158
	file.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 20.190.159.71 51.104.136.2 40.127.240.158
	https://alkimialofts.com/on%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27 20.190.159.71 51.104.136.2 40.127.240.158
	http://idtyvfyfmst.weebly.com	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27 20.190.159.71 51.104.136.2 40.127.240.158
	https://decktop.us/MUYKd1	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 20.190.159.71 51.104.136.2 40.127.240.158
	sxs.exe	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 20.190.159.71 51.104.136.2 40.127.240.158
	http://www.water-filter.com	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27 20.190.159.71 51.104.136.2 40.127.240.158
	http://econltractors.com	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86 184.28.90.27 20.190.159.71 51.104.136.2 40.127.240.158
	http://general72.s3-website.us-east-2.amazonaws.com	Get hash	malicious	Unknown	Browse	13.85.23.86 184.28.90.27 20.190.159.71 51.104.136.2 40.127.240.158

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3335
Entropy (8bit):	5.59880313134358
Encrypted:	false
SSDEEP:	96:0q8NkC1fAuOZBHB55873vBERtJk4czSDS4S4SDSqI4a:/8NbuuONnzRDk4F
MD5:	1F95690EA413DFDF607119DE0CC18591
SHA1:	8A558820DBAAC13BD752BE1773F59D19EF9EF3BF
SHA-256:	CAE1D10169440D02CF2564BABE5A7FF09A8ECD8F01B49A0461DB080D48F729C5
SHA-512:	EAED084476B516017D1D181973F7EB3DB3405862FA802BA07AD3786C94257E6C58DE582E98230E693B4FC4161223301ED25F0E748B4191AEED667C033DCEE348
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"policy":{"last_statist

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\1f438701-fdb5-484e-b9c9-665ba401b177.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70361
Entropy (8bit):	6.071850534683187
Encrypted:	false
SSDEEP:	1536:XMGQ5XMBGCSHKIDPd7AkFDg0dqC3rGts/9QyWnp10e0QIflpZ:XMrJM8hHKanxr9/91CpmzQWfZ
MD5:	215E631429FD2BA9DB5A7E99FCB04A4C
SHA1:	070B76B889AA4D704709C2F923B05E942CD41CBC
SHA-256:	F49D2058A6A4C3F6D42F6C40661292A4B14278664AAE0691B1B06F7417438D7B
SHA-512:	E9EA817C4833108BEAB6458B2CB749EAA0385D95CBF13D29E1EC2DC2621C01B751BF4F11D74DA6A9E540E83731D8018DA09E307120492D1A394B4199E06B83E8
Malicious:	false
Preview:	{"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4yiCP35c3GslC7pbGWtdjepFQa8o4gNsBaDMhehaeQEDKO6AuQYO0uvD+5/wQXojHN6Y2SPI05Q0YrzvQdAR90ulreieqdtVSV

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\4b1aae65-9646-4cbd-b859-6708119ca477.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.584232078006681
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afAuOgt0ykHB+w5UdrxJ3vBrfbLdRmWOCXvaJkXoc4IwlRgoq:Xq8NkC1fAuOZtB55873vBbAUCJk4csRq
MD5:	D0AE6406F8BC9BD02811B34D9E6F07FF
SHA1:	F18F75D19138FFF7A8D5D73DEC8291E53AF1204A
SHA-256:	EFD8693C12274F8A0EA9EF673D1482DB16D14C0BE3E57521378930C79AF189D6
SHA-512:	34BD75FE058B90EE5CA5594EEBD54040F8B6422A5F689128BF47D075E77E9BD1E4348D7095F3853DFCF655774109B9BA2C4022C5CA1649C41692E38A62FA0ABA
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"policy":{"last_statistics_update":"13369423024117344"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\53dad864-d7d1-4bca-b00e-d346fb88d045.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4235
Entropy (8bit):	5.4870876887855955
Encrypted:	false
SSDEEP:	96:0q8NkGS1fAuOZ58rh/cI9URoDotoCxB55873vBERtJk4czSDS4S4SDSqI4a:/8NBSuuOSeoDUtnzRDk4F
MD5:	42AB9902EE4334AEF3BA999B6DF49510
SHA1:	08162A686988346B66224242E55423C1BA3C309A
SHA-256:	80D2770E7117B02D6322115E330504C2C1E9AEB12460B245175E32C78438C809
SHA-512:	A11341CF38191685ACEB6EBB905EE362E893762A1447D05E639C16A8670A6F1A82E7FF3F311672F9DB8BDF9FF0812FE3D9F24543B63399384B28FCAE1DE24917
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\646d0f8f-5b21-49c2-8306-b688e9a070c1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20700
Entropy (8bit):	6.065022286061518
Encrypted:	false
SSDEEP:	384:dtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSAO0mVA4rRT9ljFgC:XMGQ7FCYXGIgtDAWtJ4nVVA4Hx/
MD5:	9E8F0FF586DED5C87D72E31BFB5B50C9
SHA1:	C9FD08F9169416DEA41112890D1785D2A463CF47
SHA-256:	CC06EDC99A2C29E73CD02DA3917F8027316924083F5F316B1B1DAD00B7F9348C
SHA-512:	A58B439F65939FC6A43E3E0D7A9CB9006DED47A81C092BA9418B67A77706183E0276385B4E947D0C0E380BE828DD12EB4F224F106010A22C73F4E1CF95B0948F
Malicious:	false
Preview:	{"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4yiCP35c3GslC7pbGWtdjepFQa8o4gNsBaDMhehaeQEDKO6AuQYO0uvD+5/wQXojHN6Y2SPI05Q0YrzvQdAR90ulreieqdtVSV

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\95c250be-2d80-4416-ab42-66f0ec5c0d22.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20699
Entropy (8bit):	6.06502452618218
Encrypted:	false
SSDEEP:	384:dtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSAO0mVA4rRT9ljFgC:XMGQ7FCYXGIgtDAWtJ4nxVA4Hx/
MD5:	5962605E03C19E5FC6AB348F39535041
SHA1:	6D9B7CDCA17B012DFD3298CD5B325EE4D40B76A2
SHA-256:	57E682BE46FD2412A452F3FFAA5F975FB06E1A68286C853921530E5F9956E02F
SHA-512:	A45451C22969617A4781320C698AC412D713AEB13F65B910FCC188B78E96B5978EE025AAC086D048A39CF94525A1C3004FA97670288620E83926C5B1CD62B6E9
Malicious:	false
Preview:	{"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4yiCP35c3GslC7pbGWtdjepFQa8o4gNsBaDMhehaeQEDKO6AuQYO0uvD+5/wQXojHN6Y2SPI05Q0YrzvQdAR90ulreieqdtVSV

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\9ba62745-0b23-4d96-b801-b5c543a9f470.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.584232078006681
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afAuOgt0ykHB+w5UdrxJ3vBrfbLdRmWOCXvaJkXoc4IwlRgoq:Xq8NkC1fAuOZtB55873vBbAUCJk4csRq
MD5:	D0AE6406F8BC9BD02811B34D9E6F07FF
SHA1:	F18F75D19138FFF7A8D5D73DEC8291E53AF1204A
SHA-256:	EFD8693C12274F8A0EA9EF673D1482DB16D14C0BE3E57521378930C79AF189D6
SHA-512:	34BD75FE058B90EE5CA5594EEBD54040F8B6422A5F689128BF47D075E77E9BD1E4348D7095F3853DFCF655774109B9BA2C4022C5CA1649C41692E38A62FA0ABA
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"policy":{"last_statistics_update":"13369423024117344"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D0A3AF-580.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.04017440683061716
Encrypted:	false
SSDEEP:	192:4QBUjLYiVWK+ggCNltJZzK1d9XqY1Pg+z2u8honNE7hcRQ8NBLMn8y08Tcm2RGOD:ZUjjlhcgVhK8Q/LM08T2RGOD
MD5:	93E56711F84921ABE1F7EB8C26FD7575
SHA1:	48FB3FAA919E9309FF09BB30A8C526E0FCF036AF
SHA-256:	27533062736B98D13BD419CB77872C4752469322D86EFC64AEB01C55657521A2
SHA-512:	97932D9F191113C394CED0591C17CA39C2F45786BCFFC89453ACE7CDB014C175DC7F39BA80892E1695A4C0A3490E9B1ECD2F2E9044040B5C8091B122A8BF2D65
Malicious:	false
Preview:	...@..@...@.....C.].....@................`..8P..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".kgobgb20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@.............!..................>..$}.CG....L.T.w..Ucw.}....u.$r....9...>.........."....."...2..."..:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z.../.$..U$@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z.......................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D0A3B0-A98.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.4488700705510059
Encrypted:	false
SSDEEP:	3072:GODMsiSyt+GMFXD/ubHUj1lXdwh3bmfLH8Fenhkg1HFr7kipozcmFTxJEqxyNmfR:liaXIUnhkaHK4s5lchaHZCK2W
MD5:	875A0710DDCBA467923EFD8386267159
SHA1:	6892E1648E34CC16ABE19A089BF418B36D2A8ED3
SHA-256:	EC9CFC945BFA0AFA6677065DCE2AE16191FE5DA921D7F7196886833DD40777BA
SHA-512:	9034D3CF5B086EBDB1ECCECF880104BB12E9000C647272805745A51D93B69A0F3A0DF0105C173F8AC308A38FDE6D67AAFC49A9B6E8327192AA512420FEE8A8D8
Malicious:	false
Preview:	...@..@...@.....C.].....@................;..H;..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452....x86_64..?.......".kgobgb20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J....s..^o..J...W..^o..J..,jp..^o..J.......^o..J../T...^o..J...X.p.^o..J.....p.^o..J...c...^o..J...Y...^o..J.......^o..J..w....^o..J...G.Y.^o..J..A....^o..J....c..^o..J...c=..^o..J....J..^o..J...h8..^o..J..3.(..^o..J.......^o..J..!n...^o..J...S@".^o..J.......^o..J.......^o..J...j.8.^o..J..@....^o..J.......^o..J...b.J.^o..J..G....^o..J..8...^o..J...#...^o..J....k..^o..J..S..O.^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.174334882627991
Encrypted:	false
SSDEEP:	3:FiWWltlWc3JtB3ViHSRqOFhJXI2EyBl+BVP/Sh/JzvuB9sUf5JVtl:o1W0JtBliyRqsx+BVsJDulbVX
MD5:	80989DB7E23276BAF5797F0DA25E1644
SHA1:	26B59C3483CB0983A500A88592874821EB9A5FDB
SHA-256:	E44E5F0EE7AD9C016265817A8466154D3DBDE4D2A7F9E706ED32D0074BFAD403
SHA-512:	4895B6A6FAAF33C9F8E24A26CA5A1AB272CE6BD2FB21EBADFA1FC61623E62CA0B6EC01D0F34014F6A98EC42BD4239D271616F11DF830EE1BA99AF6B31502299A
Malicious:	false
Preview:	sdPC.....................;...O.K..H....."1SCRpGKHAwpF5kOwXUUSc/ojBrTkNG2SgkvqW1WE7kI="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................1dd2bfae-4166-4227-afc0-31046e5a7937............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\3644440c-f6da-4d16-8b84-3b40725898b1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566368941636779
Encrypted:	false
SSDEEP:	768:0cAx4bWPcOfe98F1+UoAYDCx9Tuqh0VfUC9xbog/OVl8f00rwGppGtuE:0cAx4bWPcOfe9u1jasU0tGmtD
MD5:	628CB3D9EFE421566763FE3610F05EB2
SHA1:	4BAF3F439213AF2EF6308B172111A02265A0B26E
SHA-256:	748C95D23C7C908003D73E66DDBBA7EDF58C4971DB78514DFA3CCA4C46B7E867
SHA-512:	6176D2E9325480EA3CD8514F939BB28605C4FD468DA33A6B274E754843FBD0F25CDFAF07517A6E6E6F876102799C4AC310015A1B43C2451F84DE08387F7C0EE1
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369423024751513","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369423024751513","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\36f3149c-c249-4373-a2e1-9f042d28c24d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\3931c9fb-2c94-41bd-82fb-de7ac27831bf.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\5715d350-d05b-4948-b9f7-2ab286f7804b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.9684975222468415
Encrypted:	false
SSDEEP:	96:st7qfUis1nb9nmlJN8z5s85eh6Cb7/x+6MhmuecmAerybS2M4/EJ:st7esmrNk5s88bV+FiAoP4MJ
MD5:	42A4855618AEB898DFEDBBB7EA4EEF37
SHA1:	9AF8BB20BBD407797C3385410240EBAD5213CB86
SHA-256:	82E295FC37C92471EBCADD81D3042B170AB09B38F56521140180301265C5E04A
SHA-512:	9F3175B1934FCB931ACAE129F41AD2828EC14EDDC25D4EA848666C981BA7D2A4ABF08F7508886EECCA31808EE09D28B43AF31B016C68D3D4E0662ADAA8872FDF
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369423026208664","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369423026209425"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\7758666c-e7b8-4ce9-9034-62e64f83dfd8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6432
Entropy (8bit):	4.975428958652319
Encrypted:	false
SSDEEP:	96:st7qfUis1nb9nmlJN8z5s85eh6Cb7/x+6MhmuecmAeryQ0QQ2M4/EJ:st7esmrNk5s88bV+FiAdP4MJ
MD5:	1C67B8A601C84ADCEBAE230E021D1E25
SHA1:	76171923AF5BB805EA492A6D4DF05882FE4E4221
SHA-256:	66FDEE33E48024B8D7BBF1C28AE999C6672387DBDEB6D20F080EA6DD824064AB
SHA-512:	702886E94128F24DCE364DA4FE3FFA00004FD6F0FB13D5D400A478126E0A0C4EFAAFDA6F13F9EA2F58ADD34CBDA43878E12F229700A0A9DEAF559EBFBE8255D9
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369423026208664","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369423026209425"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	12600
Entropy (8bit):	5.321285873743946
Encrypted:	false
SSDEEP:	192:uAOEH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNdl:ROEOKSXs/J7mGnQmLu5/5eNdl
MD5:	4EF198B9095DE3B868FC0406CAA4CBDE
SHA1:	8C154BE3C0A2EFCB3B08D0D7A0F9626302D54F95
SHA-256:	D096AA56C4B88728E304AADD9CD5A06D9B72425D8ADBD256D89E169B1431820E
SHA-512:	C120BE97386880AA0288D051AC5EB91EDF0DA79CF9B70FB47570BCEAAE7645B196924AC7698D5D91E6E67705F13B1BC74835E5E7DC13C84167634E4D895EAA98
Malicious:	false
Preview:	...m.................DB_VERSION.1]...................QUERY_TIMESTAMP:arbitration_priority_list4...13369423030712014.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}]..A./..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivilegedExperienceID",.. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",.. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",.. "SHOPPING_AUTO_SHOW_BING_SEARCH",.. "SHOPPING_AUTO_SHOW_REBATES",.. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",.. "SHOPPING_AUTO_SHOW_REBATES_DEACTIVATED",.. "SHOPPING_AUTO_SHOW_REBATES_BING",.. "SHOPPING_AUTO_SHOW_REBATES_ORGANIC",.. "SHOPPING_AUTO_SHOW_PRICE_HIST

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.138086756240317
Encrypted:	false
SSDEEP:	6:N5wW0Ec1cNwi23oH+TcwtOEh1ZB2KLlL5wW7+q2PcNwi23oH+TcwtOEh1tIFUv:NefRZYebOEh1ZFL1es+vLZYebOEh16F2
MD5:	19CAF8432BA735AE19C8C258C1DA5D88
SHA1:	0341ED221EA4A9A1F553552D77EED56F4A865A67
SHA-256:	2349E574948B708B0CCEC0FC6423E41E834ED6D1C68C3404EE3B1BBF7392ACD4
SHA-512:	C3235F70B39EE1DEC4EC83D4306EB900CA36FB11D0D69EB43DFEA39C41EEF139275ED703AE33C0655E228AD00BA3BB83981051C8314EF494EF030817CB46158D
Malicious:	false
Preview:	2024/08/29-12:37:09.763 22bc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db since it was missing..2024/08/29-12:37:10.018 22bc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.044255403969726964
Encrypted:	false
SSDEEP:	6:/Fii2berkM/lk0jJAJ7PtWCHJSbGWucjswM/lcglt:dcEkIJi7lWUmGWucjjEFt
MD5:	0D3EFB14E7EEBBC7095BA12937266BD2
SHA1:	2D7C3724393EE72A955E2DB63CA418F0EEC96B9E
SHA-256:	9F5B271B3582E55F9F32B2CB7C82A71EADA5C5FA128B9A60701512D733A6D681
SHA-512:	78AC9F45A1F2B69E7247173C477810761CA6BD11EBAF1E4C72314C4E0EA4C8B9827B462670AF8843CF6F026EF436F5B8DD6A0B690460B28109146BADE7B820AE
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.09559770472068203
Encrypted:	false
SSDEEP:	24:QrQV4XQ3eaPVH5iV4XeaPVHaUAPnQzLIoMfXQz4MlAYT38EWp463HVIRBNUeG:5V4A3essV4XesrAfWPT3lWp43NUeG
MD5:	C208A5A0ECF0F101600B72C4807D246F
SHA1:	FEE993391ACBE5E815A4B4A71C17720F78C934B2
SHA-256:	C6016EC98478CC6A5CA827BA9CB14436965DA87DBC9AA1E71FA4A89660C10993
SHA-512:	8B0C47A661DD654F330AB4D806581A8215CCCAFE16E56C10BE16CA5D7147DC50EBB7763366DA4A2ACF4D7A43C16D91E172150B891347427A58EF36602B469EBE
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.28348165679544024
Encrypted:	false
SSDEEP:	384:7SyJtnApSyJtnlggqtJt/ygqtJt/FeDjJtL:7vJtCvJtFWJt5WJtWJt
MD5:	F1935E8176866145A8674FD1D149652F
SHA1:	1A8D92E0946240BFE40B44BC65401D12F8B56151
SHA-256:	36AEB90936C81CBC1D24C28ACB19800C3B9A0DF8736186656B3CFA0576A0F1AA
SHA-512:	7D13BDCE23D2085164D686583129101BA5B5C076568198FCE8A8C35BF176724F6E64B15ACDE25A91BB07B84AD5EFA23D7DA213981E7BC8C07AA9A441EAFC8135
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Fri Aug 2 18:10:34 2024, max compression, original size modulo 2^32 374872
Category:	dropped
Size (bytes):	70207
Entropy (8bit):	7.995911906073242
Encrypted:	true
SSDEEP:	1536:VzseWV/dT2G9zm5w0vgxQUFm6SM6ZYRuB61K+aK+POIwPru:VoNQGIwvs6S9+I6RWPOIwTu
MD5:	9F5A7E038BF08B13BD15338EC7BD4E16
SHA1:	AB69D28EEA9AE289BB86159C341910538CDDE5B9
SHA-256:	BA0BCBBF170ADB0B5119D19D56C2D004579507DFC4A9215BCCC8663C8A486AF8
SHA-512:	48557ECD56DFD2157304FE752E15E44314667EFC79E6C21312723251E4E1F1BF5BE0A76F88F4B4D83FADB9D81BFB1835B1C0E5CFA7B07214A605F58064BB94B1
Malicious:	false
Preview:	.....!.f..asset.....6.0.W..3....[........9m;.....IH.E...j...}.....PR..w.gg.....@.P...?...x....?./.%..Q...x....}..9..e..f.8..Yb@g...i..$...I.......<....k...{..{.Qg..k..q.....i.Y}..._......\?....5 .5 .`..._i'@....H'.f!...x`...f......v.._1w.u.<.........5.:..^.Ua....H6...x....D:.R..L..2.,.s.f.......FE'..%{]-;+.`....N...=\|.:q...9N.k..i.I.8E.i.I.s..Y...8..fe'...Xo...Xo...#.r$N.u2.o.]....^,.k....{E."......Q.N...AY..u.^o.............Z..ce.irN.{.O$.C.......HJ.HJ..J..hOgA.5.nW.\........}E.%-.A."a<..~.[O....~.......xX.G?Y.3O8d8I...&X....V4...0=.iS....].D.L@.YiS...<.W..W+..#mj...p..8^.\U;oV;W`..^..V...G..SC.9.....i%@g.iS=..`..#.H.p.q..E.q...)....).X..M.X.%.,i.%..V..6.nk.@1S@-..Y.6....K.n....:c.My.....h...9..q...f't.iS.v..6D7...d't.iS.v..F.....faG.t.f....lR.J@!l.0O..T.....T2...\.n..-....L..ES.9.:...B..P1@...P.l.fX.aV..Y6.B5......Mt..SS,l..+..J...).i.6......8...:.Z...2.H.8..Z.>.5.Oi..N`:..6.i.n.h.l.e.h.T\.lr...TE+m.T..).D..F..+.6....J...x.`..`.m..H..i....p...v

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	4.989325630401085E-4
Encrypted:	false
SSDEEP:	3:Lsulu:Lsn
MD5:	B1D637294B9DFB09D8A3DE3C8ED13290
SHA1:	9F8E8328B89FF2BC48285214723E3543B0A00FFB
SHA-256:	1C52A562F2B60AF6F62FA503544562724748FE1F47414E6E2FA02C9A52135E48
SHA-512:	0F417DB681456D6F0D5596A77E955589CD960AB0D26A45F79B75B62A3095CF7C67C4652C610C85F3D3B34BEDDA5019AFBAA5301FD439E9A8D77B91699DB40150
Malicious:	false
Preview:	..........................................^^k./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:qdH9ED+An:qhqD+A
MD5:	E37FCF302B9578F5ECF1689D3565799F
SHA1:	4EBB3FC0DE666B054DD10CAB8C140BE902FFD5FE
SHA-256:	6D12E72D6251296FF7C5A7ACB4E34004EC9A2401F423F5DFD8228A066B7582AA
SHA-512:	0746AC8355850B2338B1C648A78975A8139898CF348C8A4AF5E604A01DD4F0FEDE39F41C9638A409391A43C961D8C9F5E836EB273D1A94172DC6319121C21DEC
Malicious:	false
Preview:	(.......oy retne.........................E@^k./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:qdH9ED+An:qhqD+A
MD5:	E37FCF302B9578F5ECF1689D3565799F
SHA1:	4EBB3FC0DE666B054DD10CAB8C140BE902FFD5FE
SHA-256:	6D12E72D6251296FF7C5A7ACB4E34004EC9A2401F423F5DFD8228A066B7582AA
SHA-512:	0746AC8355850B2338B1C648A78975A8139898CF348C8A4AF5E604A01DD4F0FEDE39F41C9638A409391A43C961D8C9F5E836EB273D1A94172DC6319121C21DEC
Malicious:	false
Preview:	(.......oy retne.........................E@^k./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:qdH9ED+An:qhqD+A
MD5:	E37FCF302B9578F5ECF1689D3565799F
SHA1:	4EBB3FC0DE666B054DD10CAB8C140BE902FFD5FE
SHA-256:	6D12E72D6251296FF7C5A7ACB4E34004EC9A2401F423F5DFD8228A066B7582AA
SHA-512:	0746AC8355850B2338B1C648A78975A8139898CF348C8A4AF5E604A01DD4F0FEDE39F41C9638A409391A43C961D8C9F5E836EB273D1A94172DC6319121C21DEC
Malicious:	false
Preview:	(.......oy retne.........................E@^k./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:qdH9ED+An:qhqD+A
MD5:	E37FCF302B9578F5ECF1689D3565799F
SHA1:	4EBB3FC0DE666B054DD10CAB8C140BE902FFD5FE
SHA-256:	6D12E72D6251296FF7C5A7ACB4E34004EC9A2401F423F5DFD8228A066B7582AA
SHA-512:	0746AC8355850B2338B1C648A78975A8139898CF348C8A4AF5E604A01DD4F0FEDE39F41C9638A409391A43C961D8C9F5E836EB273D1A94172DC6319121C21DEC
Malicious:	false
Preview:	(.......oy retne.........................E@^k./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl4:Ls34
MD5:	676198FFFF18F45278EAFB36A9AEC332
SHA1:	7DDE65EE72FE937E6931AD2BFC24DDB5D4563A31
SHA-256:	5DA4174252A26AA1076504C644C4644A8F3D83D857DEC8F6583483C1493B3E54
SHA-512:	535517678EB4C3D20CD1A04447569AF6E317A5584EB03768F4C11618314A343E3F1C285DB813D45F4CE1F77B1018C9CC3025E54CB4CD4FCFCCE684107BAE8912
Malicious:	false
Preview:	........................................F.X^k./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.354087053718498
Encrypted:	false
SSDEEP:	6144:nA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:nFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	26912E457114FEF391DEFF79056A0A8D
SHA1:	FA1771D462C8044949831DE625BEAFCF84058B12
SHA-256:	3B726172811B97D9D5157A0485BCEE43879308AFAB71769494FB86BA9AF2F4A5
SHA-512:	D3CA64BC031CB226BE1D606BA7FC1BB30D2C7499915CA61E9B5043EE5AD0B405F4D7E2E9D8FB218233E926665ACF8330C5D755278F3106D5A266F3F0FEA230EB
Malicious:	false
Preview:	...m.................DB_VERSION.1be..q...............&QUERY_TIMESTAMP:domains_config_gz2...13369423031241554..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.184361921292966
Encrypted:	false
SSDEEP:	6:N5wW01wFD1cNwi23oH+Tcwtj2WwnvB2KLlL5wWcAN+q2PcNwi23oH+Tcwtj2Wwnp:NefyF5ZYebjxwnvFL1e5s+vLZYebjxwp
MD5:	71697A196709D6D639941A5DCE7C8AAB
SHA1:	192FB9337B1F8964A8AE6BB8DF9FE9FD5CE1AE7C
SHA-256:	23AFAADC07152E661E1C2D8B71A8B99DBF16054D5D623D9039CD557D81699BBA
SHA-512:	2270E5EDA448C096C180CEDF0EA3E1EC78451C83F2A20F99E5F9036197EA1AB270EBD4E63718CC86F46CAE7BD0AC3F9B34F2A94D6100588086B05F9CBAA467FD
Malicious:	false
Preview:	2024/08/29-12:37:09.922 22dc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db since it was missing..2024/08/29-12:37:10.115 22dc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358860
Entropy (8bit):	5.3246057381608
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6R8:C1gAg1zfvU
MD5:	A9CF36E46EBD8BF047141C3B3866E486
SHA1:	38C06EA1187EF4F263AA2ACA7D8A070891C34A17
SHA-256:	6470B2832F77EFE1F90ED29527BD32679EAAD29124B2C3837D9D0E1EC9806686
SHA-512:	F4D01FAA73D6C114507957338AF25834EBB715BB03AB8AA9F2233CCA1FADEE19DA51B70B37F58FE37834B6F5B081F254E402FA81EC07E47EA6667918B1F2CD39
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.196974453366544
Encrypted:	false
SSDEEP:	6:N5wW0vFfB+RM1cNwi23oH+TcwttaVdg2KLlL5wW09SOq2PcNwi23oH+TcwttaPrk:NefvJB+R2ZYebDL1efxvLZYeb83FUv
MD5:	43FE8444E925A8271F64A133B0FD0EFC
SHA1:	9DD313F86C50C523C2403F42F20051AB71E8B5C9
SHA-256:	D81FE597A49AC3B3EB055428FD57FE88E91B2CF95BB3C267FE253BCADD3AD4BF
SHA-512:	4AB8E6F24313F784B8CFE555614E0F82589C888E08E6423968218AF4A6891FD26EB10487B36D3E9471EA234BD973ECBF0A8AFEA00067E39CBD0FEF9C505D5333
Malicious:	false
Preview:	2024/08/29-12:37:04.794 1c04 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules since it was missing..2024/08/29-12:37:05.042 1c04 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	305
Entropy (8bit):	5.18529123145355
Encrypted:	false
SSDEEP:	6:N5wW0QRM1cNwi23oH+Tcwtt6FB2KLlL5wW0fpIq2PcNwi23oH+Tcwtt65IFUv:NefQR2ZYeb8FFL1efRIvLZYeb8WFUv
MD5:	F7C01A4D41CC20D246F3E044CECC8C07
SHA1:	9FCA489EAFDA1EEF439104A40D7890DD7345C64A
SHA-256:	2F0E7C0A317718A24DFF50E4F7A4B3AFF66B05A46639558EA372BB365A2CBECA
SHA-512:	D9F7D9470EE9EAE81DE96C4AD4C3A1A77BACADA9B080F6CBE11E889CADFEFFF0D13ECA1B5BC02784B7B5C3412AA57B02584B419DB7BB7295E2A24399DF1B73CE
Malicious:	false
Preview:	2024/08/29-12:37:05.043 1c04 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts since it was missing..2024/08/29-12:37:05.054 1c04 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.184246278376986
Encrypted:	false
SSDEEP:	6:N5wW00Eq1cNwi23oH+TcwttYg2KLlL5wW0bNAq2PcNwi23oH+TcwttNIFUv:NefQZYebJL1efJAvLZYeb0FUv
MD5:	DC5B8C3E7CC94AE59184C75DB9EC3519
SHA1:	F26501B930348049C53600C2EBFEDCC64097E920
SHA-256:	F10C8CD6A96EEA47EF78B362F4ADFDC937A882C894C54354FAA74F0D8949C042
SHA-512:	0EF87E9F0C8909FD93ED0F74DBAE17EE1DA4DA06BC1081E8B1FE7703A04DFAA06E82D0E382F5E73FCC9A54518DC8E66AB3941106D6D32D4C13F21D3598E9DB12
Malicious:	false
Preview:	2024/08/29-12:37:06.362 c90 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State since it was missing..2024/08/29-12:37:06.374 c90 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl:Ls3
MD5:	D90F2C3F671CCA5D313B3F17983B9B5E
SHA1:	6BDF2F9C41B20443F5319BC1E318AC4A5DD17FCB
SHA-256:	0B4BE1AD9B17AD0E999558598B5B2BD19CBCBFAD02641082CD0441ADEE40C5DA
SHA-512:	1521FB9FDAA03EEB9B8EC98E05D384394892A9C5C39B179BFBA3ADBB6165F1F280D25395FA82E18628BCC07C9D62223FAEF790CE5D697445F5614FA0D64662A0
Malicious:	false
Preview:	........................................?.T^k./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.2191763562065486
Encrypted:	false
SSDEEP:	3:3y/ZllntFlljq7A/mhWJFuQ3yy7IOWUwol/dweytllrE9SFcTp4AGbNCV9RUIJ:SZlG75fOG4/d0Xi99pEYn
MD5:	B21987C621A7CDC7287099AAE84627D2
SHA1:	74BDCD2259796CB349C3C182A03700A478D1CD48
SHA-256:	D7AB6473A34051142D9110B53787DD1F5F202783D06F18E1282674EEA595C251
SHA-512:	A6EBC02B0AD248EEBE62020862C06C2145FDFEF0CF6EF10DF6D2ACFB3A73A7CAED40A0C64F17AC9CD860332BA7798E4C8B10EFE84A0CE067A43777C0EEE85FE8
Malicious:	false
Preview:	..............YW...&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	385
Entropy (8bit):	5.2522665591097155
Encrypted:	false
SSDEEP:	12:NefeAPZYebRrcHEZrEkVL1efOnpM+vLZYebRrcHEZrELFUv:Nef5YebRnZrEkVL1efOpdlYebRnZrEx2
MD5:	151E315C594FFB2EB2689E09D8CD2B20
SHA1:	C3543D2D7D8770FFD22A5691761DE5A45AC2DE6F
SHA-256:	3A5D2BBC341C7D5997A817CCAE472771A1B351AEF2C8C6D5C9CC874489EDBB25
SHA-512:	7DBE5C66C79E0AD6DDB68CE59C531B489D9127C8D9EFA26389CB8BD0E9C387697334DE9E3C4B24F42713EF7448BA328DDE9D49F9A9312B5078110C2FC54A55E1
Malicious:	false
Preview:	2024/08/29-12:37:07.327 198c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/08/29-12:37:07.345 198c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.225172251810147
Encrypted:	false
SSDEEP:	6:N5wW0u61cNwi23oH+TcwtRa2jM8B2KLlL5wW0ESQ+q2PcNwi23oH+TcwtRa2jMGh:NefFZYebRjFL1ef1vLZYebREFUv
MD5:	38C3CCA55B00F3F9B03DB1504487CA13
SHA1:	B953E40D0E68DECE41E86E885FEF1B2C614F0FAD
SHA-256:	CE46708FC475C11BA3A419535C809F48A0681437207CF79657ED2545F348BE77
SHA-512:	606C4AB903DA176669440FF9271BD3929F7C69CFDDED16162121EC2CAC2AF73320F50850C2B5B53D8C377FEF1034DBA1A67F726E9BD51CAB4D6953CB18378DF0
Malicious:	false
Preview:	2024/08/29-12:37:06.065 1d08 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb since it was missing..2024/08/29-12:37:06.084 1d08 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\04d17518-44e0-472a-a52f-3a16aced48ae.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\0bf814d7-d161-4b28-8158-ecb0bba980d9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\273ea87a-c05e-41ed-8b72-51907fa9459b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\3765af60-ffbf-4a10-a2ff-33c223eed38b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\3a104fd9-623e-4ce8-82de-a36fcb02e076.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\7d43e5e5-9572-4c66-9c71-5f9002fe16c7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.902189221807403
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDHERW6JfYoR6oJbSpDkYMKWKWMS7PMVKJq0nMb1KKtiVY:YHpo03h6ubSpDd4MS7PMVKJTnMRK3VY
MD5:	176882E2C5301BB3929B39FF4DAB2E4E
SHA1:	B8B8E3C038708D56429C86D9F0FBB832EE6047F1
SHA-256:	2EB4EBEE3CEED5D175975BAED1834CBADC2C8CE1F416ABA18F73BAEC0B8A7C6C
SHA-512:	519A55DA583DA9E56B06BBAA50878C9D9A928F12F64C14AF471A600D24F660640AE0D66274291F8A20D217F545C447FBBF0638A864D822E606AEDCF481EB8CCA
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"supports_quic":{"address":"192.168.2.7","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF259de.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF31752.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.7604517778667389
Encrypted:	false
SSDEEP:	48:TaIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBkFQ:uIEumQv8m1ccnvS6lF
MD5:	D91A86D1496CEDE137F154F5515762E6
SHA1:	C64F4D4F47791BD95364B04881CC78C4D96B1987
SHA-256:	039AA010AD5B2D7C68F1F35311A69410E87AAB199ABB88F3A604A88E8A547379
SHA-512:	9D2666E35B3D5C75D78398E3349FB30C7D1B16D0A96CD92F7D6293919917EE90811714768C390BBEFA1806CDC4158190E7B9DD28396911C0DC5F1C39539E0207
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports~RF1f577.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.9684975222468415
Encrypted:	false
SSDEEP:	96:st7qfUis1nb9nmlJN8z5s85eh6Cb7/x+6MhmuecmAerybS2M4/EJ:st7esmrNk5s88bV+FiAoP4MJ
MD5:	42A4855618AEB898DFEDBBB7EA4EEF37
SHA1:	9AF8BB20BBD407797C3385410240EBAD5213CB86
SHA-256:	82E295FC37C92471EBCADD81D3042B170AB09B38F56521140180301265C5E04A
SHA-512:	9F3175B1934FCB931ACAE129F41AD2828EC14EDDC25D4EA848666C981BA7D2A4ABF08F7508886EECCA31808EE09D28B43AF31B016C68D3D4E0662ADAA8872FDF
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369423026208664","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369423026209425"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF2863d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.9684975222468415
Encrypted:	false
SSDEEP:	96:st7qfUis1nb9nmlJN8z5s85eh6Cb7/x+6MhmuecmAerybS2M4/EJ:st7esmrNk5s88bV+FiAoP4MJ
MD5:	42A4855618AEB898DFEDBBB7EA4EEF37
SHA1:	9AF8BB20BBD407797C3385410240EBAD5213CB86
SHA-256:	82E295FC37C92471EBCADD81D3042B170AB09B38F56521140180301265C5E04A
SHA-512:	9F3175B1934FCB931ACAE129F41AD2828EC14EDDC25D4EA848666C981BA7D2A4ABF08F7508886EECCA31808EE09D28B43AF31B016C68D3D4E0662ADAA8872FDF
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369423026208664","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369423026209425"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF2fb7d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	4.9684975222468415
Encrypted:	false
SSDEEP:	96:st7qfUis1nb9nmlJN8z5s85eh6Cb7/x+6MhmuecmAerybS2M4/EJ:st7esmrNk5s88bV+FiAoP4MJ
MD5:	42A4855618AEB898DFEDBBB7EA4EEF37
SHA1:	9AF8BB20BBD407797C3385410240EBAD5213CB86
SHA-256:	82E295FC37C92471EBCADD81D3042B170AB09B38F56521140180301265C5E04A
SHA-512:	9F3175B1934FCB931ACAE129F41AD2828EC14EDDC25D4EA848666C981BA7D2A4ABF08F7508886EECCA31808EE09D28B43AF31B016C68D3D4E0662ADAA8872FDF
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369423026208664","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369423026209425"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:	3:YVXADAEvTLSJ:Y9AcEvHSJ
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\README

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.2629097520179995
Encrypted:	false
SSDEEP:	3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
MD5:	643E00B0186AA80523F8A6BED550A925
SHA1:	EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
SHA-256:	A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
SHA-512:	D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
Malicious:	false
Preview:	Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566368941636779
Encrypted:	false
SSDEEP:	768:0cAx4bWPcOfe98F1+UoAYDCx9Tuqh0VfUC9xbog/OVl8f00rwGppGtuE:0cAx4bWPcOfe9u1jasU0tGmtD
MD5:	628CB3D9EFE421566763FE3610F05EB2
SHA1:	4BAF3F439213AF2EF6308B172111A02265A0B26E
SHA-256:	748C95D23C7C908003D73E66DDBBA7EDF58C4971DB78514DFA3CCA4C46B7E867
SHA-512:	6176D2E9325480EA3CD8514F939BB28605C4FD468DA33A6B274E754843FBD0F25CDFAF07517A6E6E6F876102799C4AC310015A1B43C2451F84DE08387F7C0EE1
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369423024751513","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369423024751513","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RF25598.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566368941636779
Encrypted:	false
SSDEEP:	768:0cAx4bWPcOfe98F1+UoAYDCx9Tuqh0VfUC9xbog/OVl8f00rwGppGtuE:0cAx4bWPcOfe9u1jasU0tGmtD
MD5:	628CB3D9EFE421566763FE3610F05EB2
SHA1:	4BAF3F439213AF2EF6308B172111A02265A0B26E
SHA-256:	748C95D23C7C908003D73E66DDBBA7EDF58C4971DB78514DFA3CCA4C46B7E867
SHA-512:	6176D2E9325480EA3CD8514F939BB28605C4FD468DA33A6B274E754843FBD0F25CDFAF07517A6E6E6F876102799C4AC310015A1B43C2451F84DE08387F7C0EE1
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369423024751513","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369423024751513","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.160877598186631
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljl:S85aEFljljljl
MD5:	7733303DBE19B64C38F3DE4FE224BE9A
SHA1:	8CA37B38028A2DB895A4570E0536859B3CC5C279
SHA-256:	B10C1BA416A632CD57232C81A5C2E8EE76A716E0737D10EABE1D430BEC50739D
SHA-512:	E8CD965BCA0480DB9808CB1B461AC5BF5935C3CBF31C10FDF090D406F4BC4F3187D717199DCF94197B8DF24C1D6E4FF07241D8CFFFD9AEE06CCE9674F0220E29
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.148593882515383
Encrypted:	false
SSDEEP:	6:N5wW2zWOVdR1cNwi23oH+TcwtSQM72KLlL5wW2GQOiQ+q2PcNwi23oH+TcwtSQMH:Nexd/ZYeb0L1ewQDvLZYebrFUv
MD5:	551E358399CA0A7B1FB5C44A3BBB071F
SHA1:	439A960D42603EA857C124F16D02786631FAAF8F
SHA-256:	9316EBA1CC02C54F2893F225F50B948B86E463FF1058C1FE8358D0BF3FBDE9A3
SHA-512:	62C805C5575E657374605E97E6AC61038D6CA19D4BBA1491E3B2B7C7B7E91BB02BCD7394C7AC223FF5F056CB285B6ADC28722A8C9515B6A7E4F0F333AD546B9B
Malicious:	false
Preview:	2024/08/29-12:37:22.234 1d08 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage since it was missing..2024/08/29-12:37:22.305 1d08 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	329
Entropy (8bit):	5.138903866757061
Encrypted:	false
SSDEEP:	6:N5wW05J7F+RM1cNwi23oH+TcwtgUh2gr52KLlL5wW0U7FIq2PcNwi23oH+TcwtgA:NefPF+R2ZYeb3hHJL1efU7FIvLZYeb3H
MD5:	ED38DF284196C8B3CAEAF66F2FDE4247
SHA1:	5283D3A385D654495697196037B5CA17D3C2D11B
SHA-256:	3DB6C6D42ED98C07A682F3E07A00700F9F6DE00A124697B26ABEB07371C24CF3
SHA-512:	919697E3EA5F7D1A02C8D237BA63CDBE94A447FB5924A2265AD877DFD056D7F44A76773C8CAD269D96857696CCCFC3B09A7BBE7FE643F84D4E3CD337AFA5A24F
Malicious:	false
Preview:	2024/08/29-12:37:04.756 1c04 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database since it was missing..2024/08/29-12:37:04.784 1c04 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulHa/:Lsx/
MD5:	AE00D0C1CA53BF7ED78F20ADCC8815C8
SHA1:	18802EB70D459C5B6FF4EEC948435C8C6A68A942
SHA-256:	BEC663199420A1E5FBCDC424614D5DE96C2BCBCB9B57498DD0DE6D693AA86C06
SHA-512:	4069CDF55CE64F085AAB6D6778816C312F0304757270363AC34C19A1DE6204465499C192192EFF2D0BFD539BD27C6407C9F19D66717F07C303B9D1BD88FEBB43
Malicious:	false
Preview:	........................................+%.^k./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:M9YHFQR0EbnBln:M90wbnTn
MD5:	2BC07D3B49CB55D43D301579869B5856
SHA1:	62DE5F0F53DFCFC4E5AA01957E73AF8834332037
SHA-256:	919FE097FB3176C85D96E7A1A43B50D520C0443093A59BCCCAF16A151D5C7BE8
SHA-512:	2AF4B1A792E778CAC0F05B93DF4C5BDD020BC6417CA95BDBA7602DE1996E6D84A9FD6DB774B5552D4D9E7E84F52951C8C37A1E08089F0FA691B840E0F128E55D
Malicious:	false
Preview:	(......oy retne..........................U^k./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:M9YHFQR0EbnBln:M90wbnTn
MD5:	2BC07D3B49CB55D43D301579869B5856
SHA1:	62DE5F0F53DFCFC4E5AA01957E73AF8834332037
SHA-256:	919FE097FB3176C85D96E7A1A43B50D520C0443093A59BCCCAF16A151D5C7BE8
SHA-512:	2AF4B1A792E778CAC0F05B93DF4C5BDD020BC6417CA95BDBA7602DE1996E6D84A9FD6DB774B5552D4D9E7E84F52951C8C37A1E08089F0FA691B840E0F128E55D
Malicious:	false
Preview:	(......oy retne..........................U^k./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:fz/mHFXAyECNw8l:CNA9Ow0
MD5:	572026D87B2AF1E158983ADE5E3321AE
SHA1:	8AC3A00039753516ED3CBE749D8D42035827DB3F
SHA-256:	C55BDC7774F42BAEC7683FE77B48CCA0EA9FB86B21E987FD1FA19E618A65E5D4
SHA-512:	8F9EC0C709BB20C60DAD26E0D3E43CAB3EECA05AEAF50396510121C1FA46235D0FCCDC69084A6BEFF38E91C2D21A2E98E0D02B2442C87994D0563E0F99C4FFBD
Malicious:	false
Preview:	(.....Z.oy retne..........................U^k./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:fz/mHFXAyECNw8l:CNA9Ow0
MD5:	572026D87B2AF1E158983ADE5E3321AE
SHA1:	8AC3A00039753516ED3CBE749D8D42035827DB3F
SHA-256:	C55BDC7774F42BAEC7683FE77B48CCA0EA9FB86B21E987FD1FA19E618A65E5D4
SHA-512:	8F9EC0C709BB20C60DAD26E0D3E43CAB3EECA05AEAF50396510121C1FA46235D0FCCDC69084A6BEFF38E91C2D21A2E98E0D02B2442C87994D0563E0F99C4FFBD
Malicious:	false
Preview:	(.....Z.oy retne..........................U^k./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlX+KBl:Ls3xl
MD5:	74F6F8B806122304F1F55DB46619AF1E
SHA1:	551FC08FB9A33C462942652B709AA04C4688469C
SHA-256:	BF3E4C927A71B8707C413839F8E38527F71B781C2CC6529CA83E2AD03C3C13BB
SHA-512:	F0A47C2ED3BB297C630F94658828201A6ED5D2ECEB1EF9D6E84719960C3D130760FC3ED3184075E1A54BB8B7ACC7C7F75292D4382302146CABD79DEC47FC11B1
Malicious:	false
Preview:	.........................................k[^k./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl/:Ls3
MD5:	5A315797D171D831B49DB7BACD0834DD
SHA1:	53C9BD0775187D0A0DDC39146DA3F274BE521FC6
SHA-256:	BCC7FD0530CDA8D4719E45CD73516917B6DBB456FC35432D87CF4FF8602E53D2
SHA-512:	A7166C0B661D5A418937E7DCB4469249669CFBD771D18E81BF5E50AB366EC4EF1E2115243AFF5275EE66B5C86F8BD2DAF8CB27C8ADB5EA69BE2E7F751BF5DD74
Malicious:	false
Preview:	..........................................Z^k./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	411
Entropy (8bit):	5.24035481204782
Encrypted:	false
SSDEEP:	6:N5wW0jj1cNwi23oH+Tcwt0jqEKj3K/2jM8B2KLlL5wW01jQ+q2PcNwi23oH+Tcwv:NefjZZYebqqBvFL1efzvLZYebqqBQFUv
MD5:	825633D63CEC878A44BFC0E0550A8496
SHA1:	1C85E69065DE6158C61EC839D7804879729028C8
SHA-256:	4757E25045167166AF84B6C2C19AAE23B408385B682319582B7B9BC0777CE803
SHA-512:	BA9C3E0C111ADB86145418C0CBF6ADAEA99C025DE845615F2108A193CF9565565835DB7B3D3CA3B73342A4F43A29E0392619A1A8DA1E91F8C78FCF2B33C7F4AA
Malicious:	false
Preview:	2024/08/29-12:37:06.559 1d08 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/08/29-12:37:06.639 1d08 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\5853d932-7489-42f4-8f31-0b8bc9f68be9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\83f9f307-9fa3-4292-aa45-24910e6bc75b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\9fe86c57-e7b0-4519-95be-1ae88e922369.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF259de.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF31752.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\ec33c06a-9204-43bc-950e-8f3e800b98ad.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\fbe2d1bf-b7a6-46ff-a8e7-c5669a370125.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.7273991737283296
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
MD5:	9F7EADC15E13D0608B4E4D590499AE2E
SHA1:	AFB27F5C20B117031328E12DD3111A7681FF8DB5
SHA-256:	5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
SHA-512:	88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	399
Entropy (8bit):	5.176042866322355
Encrypted:	false
SSDEEP:	12:NeHER2ZYebqqB6L1eH6uvLZYebqqBZFUv:NeHERiYebqbL1eHNlYebqy2
MD5:	5159E64EB8FBDB8C08AB3745E6C37E31
SHA1:	CA8E4C211D33B85223D5454CAB7FA3B217316163
SHA-256:	3EA363C0696E3B4F92817C28F9BFA3C1CBC613CC4895611E91DE97CD70C85D9D
SHA-512:	A9A3D1B0D88234BC950980D812D7626AD8E94897AC9B7F269358165916B50E9A199696DAF13BD3CB9B90D6660E5F3F8667574BEC7BCE097B028E4F931FD2E417
Malicious:	false
Preview:	2024/08/29-12:37:22.409 1d24 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/08/29-12:37:22.440 1d24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	305
Entropy (8bit):	5.235472850917324
Encrypted:	false
SSDEEP:	6:N5wW0181cNwi23oH+Tcwtkx2KLlL5wW0FQ+q2PcNwi23oH+TcwtCIFUv:NefYZYebkVL1ef++vLZYebLFUv
MD5:	7D9DEB06D57047D88517D597ABB195D6
SHA1:	1A136E35FA2CBDA4F6690B6E52ABB526AC086404
SHA-256:	CE9BC101149472E91675870005DE8F2356247256D701F866380F1617406B4728
SHA-512:	4AE0BCCE735F3CD5683D42B3EE7FF2DD5EBB8980F74C715A57FAFEC7997C4EFCF83E396992322CC5A856DDB5755345B76782E65B0BBF4EA2A802616631525CDD
Malicious:	false
Preview:	2024/08/29-12:37:04.916 1c0c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB since it was missing..2024/08/29-12:37:05.049 1c0c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002110589502647469
Encrypted:	false
SSDEEP:	3:ImtVFlt:IiVFlt
MD5:	04C9B7C580D1A4517C51707483DF8C6E
SHA1:	28527187D3C0E2721F293D38AFA14EDF2A636D87
SHA-256:	C6559EF8EECB7DE4495A9908BA7ACE7053A11F8B0B92DEE7B662260B2C4E13EE
SHA-512:	1581353F091AD1759893DF43CB06126C3B074D5728C04FF6013BD07608AB398E858D0E90BED4B270B1718396619F7243A53CD112D6181FF348531668F35A2549
Malicious:	false
Preview:	VLnk.....?.........M.4./................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.0767832369056223
Encrypted:	false
SSDEEP:	192:erb2qAdB9TbTbuDDsnxCkO4SAE+WslKOMq+vVumYxhWUn66:e/2qOB1nxCkO4SAELyKOMq+vVumaIgp
MD5:	E53991DF30CC918A238AF2E81C2FCD56
SHA1:	32B81B87C22D741910F328FB2C40DBE5DF2DD979
SHA-256:	4A422F75E21481833274B2DA82857198D45F0D13918C463E0A8585820EB19E18
SHA-512:	53C14E51C9B4F1AFDCAA4206CD55CB158B6E11D8CB9920CAB02FF042264F6D915818B121A31A473B8D53B828B712727DEBA2D535C392A8DDCADF784531E11F30
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\a49cac97-35a7-49a2-899d-5f4fa84a8eb0.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24800
Entropy (8bit):	5.566276558588677
Encrypted:	false
SSDEEP:	768:0cAx4bWPcOfJ98F1+UoAYDCx9Tuqh0VfUC9xbog/OVl8f00rwOppGtu6:0cAx4bWPcOfJ9u1jasU0tOmt1
MD5:	65F6B63C708B7972809224368590D1DC
SHA1:	82D5E0B4FD0438684CC2F105FD34DD83CA53EF2D
SHA-256:	26F549B2BA5E87CD524328AD82B2B6518850208F4EAD2D41B4C27D9DB266FABF
SHA-512:	57EAB1BD89F93C5A0F3CDF53E4199DEF5DBA6919AF4537181F97890E2171F1EACB8BEFF60BDFA017F2CF14C9308A1A676E3C817273145B5548D79AC7511CD025
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369423024751513","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369423024751513","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\d88efbde-23b8-4da6-8f1e-76946e5725b1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6534
Entropy (8bit):	4.977248215696264
Encrypted:	false
SSDEEP:	96:st7qfUis1nb9nmlJN8z5s85eh6Cb7/x+6MhmuecmAeryRjQQ2M4/EJ:st7esmrNk5s88bV+FiAnP4MJ
MD5:	3F8A12DA15ED08CDB271FC3981503D5C
SHA1:	B2705E4909C88263A664F11DA1036D8E7CAE91C8
SHA-256:	BC3C7A1DFDDA0A649BBA5C0E6F70ADE01C42B23E9DE809B052C9FA46EB6ACDFD
SHA-512:	254F8589769CA4A50E1A9245F882F53D031F6A380F7B500A032CFF6A55F10348F993079DDDF0C6958A6E8B39A91EC405FA47256AFB9B1999D18613A3BE6D61E4
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369423026208664","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369423026209425"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versi

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:	3:lSWFN3sl+ltlMWll:l9Fys1M
MD5:	A8E75ACC11904CB877E15A0D0DE03941
SHA1:	FBEE05EA246A7F08F7390237EA8B7E49204EF0E0
SHA-256:	D78C40FEBE1BA7EC83660B78E3F6AB7BC45AB822B8F21B03B16B9CB4F3B3A259
SHA-512:	A7B52B0575D451466A47AFFE3DCC0BC7FC9A6F8AB8194DA1F046AADA0EDDCCA76B4326AA9F19732BA50359B51EC72896BB8FA2FC23BAA6847C33AB51218511A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28499812076190567
Encrypted:	false
SSDEEP:	3:7FEG2l/LnlFlFll:7+/l/Ln
MD5:	C41180E9D1DA70161DD2C1109C005512
SHA1:	A10E48B911531E5A83794D6C6CEB8660A471B71E
SHA-256:	EEC88FDB54CB31FA3243EFEABDE5B4800F230441D4731BA6C8A18274F0998127
SHA-512:	9F3F3349672A04C05DD0264DFB95EB7D79045BB63514DA6FDEA0251E7A7F1C616AEE41107911A70399C30716CC05589EBAF921104E908DACE96E0BE80ED27E35
Malicious:	false
Preview:	.... .c.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.050021942291891254
Encrypted:	false
SSDEEP:	6:GLW0Iay8uj9LW0Iay8ujMCL9X8hslotGLNl0ml/XoQDeX:aIfhbIfw6GEjVl/XoQ
MD5:	2379FFE07FC4B942664C51073743C7FC
SHA1:	760398C58A8B156BFB641BB49EEA9A0517C63950
SHA-256:	C72080220EEB1B92B34CB3D6BB5FC8E596288525C904AF672CA8CBAEF6E691F4
SHA-512:	29B113E208D8BE4FE83EB47D58669F5FE3C36B4D06182413A6C1CC48B3282C64FAD5D816968314C1E8CD194630F1010CD26030C561736232134D43158DCB7088
Malicious:	false
Preview:	..-.......................2.nj.!.<....QB..X.la..-.......................2.nj.!.<....QB..X.la........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	70072
Entropy (8bit):	0.9993011055956637
Encrypted:	false
SSDEEP:	48:x8zxam/2lO+3YcbX+Kn9VAKAFXX+z22VAKAFXX+TqxOqVAKAFXX+rnUYVAKAFXXI:qxalibNszCNsTgO5NsaNsDf
MD5:	BC7D88C164F7C0ED94C453D47212086B
SHA1:	487CDD52E158BF5D6D0E18EAFCCE281CD55D5482
SHA-256:	C799392312034C89E718F27A46FECB283841F8E06E051CBB4CAE812FF6BA05FF
SHA-512:	51D4CE211998F855EDF1523F0581184F9469F987970007E2CA3D148D9CB65E8738E28EB32218314E7FEBB5AE7BE6AB77E9C0C4C2FC47144AEB8FA49ABACF916C
Malicious:	false
Preview:	7....-...........<....Q..?..............<....QC.)..4s.SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1566
Entropy (8bit):	5.498078625270067
Encrypted:	false
SSDEEP:	48:gk8wSBSoQmPJHRHlxTIYjIYVzVqkEMYjMYzyGAlkfAlkq3N:q0oQAIYjIYVzVbEMYjMYzYcYH3N
MD5:	741B34FB2E278834A161841066E87FD6
SHA1:	A818ADAA9DF505F52A126BBF0237D71251C556DD
SHA-256:	5FB320A1B6547578A8124AF2896C5DCC771F80FE9453D5E0230EDDC225931D5C
SHA-512:	C498D1FDDE7EDD47B2A5E2EE16D738801FD456B43D95291BCDD2A7E65B46D975D0665E441407FD19CBD047C6620089CBCEB9341E51553332B38879496E577D40
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..&f...................................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel.....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch......4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton.....&4_IPH_FocusHelpBubbleScreenReaderPromo.$IPH_FocusHelpBubbleScreenReaderPromo......4_IPH_GMCCastStartStop...IPH_GMCCastStartStop......4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode......4_IPH_LiveCaption...IPH_LiveCaption......4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage....."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch.....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeature......4_IPH_PriceTrackingChipFeature"..IPH_PriceTrackingChipFeature.....&4_IPH_PriceTrackingEmailConsentFeature.$IPH_PriceTrackingEmailConsentFeature.....-4_IPH_PriceTrackingPageActionIconLabelFeature1.+IPH_PriceTrackingPageActionIconLabelFe

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	301
Entropy (8bit):	5.258622578777382
Encrypted:	false
SSDEEP:	6:N5wW0pND1cNwi23oH+Tcwt0rl2KLlL5wW0qFN39+q2PcNwi23oH+Tcwt0rK+IFUv:NefZZYebeL1ef+mvLZYeb13FUv
MD5:	84BB88B13CAD0DD81E5749FDF6472F2A
SHA1:	1DFDA51855871571A04AD4AA536D51142BDFE2A4
SHA-256:	9EF399314BCD68E57F026452114EED0429D1A9DDE236BAD1381E0F3C11CCC4B1
SHA-512:	78427A1AB8D9408880D47696C0BE18612C81C6E820EDB8ECBC9BA31FADE430E2E038127752D25C5563BD16FD7F8963EEB35192986E8AE20EF23EAA8E2037F530
Malicious:	false
Preview:	2024/08/29-12:37:05.979 1c08 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db since it was missing..2024/08/29-12:37:05.989 1c08 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	729
Entropy (8bit):	3.923555399679033
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Wu2XZmh/U/ct2b/GnIwmC8mvRW:G0nYUtypD3ROmhC/B3
MD5:	96C84FAD661AA45297C5D11D51DEEBEB
SHA1:	4D24C3554A3E924329F09749BD7FE35EFBD01EAC
SHA-256:	AF96A332354A65C7373DC29CC7C8AB3BF6B0538B6B7447D5089615B06D14948C
SHA-512:	EF0B8D70EA418AF73EB3D5A8ECE37B54BE780B63075AB3988BA5B73B2231B8CB0D0CFC22093FBD3B8BE6AEF6B01DF9C390C22A06B962E0661CB0E5415D07223F
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....!....................3_.....n.b..................4_.........................20_........].................20_.....{a...................19_.....f.F..................18_.....7*X..................3_.....X....................4_.....eE,..................37_......0...................38_........'.................39_.....p.j..................9_......@o..................37_.....n5._.................38_.....LZa..................39_.........................9_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	319
Entropy (8bit):	5.227836146962975
Encrypted:	false
SSDEEP:	6:N5wW0fFD1cNwi23oH+Tcwt0rzs52KLlL5wW0nl9+q2PcNwi23oH+Tcwt0rzAdIF2:NeffF5ZYeb99L1efnmvLZYebyFUv
MD5:	1847F5035146AC5013D0F128877074D5
SHA1:	71896D96C46DA9986032596F9689AE3A083CB51B
SHA-256:	09D6CC9AF2B121BD0DC1D20FAE46FDBF2CF17744BB049C0F9AD21DF16B60A0D7
SHA-512:	69E2765213B5C5E57D09B6A92AA5330097833B79D704A8B6A4A8FC203D676DD54A318A18999E8F27D98AF3049EB3E0E7775F23079B5B651B40F54F51CFBDADDE
Malicious:	false
Preview:	2024/08/29-12:37:05.384 1c08 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata since it was missing..2024/08/29-12:37:05.977 1c08 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlGQ+l:Ls3GQ+l
MD5:	9E61306D9DEA6026EB3B527296ADF68E
SHA1:	877F5335AB30ACCA07776D638C80F145A6F9647A
SHA-256:	697F71ECFEEFC4B26FB845E099B66849B34DF119982ECC2923F8693729F38463
SHA-512:	A40D20180EDB5513DCAD53CAAC76E1557845C76D59D00F6719091D90B5EDE4AEC853CB444120843D2CE0EEC88F26E7C6345B527416631126B87E8D0D8C7BCE4D
Malicious:	false
Preview:	........................................<.Y^k./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlH:Ls3H
MD5:	A2592523D6FA2FC4C2AF70411474F033
SHA1:	DBD59B9DA2E761F0B871B1D2D31465BFD9711150
SHA-256:	1778EA4A3DBAB3F92D83351A0FD6243A87F1645120B35C95FE921D64CF338834
SHA-512:	87DA35AE5C91A8C1CB127080A9A0FC85F27356EAAB84BC104AEA3209199F7A29D62548915AC33F8D24C77EE9C02EC0256486B53BBC77CCFBBD76B76D9DEEB303
Malicious:	false
Preview:	.........................................9Z^k./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1e8a5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1e8b5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1ea6a.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF1eaa9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF211b9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF2599f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF2d43e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF2fb5d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF344f9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNl6ull:Ls36u/
MD5:	311187E41FDB0BABC437B90452469A67
SHA1:	2FCDC59F72549E6EECDCB1FE7A8886AF23EB3BAD
SHA-256:	DF93F84B7E4A3606BE27725F1394A1A3B61B71AAD5D024EF4188872851AEE194
SHA-512:	BCBBF221C00610FA3931721FA5A72FE2C0F1B70629901B2C9308AB86CB569F5351E1D981C1EE62F584F155367042170C166A73784D37C6E3A29A78DDD895ADAC
Malicious:	false
Preview:	..........................................4^k./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.5724312513221195
Encrypted:	false
SSDEEP:	3:kDnaV6bVon:kDYa2
MD5:	5692162977B015E31D5F35F50EFAB9CF
SHA1:	705DC80E8B32AC8B68F7E13CF8A75DCCB251ED7D
SHA-256:	42CCB5159B168DBE5D5DDF026E5F7ED3DBF50873CFE47C7C3EF0677BB07B90D4
SHA-512:	32905A4CC5BCE0FE8502DDD32096F40106625218BEDC4E218A344225D6DF2595A7B70EEB3695DCEFDD894ECB2B66BED479654E8E07F02526648E07ACFE47838C
Malicious:	false
Preview:	edgeSettings_2.0-0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.493433469104717
Encrypted:	false
SSDEEP:	3:kfKbQSQSuLA5:kyUc5
MD5:	3F90757B200B52DCF5FDAC696EFD3D60
SHA1:	569A2E1BED9ECCDF7CD03E270AEF2BD7FF9B0E77
SHA-256:	1EE63F0A3502CFB7DF195FABBA41A7805008AB2CCCDAEB9AF990409D163D60C8
SHA-512:	39252BBAA33130DF50F36178A8EAB1D09165666D8A229FBB3495DD01CBE964F87CD2E6FCD479DFCA36BE06309EF18FEDA7F14722C57545203BBA24972D4835C8
Malicious:	false
Preview:	synchronousLookupUris_636976985063396749.rel.v2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.9904355005135823
Encrypted:	false
SSDEEP:	3:0xXF/XctY5GUf+:0RFeUf+
MD5:	E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:	5AAAC173107C688C06944D746394C21535B0514B
SHA-256:	EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:	837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:	false
Preview:	topTraffic_170540185939602997400506234197983529371

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\c19e4566-a6d8-4e18-ba9e-c805fbb19cfd.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70489
Entropy (8bit):	6.072344147398705
Encrypted:	false
SSDEEP:	1536:XMGQ5XMBGFSHKIDPd7AkFDg0dqC3rGts/9QyWnp10e0QIflpZ:XMrJM8AHKanxr9/91CpmzQWfZ
MD5:	8CE8AA8286FA79D4DA26D9B4F7DC864A
SHA1:	105638F5F5FFC84B016F4CFF2B4E8974DADD2A21
SHA-256:	7DAAD57432526A38CA3E90A3DBDAF9EB65673F55A560D1F94AD36E41BC75BBEB
SHA-512:	4495838E596936033CCC6B800965800CE141E1823F94BD54E20F574A669C72AFBEC8ABD912DEBD27EB160106FC9EB0B59CBF259969832D23E01B1AE23C49D847
Malicious:	false
Preview:	{"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4yiCP35c3GslC7pbGWtdjepFQa8o4gNsBaDMhehaeQEDKO6AuQYO0uvD+5/wQXojHN6Y2SPI05Q0YrzvQdAR90ulreieqdtVSV

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\cf4b2502-ca5b-4701-98e8-37836f8db63f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.53409596767476
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtKJvGOgCul906yikHJdXBuBuwBraQbmNhBOX3QQRCYfYg:YuBqDPafAuOgtdygBzBrfbQBOQB0
MD5:	B7867D4D3D768EAC299A02004532C06D
SHA1:	82BCA57E779D18211126EE06D42DE4BCA3DC5C3C
SHA-256:	60A1DC46E10046F13B14B9A7817C27C45AEB84211DAA960EDA7EB881BE00CE66
SHA-512:	C66C481A928FA3DB45563DC9AB49D3F7DE7A9A655D8857663CBE63D5904AE9262805B755E98253CD762CE863AC0A8C65F19921DFA1D69BB057EEBB6098C2F8ED
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACH+3dFVX0/TYwtvvfjklDyEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAD6D0keWezfOivqtbA2CWb3fUs4uXevORHKBVHDQhQ33gAAAAAOgAAAAAIAACAAAADNYeNgw0KbdoXUh7JcsEcpo7E6BYhQiHMF6mD9HBeV3zAAAACEMJJN+SQzp0xaJjluzsbvC1U+LBVBbdh4mOhM37WTZbNwh7VkqKKied4kpy0RI11AAAAA3qmOyfxKtfTKrMGhPA2uJt1KJ/WktKAna2O5CIcbZqUgvtFdBXAD+0mihgtAE75XXnGCGnzLajxuWpZ+t4xtZw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369423024091089","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724949423"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\f2fd950d-e59c-4998-83b6-8ffc433e9cfd.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24023
Entropy (8bit):	6.055476226790093
Encrypted:	false
SSDEEP:	384:dtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NGAO0mBbqdFVEQIflbRT9ljFgC:XMGQ7FCYXGIgtDAWtJ4nHBxQIflXx/
MD5:	11EED393B042675F77D4458B4174C784
SHA1:	A5150A1A581B8025DEA0DD44AF9A0440A4CC450F
SHA-256:	2A4738AB4630640343FDDE3BAA525E3288F3781BA08677922337BF21BBC3C3A7
SHA-512:	24A812FE00B2DF10A44275FD2C1DB151CD1A0AE457D1BDE598C74351173559CADCF2D81A2373D6B7D03590076B5E42113016A3A1D89C7501126AB0C6D05FAC3F
Malicious:	false
Preview:	{"domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4yiCP35c3GslC7pbGWtdjepFQa8o4gNsBaDMhehaeQEDKO6AuQYO0uvD+5/wQXojHN6Y2SPI05Q0YrzvQdAR90ulreieqdtVSV

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\6466ebb9-7c6c-4bb4-9383-317de9cfdbc5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57692
Entropy (8bit):	6.103698136615654
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yONPGWv/sxtwx7j7VLyMV/YoskFoz:z/0+zI7yOtv/4KxVeZoskG
MD5:	A4739B9D7E9953498DA792A2621BFE93
SHA1:	80ADD8AA3DEE74A3B80FB21ED5C5467A6441F58A
SHA-256:	1BA6D7CD86453CA2F25F86B14E159436598B7ABB8BB4F9FC471AC96A14AB32B0
SHA-512:	B81F2AE631F84DB7E9F05F05FD388CDFD60CA612413B3B3878E32737C7A205A0611A6855E893B9AC1B97B5894EA67280AA17EA53712E7C0A8EDE877F59A15067
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\70ea84a5-9902-4394-867f-6357ba4fef71.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57692
Entropy (8bit):	6.103979511535766
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yOIPGWv/sxtwDj7VLyMV/YoskFoz:z/0+zI7yOcv/4KDVeZoskG
MD5:	A61295E3F6F75679F6D9F68904DE872C
SHA1:	40F9ACC4D592A1F3C18A038B142B7AF1F27EF1A3
SHA-256:	C7E17F3D1872759BFF8ED80370E86CE5158A5B1D6CB425390092CE7E8EC07902
SHA-512:	EDD924EA6669935E355E6F0B8500C1928586D494BF8104F971FB51FA5396AF397382289F5A69419A23C3B16446073A677F54B6C491998E6D4757A0C47A966721
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\7f1a0d9e-96b3-41ea-8427-7f8ee0703734.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57692
Entropy (8bit):	6.103698136615654
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yONPGWv/sxtwx7j7VLyMV/YoskFoz:z/0+zI7yOtv/4KxVeZoskG
MD5:	A4739B9D7E9953498DA792A2621BFE93
SHA1:	80ADD8AA3DEE74A3B80FB21ED5C5467A6441F58A
SHA-256:	1BA6D7CD86453CA2F25F86B14E159436598B7ABB8BB4F9FC471AC96A14AB32B0
SHA-512:	B81F2AE631F84DB7E9F05F05FD388CDFD60CA612413B3B3878E32737C7A205A0611A6855E893B9AC1B97B5894EA67280AA17EA53712E7C0A8EDE877F59A15067
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9972b95c-7deb-4d5c-8fe7-34b65c888089.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57691
Entropy (8bit):	6.103693678156088
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yOOPGWv/sxtwc7j7VLyMV/YoskFoz:z/0+zI7yOqv/4KuVeZoskG
MD5:	0D537256241DD589F202006DFEA80087
SHA1:	9F4B75FFE76B4F95D1BF46BA94F1A9750A6CFEB9
SHA-256:	342D76A31AC8FC673BCC606DB95B1AB4740B83BB8A651357D2B329732D47BF76
SHA-512:	19D7346586C19EFDEBF697275DF732F993E687F881BA890AB32CA59CF047D298FA4AB3AF8899DE6F77B9C0140D54D841E9001DE64965C15791A7FEA815C25D80
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66D0A3C2-19D0.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.1592708112336212
Encrypted:	false
SSDEEP:	1536:0EZLh/UHqgvrmoklRG1FsqAL8x7d44p5ORG:0sLZGqgvHkabsqAL644p5n
MD5:	920CD5ACD1E19D5CF0C61476848802F6
SHA1:	29A13438E0AA402D88A3C83815EC080B4B3F5979
SHA-256:	02F35A7BC56C07C5EE45CF61C72519D9B8C1BC4790F9DC7361D2587625EA7724
SHA-512:	37ACC6CF300CBFCBD9EF22C099E2B74B145A672481AB66934E82540779CEBD030C8C4FFE85D559A42E7BBC56DEF6BDC5286CA9D23C7D6D8CB382B7E7DC700AA3
Malicious:	false
Preview:	...@..@...@.....C.].....@...................8...............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".kgobgb20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@...............................0...w..U].0r........>.........."....."...24.."."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....l....'@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2.......y...... .2.........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66D0BD80-1DD4.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.1298884987806058
Encrypted:	false
SSDEEP:	1536:wRZqxuVX/xbgqSweSyZRGRS12Ofp0RRG:wHqxGX/xbgVSye4rfp0G
MD5:	954E023CDCBD26B11859966D1F5FF857
SHA1:	9283301AD4E79107962CAC6AF0EA5127AFF4D03A
SHA-256:	58C6B17B1D6E2AE7536EE3A8A0286676874434776A847B6C0E56F7540D85AC45
SHA-512:	6899491365E44C6BAF4804B57E91CCC11712D4875CE34F7E0AF8CCA83D44326E3024714B65A95AB600358A890D86C6DF6022E4D81E61E145D2F00092E433EAAF
Malicious:	false
Preview:	...@..@...@.....C.].....@................(..................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?.......".kgobgb20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@...............................0...w..U].0r........>.........."....."...24.."."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z....l....'@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2................. ....2......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.16517681506792
Encrypted:	false
SSDEEP:	3:FiWWltlrPYjpVjP9M4UcLH3RvwAH/llwBVP/Sh/Jzv/jSIHmsdJEU9VUn5lt:o1rPWVjWZq3RvtNlwBVsJDL7b/3U7
MD5:	C847567DEE0317368C1EC824DE025887
SHA1:	554098F22FEA9282FE1AAB35560849CD6FF546B1
SHA-256:	3CF2B1CBE4F4CCFC640BCF581FD4D9FC84254D2B3839C96EA4909B61AAF28932
SHA-512:	A976744405F6ABEBFB7513A3A6A776680334BB94A9E52AEEFE2B05259BCB3CF9781B1CCDA3655D8AA4C1E923143168F29EF3208F81ABCB93AFF5215ED3798219
Malicious:	false
Preview:	sdPC.....................!...W.F....+F."xDkc0HT9c2ekfj/3J+6x4yELW+Knys1OtBnWqRtJUmw="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................8889edf7-b09d-4a45-9ea5-adabbfd01bb9............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\0e0750a8-166f-4118-bd83-2f754ddd55b9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\65e90864-a99a-4d13-bef4-09d189ed2f41.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.191851875135012
Encrypted:	false
SSDEEP:	6:N5wW2P1yq2PcNwi23oH+TcwtnG2tMsIFUt885wW2YNj1Zmw+85wW2YN1RkwOcNwL:NeSvLZYebn9GFUt88eU1/+8e254ZYebB
MD5:	3E923EA56D05A524A58BF44AE3BCD374
SHA1:	504D182CB7F5E9055C795819405498B50C408A8E
SHA-256:	C88C905B0AD84B907A335A8C5E1A2FD16D7845FC22BE4BBFD7C4A0FC6A30FF9B
SHA-512:	1A3A20A8B249CBE344300418CF02D4D91575BEC4EC9E883FCF4BA2C3837E7FD1547EC32CA0B2064F3B034EBF066BCF1D00D5FBE460160EAA855AA8973B43F97F
Malicious:	false
Preview:	2024/08/29-12:37:23.005 23a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/29-12:37:23.006 23a0 Recovering log #3.2024/08/29-12:37:23.006 23a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.191851875135012
Encrypted:	false
SSDEEP:	6:N5wW2P1yq2PcNwi23oH+TcwtnG2tMsIFUt885wW2YNj1Zmw+85wW2YN1RkwOcNwL:NeSvLZYebn9GFUt88eU1/+8e254ZYebB
MD5:	3E923EA56D05A524A58BF44AE3BCD374
SHA1:	504D182CB7F5E9055C795819405498B50C408A8E
SHA-256:	C88C905B0AD84B907A335A8C5E1A2FD16D7845FC22BE4BBFD7C4A0FC6A30FF9B
SHA-512:	1A3A20A8B249CBE344300418CF02D4D91575BEC4EC9E883FCF4BA2C3837E7FD1547EC32CA0B2064F3B034EBF066BCF1D00D5FBE460160EAA855AA8973B43F97F
Malicious:	false
Preview:	2024/08/29-12:37:23.005 23a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/29-12:37:23.006 23a0 Recovering log #3.2024/08/29-12:37:23.006 23a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF24feb.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.191851875135012
Encrypted:	false
SSDEEP:	6:N5wW2P1yq2PcNwi23oH+TcwtnG2tMsIFUt885wW2YNj1Zmw+85wW2YN1RkwOcNwL:NeSvLZYebn9GFUt88eU1/+8e254ZYebB
MD5:	3E923EA56D05A524A58BF44AE3BCD374
SHA1:	504D182CB7F5E9055C795819405498B50C408A8E
SHA-256:	C88C905B0AD84B907A335A8C5E1A2FD16D7845FC22BE4BBFD7C4A0FC6A30FF9B
SHA-512:	1A3A20A8B249CBE344300418CF02D4D91575BEC4EC9E883FCF4BA2C3837E7FD1547EC32CA0B2064F3B034EBF066BCF1D00D5FBE460160EAA855AA8973B43F97F
Malicious:	false
Preview:	2024/08/29-12:37:23.005 23a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/29-12:37:23.006 23a0 Recovering log #3.2024/08/29-12:37:23.006 23a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.163506083124695
Encrypted:	false
SSDEEP:	6:N5wW2Z/+q2PcNwi23oH+Tcwt8aPrqIFUt885wW2yZZmw+85wW2yNVkwOcNwi23oD:NemvLZYebL3FUt88eY/+8eA54ZYebQJ
MD5:	014F13211BB31320D4097A6EF41B69B8
SHA1:	E5539F67A7008097B7246AA7BC4BFCFC46F22B10
SHA-256:	871E0CF94C457C54ABE965D05DAEB779BD769BF2B3F8A099659F905C81DFFBD3
SHA-512:	BC0C0A02ABCF66A130D484E81CCE4825398B2771523430C0353FC90AE7BAB304C8B77D385348816D4B3E86A1B906C7629DE16BE2F455457FF54CE38A8F602CE5
Malicious:	false
Preview:	2024/08/29-12:37:23.008 2388 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/29-12:37:23.009 2388 Recovering log #3.2024/08/29-12:37:23.009 2388 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.163506083124695
Encrypted:	false
SSDEEP:	6:N5wW2Z/+q2PcNwi23oH+Tcwt8aPrqIFUt885wW2yZZmw+85wW2yNVkwOcNwi23oD:NemvLZYebL3FUt88eY/+8eA54ZYebQJ
MD5:	014F13211BB31320D4097A6EF41B69B8
SHA1:	E5539F67A7008097B7246AA7BC4BFCFC46F22B10
SHA-256:	871E0CF94C457C54ABE965D05DAEB779BD769BF2B3F8A099659F905C81DFFBD3
SHA-512:	BC0C0A02ABCF66A130D484E81CCE4825398B2771523430C0353FC90AE7BAB304C8B77D385348816D4B3E86A1B906C7629DE16BE2F455457FF54CE38A8F602CE5
Malicious:	false
Preview:	2024/08/29-12:37:23.008 2388 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/29-12:37:23.009 2388 Recovering log #3.2024/08/29-12:37:23.009 2388 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.193532175272301
Encrypted:	false
SSDEEP:	6:N5wW2zN+q2PcNwi23oH+Tcwt865IFUt885wW2zZZmw+85wW2zNVkwOcNwi23oH+v:NelIvLZYeb/WFUt88elZ/+8elz54ZYev
MD5:	F3D3908B3971CDB92BD236883379EEA1
SHA1:	A0EE70EC56D3EA54DF0863E8B150499DBBEF259A
SHA-256:	2B2B6991108688AF4B991BA59D7AA765BD1054E856CB3A3331D361909FF291C5
SHA-512:	71B548A535FFBAC6E7C81B6E743467D4A9C5A98CF1867E6DC507A1AD90DF56605E531ABB793BE859B4287E519C60CC3F2E0D045DDF21D16505999AF69EC2FFD4
Malicious:	false
Preview:	2024/08/29-12:37:23.026 2388 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/29-12:37:23.026 2388 Recovering log #3.2024/08/29-12:37:23.026 2388 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.193532175272301
Encrypted:	false
SSDEEP:	6:N5wW2zN+q2PcNwi23oH+Tcwt865IFUt885wW2zZZmw+85wW2zNVkwOcNwi23oH+v:NelIvLZYeb/WFUt88elZ/+8elz54ZYev
MD5:	F3D3908B3971CDB92BD236883379EEA1
SHA1:	A0EE70EC56D3EA54DF0863E8B150499DBBEF259A
SHA-256:	2B2B6991108688AF4B991BA59D7AA765BD1054E856CB3A3331D361909FF291C5
SHA-512:	71B548A535FFBAC6E7C81B6E743467D4A9C5A98CF1867E6DC507A1AD90DF56605E531ABB793BE859B4287E519C60CC3F2E0D045DDF21D16505999AF69EC2FFD4
Malicious:	false
Preview:	2024/08/29-12:37:23.026 2388 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/29-12:37:23.026 2388 Recovering log #3.2024/08/29-12:37:23.026 2388 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.228004525571101
Encrypted:	false
SSDEEP:	6:N5iMtVVIq2PcNwi23oH+Tcwt8NIFUt885iMtVVZZmw+85iMvVkwOcNwi23oH+TcN:NhfevLZYebpFUt88hfn/+8hvV54ZYeb2
MD5:	5D79241FDDFE388B0ABE86D00BF84DB8
SHA1:	B172A9E901732C33DB473A6C236DFB79FE49A255
SHA-256:	BA9BD6AC2B11E2C5428D259C8FDF12C2391A7A1BC44A5AA58CB782FF77DF5CE1
SHA-512:	A000B19241F64BC9183C3E070FAAC9A8170CB1904EE0165B5F4C22704E28222454B01D7584E00DA76806B5C3901281345C5B49FBEA41AF92DEE2275F81C46174
Malicious:	false
Preview:	2024/08/29-14:27:13.242 1560 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/29-14:27:13.242 1560 Recovering log #3.2024/08/29-14:27:13.268 1560 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.228004525571101
Encrypted:	false
SSDEEP:	6:N5iMtVVIq2PcNwi23oH+Tcwt8NIFUt885iMtVVZZmw+85iMvVkwOcNwi23oH+TcN:NhfevLZYebpFUt88hfn/+8hvV54ZYeb2
MD5:	5D79241FDDFE388B0ABE86D00BF84DB8
SHA1:	B172A9E901732C33DB473A6C236DFB79FE49A255
SHA-256:	BA9BD6AC2B11E2C5428D259C8FDF12C2391A7A1BC44A5AA58CB782FF77DF5CE1
SHA-512:	A000B19241F64BC9183C3E070FAAC9A8170CB1904EE0165B5F4C22704E28222454B01D7584E00DA76806B5C3901281345C5B49FBEA41AF92DEE2275F81C46174
Malicious:	false
Preview:	2024/08/29-14:27:13.242 1560 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/29-14:27:13.242 1560 Recovering log #3.2024/08/29-14:27:13.268 1560 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old~RF25049.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	330
Entropy (8bit):	5.228004525571101
Encrypted:	false
SSDEEP:	6:N5iMtVVIq2PcNwi23oH+Tcwt8NIFUt885iMtVVZZmw+85iMvVkwOcNwi23oH+TcN:NhfevLZYebpFUt88hfn/+8hvV54ZYeb2
MD5:	5D79241FDDFE388B0ABE86D00BF84DB8
SHA1:	B172A9E901732C33DB473A6C236DFB79FE49A255
SHA-256:	BA9BD6AC2B11E2C5428D259C8FDF12C2391A7A1BC44A5AA58CB782FF77DF5CE1
SHA-512:	A000B19241F64BC9183C3E070FAAC9A8170CB1904EE0165B5F4C22704E28222454B01D7584E00DA76806B5C3901281345C5B49FBEA41AF92DEE2275F81C46174
Malicious:	false
Preview:	2024/08/29-14:27:13.242 1560 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/29-14:27:13.242 1560 Recovering log #3.2024/08/29-14:27:13.268 1560 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\4821ed8d-cecd-463d-a9a2-05714c017d2e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\4891e647-d12e-4755-a269-b3d3c9f40c61.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7637
Entropy (8bit):	5.0884173004967455
Encrypted:	false
SSDEEP:	96:st+qKns1LbDhQomXKaCvlPm8zc2sY5eh6Cb7/x+6MhmuecmAeidDcWCML/EJ:st+nsYomaNPmkc2sY8bV+FiAPcWbLMJ
MD5:	6443792F6A017D592B9E267DE2691516
SHA1:	E6735C86E6849B4A897DDB2D17355BEF0B490FFC
SHA-256:	33F1E30968C125C16D09885AAA830F44FA76C6167EC42A524022F966E4C35502
SHA-512:	050708766E3A10B53C1EF37F228E10D6913BC74982B48F2AEEE37603EDE8B1BDFE1D7927D68E3BB61E012CFBC009A1C17E1910B723888514D1C5F7CC38CBB704
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369423043102744","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340965216736509"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF250a6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7637
Entropy (8bit):	5.0884173004967455
Encrypted:	false
SSDEEP:	96:st+qKns1LbDhQomXKaCvlPm8zc2sY5eh6Cb7/x+6MhmuecmAeidDcWCML/EJ:st+nsYomaNPmkc2sY8bV+FiAPcWbLMJ
MD5:	6443792F6A017D592B9E267DE2691516
SHA1:	E6735C86E6849B4A897DDB2D17355BEF0B490FFC
SHA-256:	33F1E30968C125C16D09885AAA830F44FA76C6167EC42A524022F966E4C35502
SHA-512:	050708766E3A10B53C1EF37F228E10D6913BC74982B48F2AEEE37603EDE8B1BDFE1D7927D68E3BB61E012CFBC009A1C17E1910B723888514D1C5F7CC38CBB704
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369423043102744","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340965216736509"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.568670823882935
Encrypted:	false
SSDEEP:	768:H+AWdOWP+1fwn8F1+UoAYDCx9Tuqh0VfUC9xbog/OV4BDJRrwrpItuF:H+AWdOWP+1fwnu1jaNBJiutS
MD5:	1AD0E16D0A0D9101B5CD8D70B4698C84
SHA1:	2227A7A2E89E25EA9D8C83D6C328B040AC8936F2
SHA-256:	B38BB838AB77DC64BD9477426111DD5A80491C3C490414E9472A1823DBDC6E84
SHA-512:	9F87DB012A376E8539C7101D8B8D608B5AEEA2F423CCA93AD9C6110247FDA72E83D5A85A15EE42253EED969A42465CD97102FEE76A7C07F619D0E4996D9E55F7
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369423042694817","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369423042694817","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.134581261375153
Encrypted:	false
SSDEEP:	6:N5wW2yv1yq2PcNwi23oH+Tcwt7Uh2ghZIFUt885wW2DF3j1Zmw+85wW2DF31Rkwh:NeYAvLZYebIhHh2FUt88en1/+8en54Z0
MD5:	34F909327CF9ACC12E8055C31A897664
SHA1:	45F8629F089F0B42D9ACD1F754CB088CA2D667B5
SHA-256:	FA0DD1A96D87164BA14E523055D6D4D231D6AAAB5C757340036F2B0D26462174
SHA-512:	FD66826692A5048267EFA91A56F88F1141A14A2D7FE00BA61E3B433BB4F5D93599BDC43D39057AC82BFF6EA30A49DBB013845920EA885D5EBF41710A1C6F9EAE
Malicious:	false
Preview:	2024/08/29-12:37:22.997 23a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/29-12:37:22.998 23a0 Recovering log #3.2024/08/29-12:37:22.998 23a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.134581261375153
Encrypted:	false
SSDEEP:	6:N5wW2yv1yq2PcNwi23oH+Tcwt7Uh2ghZIFUt885wW2DF3j1Zmw+85wW2DF31Rkwh:NeYAvLZYebIhHh2FUt88en1/+8en54Z0
MD5:	34F909327CF9ACC12E8055C31A897664
SHA1:	45F8629F089F0B42D9ACD1F754CB088CA2D667B5
SHA-256:	FA0DD1A96D87164BA14E523055D6D4D231D6AAAB5C757340036F2B0D26462174
SHA-512:	FD66826692A5048267EFA91A56F88F1141A14A2D7FE00BA61E3B433BB4F5D93599BDC43D39057AC82BFF6EA30A49DBB013845920EA885D5EBF41710A1C6F9EAE
Malicious:	false
Preview:	2024/08/29-12:37:22.997 23a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/29-12:37:22.998 23a0 Recovering log #3.2024/08/29-12:37:22.998 23a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF25058.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.134581261375153
Encrypted:	false
SSDEEP:	6:N5wW2yv1yq2PcNwi23oH+Tcwt7Uh2ghZIFUt885wW2DF3j1Zmw+85wW2DF31Rkwh:NeYAvLZYebIhHh2FUt88en1/+8en54Z0
MD5:	34F909327CF9ACC12E8055C31A897664
SHA1:	45F8629F089F0B42D9ACD1F754CB088CA2D667B5
SHA-256:	FA0DD1A96D87164BA14E523055D6D4D231D6AAAB5C757340036F2B0D26462174
SHA-512:	FD66826692A5048267EFA91A56F88F1141A14A2D7FE00BA61E3B433BB4F5D93599BDC43D39057AC82BFF6EA30A49DBB013845920EA885D5EBF41710A1C6F9EAE
Malicious:	false
Preview:	2024/08/29-12:37:22.997 23a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/29-12:37:22.998 23a0 Recovering log #3.2024/08/29-12:37:22.998 23a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.213552531465926
Encrypted:	false
SSDEEP:	6:N5wW2k0Vq2PcNwi23oH+TcwtpIFUt885wW2EgZmw+85wW2EIkwOcNwi23oH+Tcwd:NeTvLZYebmFUt88eD/+8eZ54ZYebaUJ
MD5:	6866EF8A3A880B67E26E3146ACD6C3EF
SHA1:	A4803E14E0409251C732FD93AC9DEAF463A60165
SHA-256:	104F83EF01F686BDD9B58084E73019526E0BD4895618E9CB52FB34BE1CACD7D4
SHA-512:	3C7536E1BB0E0962D30352DE879179DFCCEA59582420986055154BE2C8AACBAA16F069D62AAC08E34F6E2D90177ABD26841708B2E2EBA2A6663E44C062643B85
Malicious:	false
Preview:	2024/08/29-12:37:23.087 2274 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/29-12:37:23.088 2274 Recovering log #3.2024/08/29-12:37:23.088 2274 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.213552531465926
Encrypted:	false
SSDEEP:	6:N5wW2k0Vq2PcNwi23oH+TcwtpIFUt885wW2EgZmw+85wW2EIkwOcNwi23oH+Tcwd:NeTvLZYebmFUt88eD/+8eZ54ZYebaUJ
MD5:	6866EF8A3A880B67E26E3146ACD6C3EF
SHA1:	A4803E14E0409251C732FD93AC9DEAF463A60165
SHA-256:	104F83EF01F686BDD9B58084E73019526E0BD4895618E9CB52FB34BE1CACD7D4
SHA-512:	3C7536E1BB0E0962D30352DE879179DFCCEA59582420986055154BE2C8AACBAA16F069D62AAC08E34F6E2D90177ABD26841708B2E2EBA2A6663E44C062643B85
Malicious:	false
Preview:	2024/08/29-12:37:23.087 2274 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/29-12:37:23.088 2274 Recovering log #3.2024/08/29-12:37:23.088 2274 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF24f7d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	334
Entropy (8bit):	5.213552531465926
Encrypted:	false
SSDEEP:	6:N5wW2k0Vq2PcNwi23oH+TcwtpIFUt885wW2EgZmw+85wW2EIkwOcNwi23oH+Tcwd:NeTvLZYebmFUt88eD/+8eZ54ZYebaUJ
MD5:	6866EF8A3A880B67E26E3146ACD6C3EF
SHA1:	A4803E14E0409251C732FD93AC9DEAF463A60165
SHA-256:	104F83EF01F686BDD9B58084E73019526E0BD4895618E9CB52FB34BE1CACD7D4
SHA-512:	3C7536E1BB0E0962D30352DE879179DFCCEA59582420986055154BE2C8AACBAA16F069D62AAC08E34F6E2D90177ABD26841708B2E2EBA2A6663E44C062643B85
Malicious:	false
Preview:	2024/08/29-12:37:23.087 2274 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/29-12:37:23.088 2274 Recovering log #3.2024/08/29-12:37:23.088 2274 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 9, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 9
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1224500839195235
Encrypted:	false
SSDEEP:	384:KdM2qOB1nxCktSAELyKOMq+8HKkjucswRv8p3:Kvq+n0y9ELyKOMq+8HKkjuczRv89
MD5:	CB766C9B54AAC37661533172E04871C9
SHA1:	7CF2E8C74F93251B97D2920E4C752BD749D4544E
SHA-256:	074B45EE68992A767F27D0BE09267383C85FF59EE1D401C6183F6C3FD096D5F9
SHA-512:	F95A7B8B2809629A4E423821C3FCE8D9C49A3AADEDF303D1ED7CF59366EC6C5FF3991814FC37AD4D2DA16AD1CAE2272AE4FCB8AE68002D556D04D94690679A4A
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\aebcf912-4c7c-4945-8575-7b98c139c744.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.568670823882935
Encrypted:	false
SSDEEP:	768:H+AWdOWP+1fwn8F1+UoAYDCx9Tuqh0VfUC9xbog/OV4BDJRrwrpItuF:H+AWdOWP+1fwnu1jaNBJiutS
MD5:	1AD0E16D0A0D9101B5CD8D70B4698C84
SHA1:	2227A7A2E89E25EA9D8C83D6C328B040AC8936F2
SHA-256:	B38BB838AB77DC64BD9477426111DD5A80491C3C490414E9472A1823DBDC6E84
SHA-512:	9F87DB012A376E8539C7101D8B8D608B5AEEA2F423CCA93AD9C6110247FDA72E83D5A85A15EE42253EED969A42465CD97102FEE76A7C07F619D0E4996D9E55F7
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369423042694817","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369423042694817","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\c6a0ed54-9cba-4b31-a379-1b2f281ddd95.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\eeadeb4f-695d-4a06-a8a8-d353cca3b6df.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	7637
Entropy (8bit):	5.0884173004967455
Encrypted:	false
SSDEEP:	96:st+qKns1LbDhQomXKaCvlPm8zc2sY5eh6Cb7/x+6MhmuecmAeidDcWCML/EJ:st+nsYomaNPmkc2sY8bV+FiAPcWbLMJ
MD5:	6443792F6A017D592B9E267DE2691516
SHA1:	E6735C86E6849B4A897DDB2D17355BEF0B490FFC
SHA-256:	33F1E30968C125C16D09885AAA830F44FA76C6167EC42A524022F966E4C35502
SHA-512:	050708766E3A10B53C1EF37F228E10D6913BC74982B48F2AEEE37603EDE8B1BDFE1D7927D68E3BB61E012CFBC009A1C17E1910B723888514D1C5F7CC38CBB704
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369423043102744","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340965831357520","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340965216736509"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\f4bbacee-d4cf-4273-a05b-f6825bc5656e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4108834313259155
Encrypted:	false
SSDEEP:	24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8e+ZcI5fc:TnUYVAKAFXX+CcEc
MD5:	8593795778EA3EC8221366AA2FBBA867
SHA1:	2F307D4925183EA13E7BE637CB93ECAF2BA9810A
SHA-256:	F3C17873660988454A5A403D047FCE88379D1FE8917A89C98E6EB940F8929C03
SHA-512:	CC86DD61ACEDA6F2927C4C23CBD6D426F2C8CD1DF65E342C76D07153ACBF801F9B297F8EF182097CBABBDE6A49C90AF0E7A38E49AB53DF3FD2EC2D5BC675099A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049853797302745535
Encrypted:	false
SSDEEP:	6:Gd0VmH0Vw/CL9XCChslotGLNl0ml/XoQDeX:zcU66pEjVl/XoQ
MD5:	B887C3B344F41AE8E5D1C87A1E69FE2E
SHA1:	6E825A7C70667BAAB4BADC6497C14B6A7DC60359
SHA-256:	1DF0A503295E7C7643FE77610E74DDB87EC0CB7C660C21716662AC62C67379FA
SHA-512:	8E7E3C572B88059C6F5EA32605712E87F93FEF85FA28AB0F1247C04B279B4DC0D1D338E6050568282915DE3B509CD957B20C065F77D2345206EA229AC6D60D9B
Malicious:	false
Preview:	..-.....................B..".q.43.-......~.~v}..-.....................B..".q.43.-......~.~v}........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103050230109318
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7ynOPGWv/sxtwB7VLyMV/YoskFoz:z/0+zI7ynqv/4K5VeZoskG
MD5:	74EB7FF874D4E30EA5DCECF3D8C772D4
SHA1:	976E49A1611C170841CFC9EFAFC79BE91C96D568
SHA-256:	A641389D4D055C76684D8C45C9D5F66F643456597445ED84338A8FC80F66006F
SHA-512:	8FB1BA6A154F222AC57EB9386A14248EBE0F50A40DE846D812A71A76B0CA08A79ABCFB3C403EF112995BC90FDE3D58449F7BBA985E65A92B6A8A4F3EFD494A5D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF23186.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103050230109318
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7ynOPGWv/sxtwB7VLyMV/YoskFoz:z/0+zI7ynqv/4K5VeZoskG
MD5:	74EB7FF874D4E30EA5DCECF3D8C772D4
SHA1:	976E49A1611C170841CFC9EFAFC79BE91C96D568
SHA-256:	A641389D4D055C76684D8C45C9D5F66F643456597445ED84338A8FC80F66006F
SHA-512:	8FB1BA6A154F222AC57EB9386A14248EBE0F50A40DE846D812A71A76B0CA08A79ABCFB3C403EF112995BC90FDE3D58449F7BBA985E65A92B6A8A4F3EFD494A5D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF2331c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103050230109318
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7ynOPGWv/sxtwB7VLyMV/YoskFoz:z/0+zI7ynqv/4K5VeZoskG
MD5:	74EB7FF874D4E30EA5DCECF3D8C772D4
SHA1:	976E49A1611C170841CFC9EFAFC79BE91C96D568
SHA-256:	A641389D4D055C76684D8C45C9D5F66F643456597445ED84338A8FC80F66006F
SHA-512:	8FB1BA6A154F222AC57EB9386A14248EBE0F50A40DE846D812A71A76B0CA08A79ABCFB3C403EF112995BC90FDE3D58449F7BBA985E65A92B6A8A4F3EFD494A5D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF23454.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103050230109318
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7ynOPGWv/sxtwB7VLyMV/YoskFoz:z/0+zI7ynqv/4K5VeZoskG
MD5:	74EB7FF874D4E30EA5DCECF3D8C772D4
SHA1:	976E49A1611C170841CFC9EFAFC79BE91C96D568
SHA-256:	A641389D4D055C76684D8C45C9D5F66F643456597445ED84338A8FC80F66006F
SHA-512:	8FB1BA6A154F222AC57EB9386A14248EBE0F50A40DE846D812A71A76B0CA08A79ABCFB3C403EF112995BC90FDE3D58449F7BBA985E65A92B6A8A4F3EFD494A5D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF25029.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103050230109318
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7ynOPGWv/sxtwB7VLyMV/YoskFoz:z/0+zI7ynqv/4K5VeZoskG
MD5:	74EB7FF874D4E30EA5DCECF3D8C772D4
SHA1:	976E49A1611C170841CFC9EFAFC79BE91C96D568
SHA-256:	A641389D4D055C76684D8C45C9D5F66F643456597445ED84338A8FC80F66006F
SHA-512:	8FB1BA6A154F222AC57EB9386A14248EBE0F50A40DE846D812A71A76B0CA08A79ABCFB3C403EF112995BC90FDE3D58449F7BBA985E65A92B6A8A4F3EFD494A5D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF25077.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103050230109318
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7ynOPGWv/sxtwB7VLyMV/YoskFoz:z/0+zI7ynqv/4K5VeZoskG
MD5:	74EB7FF874D4E30EA5DCECF3D8C772D4
SHA1:	976E49A1611C170841CFC9EFAFC79BE91C96D568
SHA-256:	A641389D4D055C76684D8C45C9D5F66F643456597445ED84338A8FC80F66006F
SHA-512:	8FB1BA6A154F222AC57EB9386A14248EBE0F50A40DE846D812A71A76B0CA08A79ABCFB3C403EF112995BC90FDE3D58449F7BBA985E65A92B6A8A4F3EFD494A5D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF250a6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103050230109318
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7ynOPGWv/sxtwB7VLyMV/YoskFoz:z/0+zI7ynqv/4K5VeZoskG
MD5:	74EB7FF874D4E30EA5DCECF3D8C772D4
SHA1:	976E49A1611C170841CFC9EFAFC79BE91C96D568
SHA-256:	A641389D4D055C76684D8C45C9D5F66F643456597445ED84338A8FC80F66006F
SHA-512:	8FB1BA6A154F222AC57EB9386A14248EBE0F50A40DE846D812A71A76B0CA08A79ABCFB3C403EF112995BC90FDE3D58449F7BBA985E65A92B6A8A4F3EFD494A5D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zEflTRVKll:/M/xT02zh
MD5:	2AC043FFC3FB1489EB37C88AD37E8FC9
SHA1:	F630FBEA845C4A7E82D9CF69129185867D9A804C
SHA-256:	7496563BC0997748A353EEAE2387BAE31553E79B298C47D12B6172C11C10AE47
SHA-512:	58EA541FBDE756B3488E0C9FD3740ECB9153B01CDA6DAA98C2DBDA82130A431A673E3B77006DDA8ABB58182600A5931713DA064F2A85793F96DD83E791191DA0
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQp:YQ3Kq9X0dMgAEiLIj
MD5:	8549C255650427D618EF18B14DFD2B56
SHA1:	8272585186777B344DB3960DF62B00F570D247F6
SHA-256:	40395D9CA4B65D48DEAC792844A77D4F8051F1CEF30DF561DACFEEED3C3BAE13
SHA-512:	E5BB8A0AD338372635C3629E306604E3DC5A5C26FB5547A3DD7E404E5261630612C07326E7EBF5B47ABAFADE8E555965A1A59A1EECFC496DCDD5003048898A8C
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\bed76ed2-7432-4783-9cf6-e7de0ec2d86d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	56066
Entropy (8bit):	6.103050230109318
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7ynOPGWv/sxtwB7VLyMV/YoskFoz:z/0+zI7ynqv/4K5VeZoskG
MD5:	74EB7FF874D4E30EA5DCECF3D8C772D4
SHA1:	976E49A1611C170841CFC9EFAFC79BE91C96D568
SHA-256:	A641389D4D055C76684D8C45C9D5F66F643456597445ED84338A8FC80F66006F
SHA-512:	8FB1BA6A154F222AC57EB9386A14248EBE0F50A40DE846D812A71A76B0CA08A79ABCFB3C403EF112995BC90FDE3D58449F7BBA985E65A92B6A8A4F3EFD494A5D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\d0494b35-0c63-42ed-a7c8-3c39beed892d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	57692
Entropy (8bit):	6.103975140371109
Encrypted:	false
SSDEEP:	1536:z/Ps+wsI7yOIPGWv/sxtwAj7VLyMV/YoskFoz:z/0+zI7yOcv/4KKVeZoskG
MD5:	CA23C916EAB74F4DFD5B2597155C08D9
SHA1:	0C2F39E02B53E4F38263670129CEDE191E728129
SHA-256:	D3B4A68B16D01AC346E37354D51049F02E5A50E0FE673585E32E68E9269BDE12
SHA-512:	EFC4A66EACFD6229AAB959D76EF81AF55883E84E45BB493DD37B70C66F2756D3016FBC5B0CE1AF4E9119091239F67539F82807A111A9A878398D86B68B15E101
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.849123442467326
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxp6xl9Il8umwTeLrCWY17u3lpmx0M1Bd1rc:mNYQwT2qq37m2
MD5:	D0FE12C6A8A4F503D126922666E97D69
SHA1:	FE8AA73531EBD46046AD25010A33D983A78D6204
SHA-256:	A00CB78FEBADEE8DF465BAC4869F06D4586935B167878BBDB2BE78EA58A1473C
SHA-512:	5B6D41CDE478D6EA99B2517F37907AC4C1C8E954CB897BE0E119BC981FB32A260DE3F21088571E125510AD9163BF81180BB73C0B316276F0C93D4FC533E35A31
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.K.O.H.E.T.r.6.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.h./.t.3.R.V.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.002881638405989
Encrypted:	false
SSDEEP:	96:2Y7uGBDAVwo9KPIAEVm7gEnt01CBXBy7KOg:2hBwahAByi
MD5:	13050688A8E6A598B830792F31621FD5
SHA1:	6EA8B0FD565B97483D047FECB36E4D9849FAE62A
SHA-256:	94DA526E8B47193CB47A51BC770B2A735C714FA08D235B89B0529EAB777C5F81
SHA-512:	3884EE795CB25F78D9CE55C28606EE9D64FAA54F7069E87B1337958575CFF5A5CF4995DF8369D9884874E1F4A844AE367E5F9539B734B4E68C80491D8D9A2603
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".4.k.G.7.9.z.H.6.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.h./.t.3.R.V.

C:\Users\user\AppData\Local\Temp\chrome_PuffinComponentUnpacker_BeginUnzipping2712_851266713\manifest.fingerprint

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.87107305218322
Encrypted:	false
SSDEEP:	3:SddQLtQSnUunhU1mWrO2V:S/QZHThyay
MD5:	0C9218609241DBAA26EBA66D5AAF08AB
SHA1:	31F1437C07241E5F075268212C11A566CEB514EC
SHA-256:	52493422AC4C18918DC91EF5C4D0E50C130EA3AA99915FA542B890A79EA94F2B
SHA-512:	5D25A1FB8D9E902647673975F13D7CA11E1F00F3C19449973D6B466D333198768E777B8CAE5BECEF5C66C9A0C0EF320A65116B5070C66E3B9844461BB0FFA47F
Malicious:	false
Preview:	1.8BFD50D350D47445B57BB1D61BBDE41CEDA7AC43DC81FCE95BF1AC646D97D2A0

C:\Users\user\AppData\Local\Temp\chrome_PuffinComponentUnpacker_BeginUnzipping2712_851266713\manifest.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	134
Entropy (8bit):	4.405914533496662
Encrypted:	false
SSDEEP:	3:3FFhAWAUNhRKpEbXKS2XAXMWxQHJCzhiFfASvAcWxQHJCr2SkhSA:3FFWeRl2QIpCU4SvrpCSSkhSA
MD5:	58D3CA1189DF439D0538A75912496BCF
SHA1:	99AF5B6A006A6929CC08744D1B54E3623FEC2F36
SHA-256:	A946DB31A6A985BDB64EA9F403294B479571CA3C22215742BDC26EA1CF123437
SHA-512:	AFD7F140E89472D4827156EC1C48DA488B0D06DAAA737351C7BEC6BC12EDFC4443460C4AC169287350934CA66FB2F883347ED8084C62CAF9F883A736243194A2
Malicious:	false
Preview:	{.. "description" : "AutoLaunch Protocols Preregistration",.. "name" : "Protocol Preregistration",.. "version" : "1.0.0.8"..}

C:\Users\user\AppData\Local\Temp\chrome_PuffinComponentUnpacker_BeginUnzipping2712_851266713\protocols.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3164
Entropy (8bit):	4.532278538438865
Encrypted:	false
SSDEEP:	48:O//uidcRcrcNc0cTc8cs+PcrcNc0cTc8csLcrcNc0cTc8cstcrcNc0cTc8csH:O//uWJ2UH
MD5:	6BBB18BB210B0AF189F5D76A65F7AD80
SHA1:	87B804075E78AF64293611A637504273FADFE718
SHA-256:	01594D510A1BBC016897EC89402553ECA423DFDC8B82BAFBC5653BF0C976F57C
SHA-512:	4788EDCFA3911C3BB2BE8FC447166C330E8AC389F74E8C44E13238EAD2FA45C8538AEE325BD0D1CC40D91AD47DEA1AA94A92148A62983144FDECFF2130EE120D
Malicious:	false
Preview:	{.. "allow": [.. {.. "origins": [.. "https://.get.microsoft.com",.. "https://.apps.microsoft.com".. ],.. "protocol": "ms-windows-store".. },.. {.. "origins": [.. "https://.onedrive.com",.. "https://.onedrive.live.com",.. "https://sharepoint.com".. ],.. "protocol": "ms-word".. },.. {.. "origins": [.. "https://[a-z1-9-]word-edit.officeapps.live.com",.. "https://[a-z1-9-]word-view.officeapps.live.com",.. "https://[a-z1-9-]onenote.officeapps.live.com",.. "https://[a-z1-9-]eap.officeapps.live.com",.. "https://[a-z1-9-]shared.officeapps.live.com",.. "https://[a-z1-9-]afhs.officeapps.live.com",.. "https://[a-z1-9-]vhs.officeapps.live.com",.. "https://[a-z1-9-]optin.online.office.com".. ],.. "use_regex": true,.. "protocol": "ms-word".. },.. {.. "origins": [.. "https://.onedrive.com",.. "https://.onedrive.li

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1190
Entropy (8bit):	5.382050655699954
Encrypted:	false
SSDEEP:	24:YK0bl5r75riCe0qW+5Ua02EHP5IKL0jZ5JwbX/B+L0QMoI9x0h:YK0bl5r75riN0qW+5Ua02sP5IKL0jZ5J
MD5:	F0F44C94EBAB63B333BCCEF673E35095
SHA1:	17D5B47B41DD9ABB6C6174A2437D4F0428DA21C0
SHA-256:	75CF2A8710A100E9CAD229E70C19C0B29476E8E71119BA9E424F98E760FFEC72
SHA-512:	419C7F4BFBAA5EF549152BE4A1C9DE2ECBF4FD78B409201F4A7FD16B802EA8BF388C8D953E7DBA74E09EBFBC0EFE7159EA6A641A985F9EE70D77F587066CB3F5
Malicious:	false
Preview:	{"logTime": "1005/074019", "correlationVector":"Jzai6BfByv5amZ45/NBe5r","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/074027", "correlationVector":"eO8FwRQNRwFtIUhPNa0yBN","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/074027", "correlationVector":"DFCC0B139A2547CAA3433B33892C7FE6","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075031", "correlationVector":"bWXPYvVSVVANvrGBV6dHxn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075032", "correlationVector":"4CD8E3A1D096444AAB77DA6A690C4356","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075123", "correlationVector":"t3DmiSvoNTibe+/mLDIMfl","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075124", "correlationVector":"B2B504519464422FA5C6E610072CF270","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/075313", "correlationVector":"/q9eTq3f/ZawbQrLDVWKju","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/075314", "correlationVector":"138D0C7D

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\875a60a09683c344.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5146919610241607
Encrypted:	false
SSDEEP:	48:lEOcHdOxJ8BsJGrxfzBdLXuH6kDpz2AxGdOxoBsJGrxfzngdLXuH6k+21:7a3uakDsFnIuakz
MD5:	95B58F8D2B122C9CBF4E57AF2160325F
SHA1:	ED8427D02C68736371A9EC5A1A433F6F16A0B3F1
SHA-256:	0A7B914A1D35A1939FBFE9942A5C0ECD0FFB5FCE16DF68659F30394800BA6461
SHA-512:	55BA09ADD61F74D0EDC2806905C0B94FB0FDCBFB808FDA6DA504A6D3B6906E33341D596FDC310041B847BA26081E20F97F4FD878B24552FB6F83E4FAF1E509D2
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....+..1....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....EW.>..PROGRA~2.........O.IEW.>....................V......7s.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Y............................45..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.EW98...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y......u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............&.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HF6MJNJ8ATUJK83V4LF7.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5146919610241607
Encrypted:	false
SSDEEP:	48:lEOcHdOxJ8BsJGrxfzBdLXuH6kDpz2AxGdOxoBsJGrxfzngdLXuH6k+21:7a3uakDsFnIuakz
MD5:	95B58F8D2B122C9CBF4E57AF2160325F
SHA1:	ED8427D02C68736371A9EC5A1A433F6F16A0B3F1
SHA-256:	0A7B914A1D35A1939FBFE9942A5C0ECD0FFB5FCE16DF68659F30394800BA6461
SHA-512:	55BA09ADD61F74D0EDC2806905C0B94FB0FDCBFB808FDA6DA504A6D3B6906E33341D596FDC310041B847BA26081E20F97F4FD878B24552FB6F83E4FAF1E509D2
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....+..1....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....EW.>..PROGRA~2.........O.IEW.>....................V......7s.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Y............................45..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.EW98...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y......u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............&.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IE22EI202G9AI34E7M0B.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.51408442821307
Encrypted:	false
SSDEEP:	48:lExGdOxoBsJGrxfzBdLXuH6kDpz2AxGdOxoBsJGrxfzngdLXuH6k+21:b3uakDsFnIuakz
MD5:	4D16890FEF18891558CDC6CCB08A756F
SHA1:	EDF8BB782742903DADFD8450F72DEB461E72CB10
SHA-256:	BFDC619BFEA1A571B8C42E2694396055F41720EA5053B06B9C44A2B4038CAAFC
SHA-512:	E4920020227E2B83A57E9F912768BC941A1583F49A7A412E23B6DB9F4F97CB3961FDEA69A2068D885A615C9FC47943F520326D90D20A4BA4C4DEFFB60AD4483C
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....+..1....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Y....PROGRA~2.........O.I.Y......................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Y............................45..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Y.............................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y......u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............&.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.51408442821307
Encrypted:	false
SSDEEP:	48:lExGdOxoBsJGrxfzBdLXuH6kDpz2AxGdOxoBsJGrxfzngdLXuH6k+21:b3uakDsFnIuakz
MD5:	4D16890FEF18891558CDC6CCB08A756F
SHA1:	EDF8BB782742903DADFD8450F72DEB461E72CB10
SHA-256:	BFDC619BFEA1A571B8C42E2694396055F41720EA5053B06B9C44A2B4038CAAFC
SHA-512:	E4920020227E2B83A57E9F912768BC941A1583F49A7A412E23B6DB9F4F97CB3961FDEA69A2068D885A615C9FC47943F520326D90D20A4BA4C4DEFFB60AD4483C
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K....+..1....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Y....PROGRA~2.........O.I.Y......................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.>..MICROS~1..D......(Ux..Y............................45..M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Y.............................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y......u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............&.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579769091695255
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	0f3a98cdf618c29f848e577fd8cd3a3f
SHA1:	8077c4c97b939f4aa69ac29a8e2a725e2ddcc223
SHA256:	ee254e08302538c5a0e7b2724757a4f51bac47618fd2012e93bc4b08b5ca5579
SHA512:	15b3262307a0f4cc717ac032708af0ede861bedaa57e32f184e5553fd7c1e79f227a9d319ccf1b02af69b9a2d6f02f2973bd58ad7a0359c56512741493504449
SSDEEP:	12288:FqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTf:FqDEvCTbMWu7rQYlBQcBiT6rprG8asf
TLSH:	3C159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D0A32F [Thu Aug 29 16:34:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F501CE2EAD3h
jmp 00007F501CE2E3DFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F501CE2E5BDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F501CE2E58Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F501CE3117Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F501CE311C8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F501CE311B1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95c8	0x9600	2ba32296be083791c8aa754b1aa58d88	False	0.28705729166666666	data	5.165678345622366	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x890	data			1.0050182481751824
RT_GROUP_ICON	0xdd048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 18:36:59.647533894 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 18:37:00.616364956 CEST	49674	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:00.620346069 CEST	49675	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:00.803850889 CEST	49672	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:02.053858995 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 18:37:06.543673992 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 18:37:06.854334116 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 18:37:06.913075924 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 18:37:07.663563967 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 18:37:09.210433960 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 18:37:10.222908974 CEST	49674	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:10.222925901 CEST	49675	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:10.408658981 CEST	49672	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:10.875973940 CEST	49717	443	192.168.2.7	51.104.136.2
Aug 29, 2024 18:37:10.875991106 CEST	443	49717	51.104.136.2	192.168.2.7
Aug 29, 2024 18:37:10.876094103 CEST	49717	443	192.168.2.7	51.104.136.2
Aug 29, 2024 18:37:10.879040956 CEST	49717	443	192.168.2.7	51.104.136.2
Aug 29, 2024 18:37:10.879055023 CEST	443	49717	51.104.136.2	192.168.2.7
Aug 29, 2024 18:37:11.644711971 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:11.644740105 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:11.644793987 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:11.645440102 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:11.645452976 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:11.736372948 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:11.736391068 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:11.736506939 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:11.736751080 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:11.736757994 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:11.736850977 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:11.737104893 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:11.737118959 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:11.737246037 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:11.737257957 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:11.737464905 CEST	49723	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:11.737507105 CEST	443	49723	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:11.737602949 CEST	49723	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:11.737771988 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:11.737780094 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:11.737858057 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:11.738076925 CEST	49723	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:11.738096952 CEST	443	49723	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:11.738210917 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:11.738223076 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:11.780447960 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:11.780476093 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:11.780539989 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:11.780735970 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:11.780741930 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:11.787450075 CEST	49726	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:11.787471056 CEST	443	49726	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:11.787662029 CEST	49726	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:11.789263964 CEST	49726	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:11.789278030 CEST	443	49726	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:11.817050934 CEST	443	49717	51.104.136.2	192.168.2.7
Aug 29, 2024 18:37:11.817138910 CEST	49717	443	192.168.2.7	51.104.136.2
Aug 29, 2024 18:37:11.820852041 CEST	49717	443	192.168.2.7	51.104.136.2
Aug 29, 2024 18:37:11.820859909 CEST	443	49717	51.104.136.2	192.168.2.7
Aug 29, 2024 18:37:11.821203947 CEST	443	49717	51.104.136.2	192.168.2.7
Aug 29, 2024 18:37:11.912986040 CEST	49717	443	192.168.2.7	51.104.136.2
Aug 29, 2024 18:37:12.225492001 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 18:37:12.240206003 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.240535021 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.240565062 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.241713047 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.241776943 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.247199059 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.247226954 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.247347116 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.247544050 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.247570992 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.247673035 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.247682095 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.248688936 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.248753071 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.248759985 CEST	443	49723	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.248831987 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.249032021 CEST	49723	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.249041080 CEST	443	49723	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.250077009 CEST	443	49723	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.250106096 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.250140905 CEST	49723	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.250169039 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.250276089 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.250289917 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.251015902 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.251024008 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.251171112 CEST	49723	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.251246929 CEST	443	49723	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.251347065 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.251409054 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.251801968 CEST	49723	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.251810074 CEST	443	49723	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.252290964 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.252352953 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.252417088 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.261605024 CEST	443	49726	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.261795044 CEST	49726	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.261802912 CEST	443	49726	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.262787104 CEST	443	49726	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.262859106 CEST	49726	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.263720989 CEST	49726	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.263786077 CEST	443	49726	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.263868093 CEST	49726	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.263873100 CEST	443	49726	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.296500921 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.332879066 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.332880020 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.332904100 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.337598085 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.337831020 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.337838888 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.339219093 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.339282036 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.340434074 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.340507030 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.340761900 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.340771914 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.377964973 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.378036022 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.378098011 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.378381014 CEST	49724	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.378401041 CEST	443	49724	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.380702019 CEST	443	49723	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.380959988 CEST	49723	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.381140947 CEST	49723	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.381150007 CEST	443	49723	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.381474018 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.381556034 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.381814957 CEST	49722	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.381815910 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.381834984 CEST	443	49722	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.381887913 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.382374048 CEST	49721	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:12.382380962 CEST	443	49721	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:12.392328024 CEST	443	49726	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.392433882 CEST	49726	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.392709017 CEST	49726	443	192.168.2.7	162.159.61.3
Aug 29, 2024 18:37:12.392730951 CEST	443	49726	162.159.61.3	192.168.2.7
Aug 29, 2024 18:37:12.438455105 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.438740015 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.438769102 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.439781904 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.439847946 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.440248013 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.440310955 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.440568924 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.440577984 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.446722984 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.446768999 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.446799040 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.446814060 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.446826935 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.446851015 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.446878910 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.448412895 CEST	49718	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.448429108 CEST	443	49718	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.508059978 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.547405005 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.547429085 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.547436953 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.547462940 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.547477007 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.547488928 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.547499895 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.547532082 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.547548056 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.547581911 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.629641056 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.629664898 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.629741907 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.629762888 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.629781008 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.629812002 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.632291079 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.632308006 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.632374048 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.632385015 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.632433891 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.689659119 CEST	49717	443	192.168.2.7	51.104.136.2
Aug 29, 2024 18:37:12.689759016 CEST	443	49717	51.104.136.2	192.168.2.7
Aug 29, 2024 18:37:12.689855099 CEST	49717	443	192.168.2.7	51.104.136.2
Aug 29, 2024 18:37:12.745457888 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.745481968 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.745630026 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.745656013 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.745716095 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.753173113 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.753256083 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.753315926 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.754394054 CEST	49725	443	192.168.2.7	13.107.246.73
Aug 29, 2024 18:37:12.754436970 CEST	443	49725	13.107.246.73	192.168.2.7
Aug 29, 2024 18:37:12.866388083 CEST	443	49698	104.98.116.138	192.168.2.7
Aug 29, 2024 18:37:12.866568089 CEST	49698	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:12.910577059 CEST	49732	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:12.910619020 CEST	443	49732	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:12.910711050 CEST	49732	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:12.911752939 CEST	49732	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:12.911767006 CEST	443	49732	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.147028923 CEST	49733	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:13.147073984 CEST	443	49733	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:13.147147894 CEST	49733	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:13.152069092 CEST	49733	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:13.152086020 CEST	443	49733	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:13.579802990 CEST	443	49732	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.579888105 CEST	49732	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:13.638406992 CEST	49732	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:13.638433933 CEST	443	49732	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.638823986 CEST	443	49732	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.689670086 CEST	49732	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:13.732502937 CEST	443	49732	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.881685019 CEST	443	49732	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.881759882 CEST	443	49732	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.882050991 CEST	49732	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:13.882169962 CEST	49732	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:13.882196903 CEST	443	49732	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.882216930 CEST	49732	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:13.882225037 CEST	443	49732	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.931713104 CEST	49734	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:13.931744099 CEST	443	49734	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:13.931888103 CEST	49734	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:13.932153940 CEST	49735	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:13.932192087 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:13.932390928 CEST	49735	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:13.932782888 CEST	49734	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:13.932794094 CEST	443	49734	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:13.932921886 CEST	49735	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:13.932930946 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:13.953330040 CEST	443	49733	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:13.953449011 CEST	49733	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:13.988676071 CEST	49736	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:13.988720894 CEST	443	49736	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.990578890 CEST	49736	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:13.990889072 CEST	49736	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:13.990902901 CEST	443	49736	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:13.998087883 CEST	49733	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:13.998114109 CEST	443	49733	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:13.998450041 CEST	443	49733	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:13.999887943 CEST	49733	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.000051022 CEST	49733	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.000081062 CEST	443	49733	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:14.380548000 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.380583048 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.380739927 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.380830050 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.380836964 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.381097078 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.381108999 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.381128073 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.381520033 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.381526947 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.387999058 CEST	443	49733	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:14.388379097 CEST	443	49733	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:14.388616085 CEST	49733	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.395385027 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.395620108 CEST	49735	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.395649910 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.395941019 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.396235943 CEST	49735	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.396291971 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.401082039 CEST	443	49734	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.401309013 CEST	49734	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.401319027 CEST	443	49734	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.401643038 CEST	443	49734	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.401958942 CEST	49734	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.402021885 CEST	443	49734	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.423863888 CEST	49733	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.423891068 CEST	443	49733	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:14.423902035 CEST	49733	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.423908949 CEST	443	49733	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:14.600508928 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.601020098 CEST	49735	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.604948044 CEST	49734	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.626162052 CEST	443	49736	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:14.626247883 CEST	49736	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:14.628796101 CEST	49739	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.628833055 CEST	443	49739	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:14.629472971 CEST	49739	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.662606955 CEST	49739	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.662628889 CEST	443	49739	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:14.673778057 CEST	49736	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:14.673796892 CEST	443	49736	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:14.674016953 CEST	443	49736	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:14.675594091 CEST	49736	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:14.694399118 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:14.694439888 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:14.694504023 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:14.694962025 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:14.694978952 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:14.720496893 CEST	443	49736	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:14.817074060 CEST	49741	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.817110062 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:14.817178965 CEST	49741	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.817363024 CEST	49741	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:14.817378998 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:14.866607904 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.867136002 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.867153883 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.867476940 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.867539883 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.868144035 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.868202925 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.869813919 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.869898081 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.870098114 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.870102882 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.882848978 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.883083105 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.883090019 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.883445978 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.883505106 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.884150028 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.884201050 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.884404898 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.884453058 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.884905100 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:14.884908915 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:14.903076887 CEST	443	49736	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:14.903143883 CEST	443	49736	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:14.903192043 CEST	49736	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:14.904087067 CEST	49736	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:14.904109001 CEST	443	49736	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:14.904123068 CEST	49736	443	192.168.2.7	184.28.90.27
Aug 29, 2024 18:37:14.904128075 CEST	443	49736	184.28.90.27	192.168.2.7
Aug 29, 2024 18:37:14.924165010 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.007728100 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.041902065 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.042754889 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.042799950 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.043823957 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.043839931 CEST	443	49737	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.043848038 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.043884993 CEST	49737	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.073729992 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.073790073 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.073837042 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.074843884 CEST	49738	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.074851036 CEST	443	49738	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.170803070 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.171103954 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:15.171128035 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.171983004 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.172063112 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:15.174350977 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:15.174411058 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.175086021 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:15.175093889 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.264533043 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:15.273034096 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.273072004 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.273128033 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:15.273144007 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.275990963 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.276046991 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:15.276053905 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.276118994 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.276165962 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:15.276398897 CEST	49740	443	192.168.2.7	142.251.40.164
Aug 29, 2024 18:37:15.276417017 CEST	443	49740	142.251.40.164	192.168.2.7
Aug 29, 2024 18:37:15.351238012 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.351272106 CEST	443	49742	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.351344109 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.352786064 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.352797031 CEST	443	49742	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.382924080 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.382960081 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.383023024 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.383403063 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.383415937 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.432708979 CEST	443	49739	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.433394909 CEST	49739	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:15.433419943 CEST	443	49739	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.441469908 CEST	49739	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:15.441477060 CEST	443	49739	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.441509962 CEST	49739	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:15.441518068 CEST	443	49739	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.788363934 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.790952921 CEST	443	49739	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.791022062 CEST	443	49739	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.796400070 CEST	49739	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:15.817307949 CEST	49741	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:15.817308903 CEST	49741	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:15.817336082 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.817352057 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.817389965 CEST	49741	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:15.817404032 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.845160961 CEST	443	49742	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.855452061 CEST	49739	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:15.855482101 CEST	443	49739	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.855529070 CEST	49739	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:15.855535030 CEST	443	49739	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:15.857217073 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.857239008 CEST	443	49742	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.857611895 CEST	443	49742	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.857748985 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.858221054 CEST	443	49742	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.858338118 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.860352039 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.860416889 CEST	443	49742	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.863759995 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.876358032 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.876379013 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.876703024 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.877299070 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.877332926 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.877346039 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.880356073 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.884357929 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.884422064 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.920352936 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.920361042 CEST	443	49742	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:16.022327900 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:16.022327900 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:16.022346973 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:16.069276094 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:16.506774902 CEST	49671	443	192.168.2.7	204.79.197.203
Aug 29, 2024 18:37:18.178545952 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 18:37:18.861320972 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:18.861349106 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:18.861363888 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:18.861479998 CEST	49741	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:18.861504078 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:18.861519098 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:18.861581087 CEST	49741	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:18.862565041 CEST	49741	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:18.862565994 CEST	49741	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:18.862586975 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:18.862595081 CEST	443	49741	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:19.051673889 CEST	49744	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:19.051727057 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:19.051795959 CEST	49744	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:19.052015066 CEST	49744	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:19.052031040 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:19.844099045 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:19.845300913 CEST	49744	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:19.845329046 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:19.846240044 CEST	49744	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:19.846245050 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:19.846292973 CEST	49744	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:19.846299887 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:20.601682901 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:20.601715088 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:20.601757050 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:20.601784945 CEST	49744	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:20.601799965 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:20.601818085 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:20.601820946 CEST	49744	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:20.601866961 CEST	49744	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:20.648487091 CEST	49744	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:20.648509979 CEST	443	49744	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:20.892908096 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:20.892957926 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:20.893090963 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:20.995208979 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:20.995249987 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:21.205089092 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:21.205140114 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:21.205214977 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:21.207123041 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:21.207151890 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:21.302139997 CEST	49698	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:21.303097963 CEST	49747	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:21.303147078 CEST	443	49747	104.98.116.138	192.168.2.7
Aug 29, 2024 18:37:21.303215981 CEST	49747	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:21.314183950 CEST	49747	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:37:21.314202070 CEST	443	49747	104.98.116.138	192.168.2.7
Aug 29, 2024 18:37:21.321732998 CEST	443	49698	104.98.116.138	192.168.2.7
Aug 29, 2024 18:37:21.808057070 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:21.808948040 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:21.808974981 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:21.809771061 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:21.809777021 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:21.809823036 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:21.809830904 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:21.947925091 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:21.948010921 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:21.950149059 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:21.950159073 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:21.950401068 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:21.991792917 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:22.020546913 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:22.064510107 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.264688969 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.264724970 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.264731884 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.264740944 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.264756918 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.264801979 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:22.264832020 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.264853954 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:22.264879942 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:22.267962933 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.268028021 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:22.268029928 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.268088102 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:22.276210070 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:22.276238918 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.276251078 CEST	49746	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:22.276257992 CEST	443	49746	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:22.287132978 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:22.287153959 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:22.287188053 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:22.287225008 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.287241936 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:22.287261009 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.287307978 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.287638903 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.287658930 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:22.287668943 CEST	49745	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.287673950 CEST	443	49745	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:22.385185957 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.385241985 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:22.385330915 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.386015892 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.386035919 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:22.419203997 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.419250965 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:22.419390917 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.419970036 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:22.419986010 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:23.177819967 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:23.225286007 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:23.225465059 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:23.225759983 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:23.596906900 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:23.596930981 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:23.599103928 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:23.599104881 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:23.599112988 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:23.599126101 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.013329029 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.013355017 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.013362885 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.013395071 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.013427973 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.013453007 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.013469934 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.013473034 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.013549089 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.031095982 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.031146049 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.031491995 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.045792103 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.045834064 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.045847893 CEST	49748	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.045855045 CEST	443	49748	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.073154926 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.087078094 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.087239027 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.087270021 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.420211077 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.420233011 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.420291901 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.420326948 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.420902967 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.420955896 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.441579103 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.441580057 CEST	49749	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.441603899 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.441613913 CEST	443	49749	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.938299894 CEST	49750	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.938349962 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.938615084 CEST	49750	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.938987017 CEST	49750	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:24.939002037 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:24.999511957 CEST	49751	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:24.999557972 CEST	443	49751	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:25.000205994 CEST	49751	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:25.000570059 CEST	49751	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:25.000583887 CEST	443	49751	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:25.714209080 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:25.714993954 CEST	49750	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:25.715020895 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:25.715982914 CEST	49750	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:25.715987921 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:25.716131926 CEST	49750	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:25.716141939 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:25.791659117 CEST	443	49751	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:25.791743994 CEST	49751	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:25.862477064 CEST	49751	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:25.862500906 CEST	443	49751	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:25.862832069 CEST	443	49751	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:25.913434029 CEST	49751	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:26.025979996 CEST	49751	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:26.026077032 CEST	443	49751	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:26.026144981 CEST	49751	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:26.113840103 CEST	49752	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:26.113888025 CEST	443	49752	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:26.113957882 CEST	49752	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:26.114593029 CEST	49752	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:26.114612103 CEST	443	49752	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:26.455045938 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:26.455073118 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:26.455106974 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:26.455151081 CEST	49750	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:26.455187082 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:26.455204964 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:26.455209970 CEST	49750	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:26.455245018 CEST	49750	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:26.455785990 CEST	49750	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:26.455804110 CEST	443	49750	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:26.538804054 CEST	49753	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:26.538866997 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:26.538942099 CEST	49753	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:26.539635897 CEST	49753	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:26.539654970 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:26.837035894 CEST	49752	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:26.944216013 CEST	49754	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:26.944271088 CEST	443	49754	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:26.944499969 CEST	49754	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:26.944771051 CEST	49754	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:26.944788933 CEST	443	49754	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:27.593097925 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:27.593766928 CEST	49753	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:27.593794107 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:27.594922066 CEST	49753	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:27.594928026 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:27.595050097 CEST	49753	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:27.595061064 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:27.770349979 CEST	443	49754	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:27.770458937 CEST	49754	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:27.771790028 CEST	49754	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:27.771807909 CEST	443	49754	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:27.772042990 CEST	443	49754	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:27.773509979 CEST	49754	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:27.773551941 CEST	443	49754	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:27.773684025 CEST	443	49754	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:27.773749113 CEST	49754	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:27.773770094 CEST	49754	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:27.864402056 CEST	49755	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:27.864459991 CEST	443	49755	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:27.864661932 CEST	49755	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:27.864936113 CEST	49755	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:27.864953041 CEST	443	49755	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:28.102581024 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:28.102605104 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:28.102647066 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:28.102715015 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:28.102720976 CEST	49753	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:28.102787018 CEST	49753	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:28.104603052 CEST	49753	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:28.104621887 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:28.104635954 CEST	49753	443	192.168.2.7	20.190.159.71
Aug 29, 2024 18:37:28.104640961 CEST	443	49753	20.190.159.71	192.168.2.7
Aug 29, 2024 18:37:28.650084019 CEST	443	49755	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:28.650187016 CEST	49755	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:28.652733088 CEST	49755	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:28.652741909 CEST	443	49755	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:28.652992010 CEST	443	49755	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:28.655015945 CEST	49755	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:28.655055046 CEST	443	49755	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:28.655111074 CEST	49755	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:29.025648117 CEST	49756	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:29.025711060 CEST	443	49756	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:29.025834084 CEST	49756	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:29.026485920 CEST	49756	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:29.026500940 CEST	443	49756	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:29.304063082 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:29.304127932 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:29.304191113 CEST	49735	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:29.312397003 CEST	443	49734	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:29.312494993 CEST	443	49734	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:29.312637091 CEST	49734	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:29.858922958 CEST	443	49756	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:29.859036922 CEST	49756	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:29.860280991 CEST	49756	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:29.860299110 CEST	443	49756	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:29.860551119 CEST	443	49756	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:29.861648083 CEST	49756	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:29.861685038 CEST	443	49756	40.127.240.158	192.168.2.7
Aug 29, 2024 18:37:29.861746073 CEST	49756	443	192.168.2.7	40.127.240.158
Aug 29, 2024 18:37:30.084871054 CEST	49677	443	192.168.2.7	20.50.201.200
Aug 29, 2024 18:37:48.736148119 CEST	55455	53	192.168.2.7	162.159.36.2
Aug 29, 2024 18:37:48.741115093 CEST	53	55455	162.159.36.2	192.168.2.7
Aug 29, 2024 18:37:48.741347075 CEST	55455	53	192.168.2.7	162.159.36.2
Aug 29, 2024 18:37:48.746710062 CEST	53	55455	162.159.36.2	192.168.2.7
Aug 29, 2024 18:37:49.209419966 CEST	55455	53	192.168.2.7	162.159.36.2
Aug 29, 2024 18:37:49.216526031 CEST	53	55455	162.159.36.2	192.168.2.7
Aug 29, 2024 18:37:49.216578960 CEST	55455	53	192.168.2.7	162.159.36.2
Aug 29, 2024 18:37:49.273149967 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:49.273188114 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:49.273258924 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:49.273679972 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:49.273690939 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:49.991396904 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:49.991599083 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.019593000 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.019613981 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.020051003 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.021245003 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.064517021 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.267178059 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.267209053 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.267224073 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.267287970 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.267306089 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.267335892 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.267363071 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.290853024 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.290896893 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.290920973 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.290937901 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.290947914 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.290958881 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.291002989 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.291040897 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.291058064 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:37:50.291066885 CEST	55457	443	192.168.2.7	13.85.23.86
Aug 29, 2024 18:37:50.291073084 CEST	443	55457	13.85.23.86	192.168.2.7
Aug 29, 2024 18:38:00.929285049 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:38:00.929307938 CEST	443	49742	142.250.81.238	192.168.2.7
Aug 29, 2024 18:38:01.023519039 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:38:01.023539066 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:38:04.373661995 CEST	443	49747	104.98.116.138	192.168.2.7
Aug 29, 2024 18:38:04.373764038 CEST	49747	443	192.168.2.7	104.98.116.138
Aug 29, 2024 18:38:05.934899092 CEST	55460	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:05.934937000 CEST	443	55460	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:05.935004950 CEST	55460	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:05.935188055 CEST	55461	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:05.935210943 CEST	443	55461	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:05.935266018 CEST	55461	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:05.935451031 CEST	55460	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:05.935463905 CEST	443	55460	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:05.935595036 CEST	55461	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:05.935606956 CEST	443	55461	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.429280043 CEST	443	55460	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.429589987 CEST	55460	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.429615021 CEST	443	55460	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.429997921 CEST	443	55460	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.431020021 CEST	55460	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.431116104 CEST	443	55460	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.446126938 CEST	443	55461	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.452138901 CEST	55461	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.452147961 CEST	443	55461	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.453182936 CEST	443	55461	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.477005959 CEST	55460	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.480369091 CEST	55461	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.480743885 CEST	443	55461	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.523876905 CEST	55461	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:08.436418056 CEST	60320	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:38:08.442321062 CEST	53	60320	1.1.1.1	192.168.2.7
Aug 29, 2024 18:38:08.442400932 CEST	60320	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:38:08.448079109 CEST	53	60320	1.1.1.1	192.168.2.7
Aug 29, 2024 18:38:08.634059906 CEST	60321	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:08.634083986 CEST	443	60321	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:08.634152889 CEST	60321	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:08.634392977 CEST	60322	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:08.634401083 CEST	443	60322	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:08.634459019 CEST	60322	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:08.634587049 CEST	60321	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:08.634597063 CEST	443	60321	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:08.634744883 CEST	60322	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:08.634754896 CEST	443	60322	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.085645914 CEST	60320	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:38:09.131097078 CEST	443	60322	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.134128094 CEST	443	60321	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.174778938 CEST	60320	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:38:09.178097010 CEST	60321	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.178117990 CEST	443	60321	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.178236961 CEST	60322	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.178248882 CEST	443	60322	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.178704023 CEST	443	60322	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.178716898 CEST	443	60321	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.187341928 CEST	53	60320	1.1.1.1	192.168.2.7
Aug 29, 2024 18:38:09.187406063 CEST	60320	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:38:09.225440025 CEST	60321	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.225440025 CEST	60322	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.358936071 CEST	60321	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.359169960 CEST	443	60321	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.360529900 CEST	60322	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.360671043 CEST	443	60322	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.361973047 CEST	60324	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:09.362014055 CEST	443	60324	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:09.362098932 CEST	60324	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:09.362261057 CEST	60324	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:09.362277031 CEST	443	60324	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:09.408221006 CEST	60321	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.408221006 CEST	60322	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:10.188916922 CEST	443	60324	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:10.192154884 CEST	60324	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:10.192183018 CEST	443	60324	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:10.193290949 CEST	443	60324	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:10.193341970 CEST	60324	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:10.194346905 CEST	60324	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:10.194423914 CEST	443	60324	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:10.194515944 CEST	60324	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:10.194526911 CEST	443	60324	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:10.247350931 CEST	60324	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:12.332094908 CEST	443	60324	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:12.332181931 CEST	443	60324	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:12.332277060 CEST	60324	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:12.332588911 CEST	60324	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:12.332607985 CEST	443	60324	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:12.333355904 CEST	60325	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:12.333394051 CEST	443	60325	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:12.333460093 CEST	60325	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:12.333671093 CEST	60325	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:12.333679914 CEST	443	60325	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:12.816699982 CEST	443	60325	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:12.817125082 CEST	60325	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:12.817154884 CEST	443	60325	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:12.817488909 CEST	443	60325	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:12.817795038 CEST	60325	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:12.817856073 CEST	443	60325	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:12.817970991 CEST	60325	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:12.864509106 CEST	443	60325	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:14.383120060 CEST	49735	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:14.383133888 CEST	49734	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:14.383152008 CEST	443	49734	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:14.383153915 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:14.757246017 CEST	443	60325	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:14.757689953 CEST	443	60325	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:14.757711887 CEST	60325	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:14.757739067 CEST	443	60325	23.44.133.38	192.168.2.7
Aug 29, 2024 18:38:14.757755041 CEST	60325	443	192.168.2.7	23.44.133.38
Aug 29, 2024 18:38:21.338176012 CEST	443	55460	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:21.338274002 CEST	443	55460	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:21.338375092 CEST	55460	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:21.347583055 CEST	443	55461	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:21.347661018 CEST	443	55461	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:21.347731113 CEST	55461	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:24.021459103 CEST	443	60322	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:24.021553040 CEST	443	60322	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:24.021624088 CEST	60322	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:24.029515028 CEST	443	60321	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:24.029573917 CEST	443	60321	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:24.029670000 CEST	60321	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:24.077706099 CEST	55460	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:24.077735901 CEST	443	55460	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:24.077765942 CEST	55461	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:24.077790022 CEST	443	55461	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:45.929625988 CEST	49742	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:38:45.929651976 CEST	443	49742	142.250.81.238	192.168.2.7
Aug 29, 2024 18:38:46.024900913 CEST	49743	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:38:46.024916887 CEST	443	49743	142.250.81.238	192.168.2.7
Aug 29, 2024 18:38:59.538772106 CEST	49735	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:59.538816929 CEST	443	49735	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:59.538841963 CEST	49734	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:59.538881063 CEST	443	49734	172.64.41.3	192.168.2.7
Aug 29, 2024 18:39:09.040031910 CEST	60321	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:39:09.040070057 CEST	443	60321	172.64.41.3	192.168.2.7
Aug 29, 2024 18:39:09.119913101 CEST	60322	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:39:09.119956017 CEST	443	60322	172.64.41.3	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 18:37:07.358155012 CEST	53	55152	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:08.628443003 CEST	59536	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:08.628443003 CEST	64867	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:09.757817984 CEST	53	55714	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:09.766086102 CEST	53	65255	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:10.848867893 CEST	123	123	192.168.2.7	13.95.65.251
Aug 29, 2024 18:37:11.633079052 CEST	123	123	13.95.65.251	192.168.2.7
Aug 29, 2024 18:37:11.718560934 CEST	51717	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:11.718930960 CEST	56128	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:11.719338894 CEST	63379	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:11.719841003 CEST	60805	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:11.720201969 CEST	65396	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:11.720596075 CEST	57720	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:11.721091986 CEST	63761	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:11.721339941 CEST	56319	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:11.732841015 CEST	53	51717	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:11.735807896 CEST	53	56128	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:11.735819101 CEST	53	63379	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:11.735829115 CEST	53	65396	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:11.735838890 CEST	53	57720	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:11.736608982 CEST	53	63761	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:11.736619949 CEST	53	56319	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:11.736629009 CEST	53	60805	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:11.776357889 CEST	53058	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:11.776506901 CEST	52208	53	192.168.2.7	1.1.1.1
Aug 29, 2024 18:37:11.786890030 CEST	53	53058	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:11.786901951 CEST	53	52208	1.1.1.1	192.168.2.7
Aug 29, 2024 18:37:12.383805990 CEST	123	123	192.168.2.7	13.95.65.251
Aug 29, 2024 18:37:12.553555965 CEST	123	123	13.95.65.251	192.168.2.7
Aug 29, 2024 18:37:13.615871906 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:13.931056023 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.068274975 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.068656921 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.068669081 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.070219040 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.070231915 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.070467949 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.072204113 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.072767973 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.072877884 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.073419094 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.073649883 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.171447992 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.171649933 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.171664953 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.171674967 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.171684980 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.172147036 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.172271967 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.174264908 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.174276114 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.174817085 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.175762892 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.269813061 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.271534920 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.271735907 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.375556946 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.378521919 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.378784895 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.379205942 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.583492041 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.583817959 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:14.691338062 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.692589045 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.692883968 CEST	443	57455	172.64.41.3	192.168.2.7
Aug 29, 2024 18:37:14.693559885 CEST	57455	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:37:15.045805931 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.350707054 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.511385918 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.511523962 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.512027979 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.520302057 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.520898104 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.520910978 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.521066904 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.522150040 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.523169041 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.524276018 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.524414062 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.524993896 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.525023937 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.538057089 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.787895918 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.788897038 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.788908005 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.788916111 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.789052010 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.790734053 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.856355906 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.856698990 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.856733084 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.857219934 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.905725002 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.936372995 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:15.961800098 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.963635921 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:15.975333929 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:16.007546902 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:16.099232912 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:23.328639030 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:23.465759993 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:23.583882093 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:23.584110975 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:23.758523941 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:23.759090900 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:23.759417057 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:23.882746935 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:44.338191032 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:44.338340998 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:44.433876991 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:44.460692883 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:44.511967897 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:44.512526035 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:44.513864040 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:44.554451942 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:44.634134054 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:44.901133060 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:44.901133060 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:44.999001026 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:45.085656881 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:45.087006092 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:45.129153967 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:45.165210962 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:45.249706030 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:46.954129934 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:47.075970888 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:47.102343082 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:47.129439116 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:47.129908085 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:47.133780956 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:47.165513992 CEST	63663	443	192.168.2.7	142.250.81.238
Aug 29, 2024 18:37:47.253815889 CEST	443	63663	142.250.81.238	192.168.2.7
Aug 29, 2024 18:37:48.735172033 CEST	53	49257	162.159.36.2	192.168.2.7
Aug 29, 2024 18:37:49.233179092 CEST	53	64160	1.1.1.1	192.168.2.7
Aug 29, 2024 18:38:05.934654951 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.242959023 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.397777081 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.398363113 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.398400068 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.399104118 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.400770903 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.400808096 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.403623104 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.405333042 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.405704021 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.405833006 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.406169891 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.406339884 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.514415026 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.514592886 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.514622927 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.514651060 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.514842033 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.514920950 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.517697096 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.518095970 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.518603086 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.518749952 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:06.561367989 CEST	138	138	192.168.2.7	192.168.2.255
Aug 29, 2024 18:38:06.626796961 CEST	443	53740	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:06.685014963 CEST	53740	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:08.435987949 CEST	53	65301	1.1.1.1	192.168.2.7
Aug 29, 2024 18:38:08.633837938 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.002774954 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.135746956 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.136537075 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.137698889 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.137710094 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.139718056 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.175884008 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.177465916 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.177788973 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.177900076 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.178489923 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.178596973 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.290241003 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.290945053 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.290956020 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.290963888 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.291282892 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.291806936 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.361012936 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.361097097 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.361231089 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:09.471075058 CEST	443	60792	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:09.513848066 CEST	60792	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.282561064 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.282752991 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.283019066 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.283111095 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.307213068 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.307320118 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.649646044 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.745809078 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.746495962 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.747334957 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.747345924 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.747354984 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.753608942 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.753665924 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.754369020 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.754837990 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.755075932 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.850121021 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.850933075 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.851180077 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.949572086 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.950212002 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.950489998 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.950846910 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.950856924 CEST	443	64381	172.64.41.3	192.168.2.7
Aug 29, 2024 18:38:16.955101013 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.956576109 CEST	64381	443	192.168.2.7	172.64.41.3
Aug 29, 2024 18:38:16.957920074 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:16.958059072 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:16.958868027 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:16.958981037 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.367456913 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.666996002 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.667675018 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.667676926 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.667689085 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.668060064 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.668076038 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.668193102 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.668210983 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.669161081 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.669173002 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.669446945 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:17.669492960 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:17.671576977 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.671590090 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.671598911 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.672435045 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:17.672758102 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:17.674129009 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.674299955 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.766278982 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.766613960 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.766664028 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.766957045 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.767258883 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.767326117 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.767584085 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.774272919 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.778307915 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.778575897 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.778934002 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.779093981 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:17.779814005 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:17.809086084 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.809241056 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:17.838368893 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.839793921 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.839804888 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:17.850783110 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:17.851010084 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.851495981 CEST	53955	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:38:17.853805065 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.856101990 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.870234966 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.870589018 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.872509956 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.899024963 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:17.969649076 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:17.982167959 CEST	443	53955	142.251.179.84	192.168.2.7
Aug 29, 2024 18:38:46.431772947 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:46.536063910 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:46.544666052 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:46.544770956 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:46.555125952 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:46.572671890 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:46.643114090 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:46.679063082 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:46.722460985 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:46.722875118 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:46.763150930 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:46.788851976 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:46.871679068 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:48.744333029 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:48.880995989 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:48.915045023 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:48.939582109 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:38:48.939897060 CEST	57317	443	192.168.2.7	142.251.40.110
Aug 29, 2024 18:38:49.068830013 CEST	443	57317	142.251.40.110	192.168.2.7
Aug 29, 2024 18:39:13.259618998 CEST	53036	443	192.168.2.7	142.251.179.84
Aug 29, 2024 18:39:13.765850067 CEST	443	53036	142.251.179.84	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 18:37:08.628443003 CEST	192.168.2.7	1.1.1.1	0xb7d2	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:08.628443003 CEST	192.168.2.7	1.1.1.1	0x21e4	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Aug 29, 2024 18:37:11.718560934 CEST	192.168.2.7	1.1.1.1	0x476b	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.718930960 CEST	192.168.2.7	1.1.1.1	0x23b8	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 18:37:11.719338894 CEST	192.168.2.7	1.1.1.1	0x44c5	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.719841003 CEST	192.168.2.7	1.1.1.1	0xba94	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 18:37:11.720201969 CEST	192.168.2.7	1.1.1.1	0x5572	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.720596075 CEST	192.168.2.7	1.1.1.1	0x3c19	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 18:37:11.721091986 CEST	192.168.2.7	1.1.1.1	0x4b51	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.721339941 CEST	192.168.2.7	1.1.1.1	0x26ef	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 18:37:11.776357889 CEST	192.168.2.7	1.1.1.1	0x96ae	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.776506901 CEST	192.168.2.7	1.1.1.1	0x9554	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 18:37:08.640500069 CEST	1.1.1.1	192.168.2.7	0x21e4	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 18:37:08.642209053 CEST	1.1.1.1	192.168.2.7	0xb7d2	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 18:37:11.644021988 CEST	1.1.1.1	192.168.2.7	0x2f6e	No error (0)	shed.dual-low.s-part-0045.t-0009.t-msedge.net	s-part-0045.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 18:37:11.644021988 CEST	1.1.1.1	192.168.2.7	0x2f6e	No error (0)	s-part-0045.t-0009.t-msedge.net		13.107.246.73	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.732841015 CEST	1.1.1.1	192.168.2.7	0x476b	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.732841015 CEST	1.1.1.1	192.168.2.7	0x476b	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.735807896 CEST	1.1.1.1	192.168.2.7	0x23b8	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 18:37:11.735819101 CEST	1.1.1.1	192.168.2.7	0x44c5	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.735819101 CEST	1.1.1.1	192.168.2.7	0x44c5	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.735829115 CEST	1.1.1.1	192.168.2.7	0x5572	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.735829115 CEST	1.1.1.1	192.168.2.7	0x5572	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.735838890 CEST	1.1.1.1	192.168.2.7	0x3c19	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 18:37:11.736608982 CEST	1.1.1.1	192.168.2.7	0x4b51	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.736608982 CEST	1.1.1.1	192.168.2.7	0x4b51	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.736619949 CEST	1.1.1.1	192.168.2.7	0x26ef	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 18:37:11.736629009 CEST	1.1.1.1	192.168.2.7	0xba94	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 18:37:11.786890030 CEST	1.1.1.1	192.168.2.7	0x96ae	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.786890030 CEST	1.1.1.1	192.168.2.7	0x96ae	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 18:37:11.786901951 CEST	1.1.1.1	192.168.2.7	0x9554	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

chrome.cloudflare-dns.com

edgeassetservice.azureedge.net

fs.microsoft.com

https:

www.google.com

slscr.update.microsoft.com

bzib.nelreports.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49724	162.159.61.3	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:12 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 16:37:12 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 16:37:12 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 16:37:12 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8badf6e009a56a59-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 16:37:12 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 aa 00 04 8e fa 50 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomPc)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49722	172.64.41.3	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:12 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 16:37:12 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 16:37:12 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 16:37:12 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8badf6e00bfac3eb-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 16:37:12 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1f 00 04 8e fa 50 43 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomPC)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49723	172.64.41.3	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:12 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 16:37:12 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 16:37:12 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 16:37:12 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8badf6e0092a41b4-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 16:37:12 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 6e 00 04 8e fb 28 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomn()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49721	172.64.41.3	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:12 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 16:37:12 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 16:37:12 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 16:37:12 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8badf6e0090f4232-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 16:37:12 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 a9 00 04 8e fa 50 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomPc)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49726	162.159.61.3	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:12 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 16:37:12 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 16:37:12 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 16:37:12 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8badf6e02b7a8c63-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 16:37:12 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1f 00 04 8e fb 28 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom(c)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49718	13.107.246.73	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:12 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-29 16:37:12 UTC	559	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 16:37:12 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Fri, 23 Aug 2024 00:10:35 GMT ETag: 0x8DCC30802EF150E x-ms-request-id: 903262f1-801e-001b-4826-f94695000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240829T163712Z-16579567576j7nvvu5n0ytgs1c00000002b000000000ahzk Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-08-29 16:37:12 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49725	13.107.246.73	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:12 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.47 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-29 16:37:12 UTC	583	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 16:37:12 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Fri, 02 Aug 2024 18:10:35 GMT ETag: 0x8DCB31E67C22927 x-ms-request-id: 66f87118-601e-001a-2116-f94768000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240829T163712Z-16579567576kv75wmks9m65qec00000002dg000000000bxw Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-08-29 16:37:12 UTC	15801	IN	Data Raw: 1f 8b 08 08 1a 21 ad 66 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: !fasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-08-29 16:37:12 UTC	16384	IN	Data Raw: 4a b0 09 cb 82 45 ac c5 f3 e8 07 bb 82 71 ba da 2a 0b c7 62 2c 30 96 c2 52 09 74 65 c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 Data Ascii: JEqb,0Rte\|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49*-lx53Bu;hQ-]bU%+/M!eC8Y1
2024-08-29 16:37:12 UTC	16384	IN	Data Raw: 2f 4d 35 19 b9 3f d5 c1 f4 52 a7 67 b3 99 ff bc b7 c2 8e 7c d3 4d 9a a5 bf dc f0 20 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 Data Ascii: /M5?Rg\|M kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|c
2024-08-29 16:37:12 UTC	16384	IN	Data Raw: 99 dc 5a 2e 69 cf 52 41 9e 48 c8 71 d7 39 94 dd f7 b6 3f 2a 48 d1 b5 2e 37 a4 97 5f 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 Data Ascii: Z.iRAHq9?*H.7_CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`
2024-08-29 16:37:12 UTC	5254	IN	Data Raw: 29 50 5f 50 34 9a d3 9a 2a 83 ab 27 93 58 c5 2b d2 9c af 2b 4e 0f 79 ac a9 56 57 20 b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 Data Ascii: )P_P4*'X++NyVW a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49732	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:13 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-29 16:37:13 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=147580 Date: Thu, 29 Aug 2024 16:37:13 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49733	20.190.159.71	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:13 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-29 16:37:13 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 16:37:14 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 16:36:14 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BAY x-ms-request-id: 73c2ad98-8cf4-4d44-9605-e488af3a1c07 PPServer: PPV: 30 H: PH1PEPF00018BFB V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 16:37:13 GMT Connection: close Content-Length: 1276
2024-08-29 16:37:14 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49736	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:14 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-29 16:37:14 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=147532 Date: Thu, 29 Aug 2024 16:37:14 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-29 16:37:14 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49737	142.250.81.238	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:14 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-29 16:37:15 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Thu, 29 Aug 2024 16:37:14 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49738	142.250.81.238	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:14 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-29 16:37:15 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Thu, 29 Aug 2024 16:37:14 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49740	142.251.40.164	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:15 UTC	887	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.2045.47" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-29 16:37:15 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Thu, 29 Aug 2024 14:51:55 GMT Expires: Fri, 06 Sep 2024 14:51:55 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 6320 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-08-29 16:37:15 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-08-29 16:37:15 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-08-29 16:37:15 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-08-29 16:37:15 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-08-29 16:37:15 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49739	20.190.159.71	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:15 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-29 16:37:15 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 16:37:15 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 16:36:15 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BAY x-ms-request-id: 38f0f77c-2a9c-42b2-8bde-302952b205bb PPServer: PPV: 30 H: PH1PEPF00011CFC V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 16:37:15 GMT Connection: close Content-Length: 1276
2024-08-29 16:37:15 UTC	1276	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49741	20.190.159.71	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:15 UTC	446	OUT	POST /ppsecure/deviceaddcredential.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 7642 Host: login.live.com
2024-08-29 16:37:15 UTC	7642	OUT	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 71 75 65 73 74 3e 3c 43 6c 69 65 6e 74 49 6e 66 6f 20 6e 61 6d 65 3d 22 49 44 43 52 4c 22 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 3c 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 32 34 3c 2f 42 69 6e 61 72 79 56 65 72 73 69 6f 6e 3e 3c 2f 43 6c 69 65 6e 74 49 6e 66 6f 3e 3c 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 61 68 63 63 62 6b 63 79 7a 63 6c 61 63 66 3c 2f 4d 65 6d 62 65 72 6e 61 6d 65 3e 3c 50 61 73 73 77 6f 72 64 3e 65 72 60 73 7a 6a 30 6c 57 7a 5f 43 7a 75 73 3f 57 63 53 71 3c 2f 50 61 73 73 77 6f 72 64 3e 3c 2f 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 3e 3c 4f 6c 64 4d 65 6d 62 65 72 6e 61 6d 65 3e 30 32 71 74 6c 74 6e 74 63 62 72 65 71 75 61 6a 3c 2f 4f 6c 64 4d Data Ascii: <DeviceAddRequest><ClientInfo name="IDCRL" version="1.0"><BinaryVersion>24</BinaryVersion></ClientInfo><Authentication><Membername>02ahccbkcyzclacf</Membername><Password>er`szj0lWz_Czus?WcSq</Password></Authentication><OldMembername>02qtltntcbrequaj</OldM
2024-08-29 16:37:18 UTC	542	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: text/xml Expires: Thu, 29 Aug 2024 16:36:16 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C526_BAY x-ms-request-id: 0f45236d-6794-4e92-a57a-fabf1faae39d PPServer: PPV: 30 H: PH1PEPF00011DA5 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 16:37:18 GMT Connection: close Content-Length: 17166
2024-08-29 16:37:18 UTC	15842	IN	Data Raw: 3c 44 65 76 69 63 65 41 64 64 52 65 73 70 6f 6e 73 65 20 53 75 63 63 65 73 73 3d 22 74 72 75 65 22 3e 3c 73 75 63 63 65 73 73 3e 74 72 75 65 3c 2f 73 75 63 63 65 73 73 3e 3c 70 75 69 64 3e 30 30 31 38 34 30 31 30 38 34 36 30 33 30 45 38 3c 2f 70 75 69 64 3e 3c 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 33 3c 2f 44 65 76 69 63 65 54 70 6d 4b 65 79 53 74 61 74 65 3e 3c 4c 69 63 65 6e 73 65 20 43 6f 6e 74 65 6e 74 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 2d 38 63 63 35 2d 62 32 66 35 33 63 38 33 30 62 37 36 22 20 49 44 3d 22 39 33 37 62 63 33 35 36 2d 62 61 35 37 2d 34 63 34 37 2d 39 34 39 61 2d 39 66 39 64 37 33 62 38 62 34 39 30 22 20 4c 69 63 65 6e 73 65 49 44 3d 22 33 32 35 32 62 32 30 63 2d 64 34 32 35 2d 34 37 31 31 Data Ascii: <DeviceAddResponse Success="true"><success>true</success><puid>00184010846030E8</puid><DeviceTpmKeyState>3</DeviceTpmKeyState><License ContentID="3252b20c-d425-4711-8cc5-b2f53c830b76" ID="937bc356-ba57-4c47-949a-9f9d73b8b490" LicenseID="3252b20c-d425-4711
2024-08-29 16:37:18 UTC	1324	IN	Data Raw: 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 39 2f 78 6d 6c 64 73 69 67 23 65 6e 76 65 6c 6f 70 65 64 2d 73 69 67 6e 61 74 75 72 65 22 2f 3e 3c 2f 54 72 61 6e 73 66 6f 72 6d 73 3e 3c 44 69 67 65 73 74 4d 65 74 68 6f 64 20 41 6c 67 6f 72 69 74 68 6d 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 30 34 2f 78 6d 6c 65 6e 63 23 73 68 61 32 35 36 22 2f 3e 3c 44 69 67 65 73 74 56 61 6c 75 65 3e 67 74 71 77 70 52 35 66 47 44 61 6f 48 73 4d 37 49 57 47 4b 5a 67 61 77 58 61 30 42 50 69 47 61 65 35 62 49 75 6e 2f 52 51 4a 41 3d 3c 2f 44 69 67 65 73 74 56 61 6c 75 65 3e 3c 2f 52 65 66 65 72 65 6e 63 65 3e 3c 2f 53 69 67 6e 65 64 49 6e 66 6f 3e 3c 53 69 67 6e 61 74 75 72 65 56 61 6c 75 65 3e 41 46 38 6f 46 52 2b 47 66 Data Ascii: tp://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>gtqwpR5fGDaoHsM7IWGKZgawXa0BPiGae5bIun/RQJA=</DigestValue></Reference></SignedInfo><SignatureValue>AF8oFR+Gf

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49744	20.190.159.71	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:19 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-29 16:37:19 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 16:37:20 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 16:36:20 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30345.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C517_BAY x-ms-request-id: 505cc20e-7e0c-4082-be81-981762a277aa PPServer: PPV: 30 H: PH1PEPF00011DA3 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 16:37:20 GMT Connection: close Content-Length: 11389
2024-08-29 16:37:20 UTC	11389	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49745	20.190.159.71	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:21 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-08-29 16:37:21 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 16:37:22 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 16:36:22 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30345.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C517_BAY x-ms-request-id: 4217aebf-d8a7-47e0-a6b1-1886c01e9cea PPServer: PPV: 30 H: PH1PEPF00018373 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 16:37:21 GMT Connection: close Content-Length: 11389
2024-08-29 16:37:22 UTC	11389	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49746	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:22 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=oF7u3vXeOAtHhAh&MD=DLKkyNWD HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-29 16:37:22 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: a984c21a-63d7-4835-989a-27361db06756 MS-RequestId: 6a2db262-fd56-40ae-bc62-4bd2624aa0e6 MS-CV: WOcbgPhVdUmzYDkq.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 29 Aug 2024 16:37:22 GMT Connection: close Content-Length: 24490
2024-08-29 16:37:22 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-29 16:37:22 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49748	20.190.159.71	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:23 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4710 Host: login.live.com
2024-08-29 16:37:23 UTC	4710	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 16:37:24 UTC	656	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 16:36:23 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=5&213=292991&215=0&315=1&215=0&315=1&214=30&288=16.0.30345.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C517_BAY x-ms-request-id: cb40c5c5-efe6-42eb-ac4b-564f8a800d92 PPServer: PPV: 30 H: PH1PEPF00011D9E V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 16:37:23 GMT Connection: close Content-Length: 10173
2024-08-29 16:37:24 UTC	10173	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49749	20.190.159.71	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:24 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-08-29 16:37:24 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 16:37:24 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 16:36:24 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BL2 x-ms-request-id: e08523e3-d006-4587-ab14-a2b43b580b8a PPServer: PPV: 30 H: BL02EPF000270D2 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 16:37:24 GMT Connection: close Content-Length: 1918
2024-08-29 16:37:24 UTC	1918	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49750	20.190.159.71	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:25 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-08-29 16:37:25 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 16:37:26 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 16:36:25 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30345.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C517_BAY x-ms-request-id: 3676152c-ce5d-4fb9-8c06-c4bd6a9b788b PPServer: PPV: 30 H: PH1PEPF00011DA2 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 16:37:26 GMT Connection: close Content-Length: 11409
2024-08-29 16:37:26 UTC	11409	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49753	20.190.159.71	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:27 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-08-29 16:37:27 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-08-29 16:37:28 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Thu, 29 Aug 2024 16:36:27 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30345.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C517_BAY x-ms-request-id: e90b70ae-8851-452d-93fc-c6fcad1a90af PPServer: PPV: 30 H: PH1PEPF00018373 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Thu, 29 Aug 2024 16:37:27 GMT Connection: close Content-Length: 11409
2024-08-29 16:37:28 UTC	11409	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	55457	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:37:50 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=oF7u3vXeOAtHhAh&MD=DLKkyNWD HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-29 16:37:50 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 01300ba3-6985-4847-b849-6fe115cb8346 MS-RequestId: 77a3768b-29dc-4689-9e01-e12e1496d51e MS-CV: 6482CPCYzU6o/eJC.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 29 Aug 2024 16:37:49 GMT Connection: close Content-Length: 30005
2024-08-29 16:37:50 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-08-29 16:37:50 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	60324	23.44.133.38	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:38:10 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-29 16:38:12 UTC	360	IN	HTTP/1.1 200 OK Content-Length: 0 Access-Control-Allow-Headers: content-type Date: Thu, 29 Aug 2024 16:38:12 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.26862c17.1724949490.71c3f8d Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	60325	23.44.133.38	443	7232	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 16:38:12 UTC	382	OUT	POST /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Content-Length: 938 Content-Type: application/reports+json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-29 16:38:12 UTC	938	OUT	Data Raw: 5b 7b 22 61 67 65 22 3a 36 30 30 31 32 2c 22 62 6f 64 79 22 3a 7b 22 65 6c 61 70 73 65 64 5f 74 69 6d 65 22 3a 37 34 32 2c 22 6d 65 74 68 6f 64 22 3a 22 47 45 54 22 2c 22 70 68 61 73 65 22 3a 22 61 70 70 6c 69 63 61 74 69 6f 6e 22 2c 22 70 72 6f 74 6f 63 6f 6c 22 3a 22 68 74 74 70 2f 31 2e 31 22 2c 22 72 65 66 65 72 72 65 72 22 3a 22 22 2c 22 73 61 6d 70 6c 69 6e 67 5f 66 72 61 63 74 69 6f 6e 22 3a 31 2e 30 2c 22 73 65 72 76 65 72 5f 69 70 22 3a 22 31 33 2e 31 30 37 2e 36 2e 31 35 38 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 34 30 31 2c 22 74 79 70 65 22 3a 22 68 74 74 70 2e 65 72 72 6f 72 22 7d 2c 22 74 79 70 65 22 3a 22 6e 65 74 77 6f 72 6b 2d 65 72 72 6f 72 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 62 69 6e 67 Data Ascii: [{"age":60012,"body":{"elapsed_time":742,"method":"GET","phase":"application","protocol":"http/1.1","referrer":"","sampling_fraction":1.0,"server_ip":"13.107.6.158","status_code":401,"type":"http.error"},"type":"network-error","url":"https://business.bing
2024-08-29 16:38:14 UTC	358	IN	HTTP/1.1 200 OK Content-Length: 21 Content-Type: text/plain; charset=utf-8 Date: Thu, 29 Aug 2024 16:38:14 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.26862c17.1724949492.71c4bc3 Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *
2024-08-29 16:38:14 UTC	21	IN	Data Raw: 50 72 6f 63 65 73 73 65 64 20 74 68 65 20 72 65 71 75 65 73 74 Data Ascii: Processed the request

Target ID:	0
Start time:	12:37:03
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x230000
File size:	917'504 bytes
MD5 hash:	0F3A98CDF618C29F848E577FD8CD3A3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:37:03
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:37:04
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2108,i,7710264983636281153,5119054965228980513,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:37:04
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:37:04
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	12:37:09
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3324 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:37:09
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6256 --field-trial-handle=2100,i,1885348496410649633,9285471005895090872,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:37:22
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:37:23
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=2140,i,6801917156771722209,6087489757711729190,262144 /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:37:24
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2104 --field-trial-handle=2140,i,6801917156771722209,6087489757711729190,262144 /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	14:27:12
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	14:27:13
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=2916,i,18081880558006340176,11351080329175143396,262144 /prefetch:3
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	14:27:13
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3520 --field-trial-handle=2916,i,18081880558006340176,11351080329175143396,262144 /prefetch:8
Imagebase:	0x7ff7fb980000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1401
Total number of Limit Nodes:	54

Executed Functions

Function 002342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0023430D

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

GetCurrentProcess.KERNEL32(?,002CCB64,00000000,?,?), ref: 00234422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00234429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00234454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00234466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00234474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0023447B
GetSystemInfo.KERNEL32(?,?,?), ref: 002344A0

Strings

|O, xrefs: 002736F8
GetNativeSystemInfo, xrefs: 00234460
kernel32.dll, xrefs: 0023444F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 70c39d11938c15fb78678359f4b3e12f7e709d31a70db7bb738e19d0fd58bfc6
Instruction ID: e50e067e372e3a4f7baecdbb7eb79cfbd0403aaf9dccf186ceab770029b36f6f
Opcode Fuzzy Hash: 70c39d11938c15fb78678359f4b3e12f7e709d31a70db7bb738e19d0fd58bfc6
Instruction Fuzzy Hash: A7A1F8AEA2B2C0CFC717DB797CA15957FEC7B26300F1884EBE14593A22D2704915DB21

Function 002342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002350AA,?,?,00000000,00000000), ref: 002342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002350AA,?,?,00000000,00000000), ref: 002342C9
LoadResource.KERNEL32(?,00000000,?,?,002350AA,?,?,00000000,00000000,?,?,?,?,?,?,00234F20), ref: 002735BE
SizeofResource.KERNEL32(?,00000000,?,?,002350AA,?,?,00000000,00000000,?,?,?,?,?,?,00234F20), ref: 002735D3
LockResource.KERNEL32(002350AA,?,?,002350AA,?,?,00000000,00000000,?,?,?,?,?,?,00234F20,?), ref: 002735E6

Strings

SCRIPT, xrefs: 002342BF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: de345bf0b1e248f8f6ce2d1ef83355974cdf3c29982e574763c55810be475671
Instruction ID: b4168ffc7d75e81ffbc6e4c95e7859bab93dd2b56851b0eddcc15e73b45945ba
Opcode Fuzzy Hash: de345bf0b1e248f8f6ce2d1ef83355974cdf3c29982e574763c55810be475671
Instruction Fuzzy Hash: 8D1170B0210701BFD7219F65EC48F677BBDEBC6B51F24416AF81A96550DB71EC108A21

Function 00272BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00232B6B

Part of subcall function 00233A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00301418,?,00232E7F,?,?,?,00000000), ref: 00233A78

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,002F2224), ref: 00272C10
ShellExecuteW.SHELL32(00000000,?,?,002F2224), ref: 00272C17

Strings

runas, xrefs: 00272C0B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 46152c9c65112bd9493187bf7898167d237009184d5aa30bae86703563ec5dcf
Instruction ID: bf81b63965b79d386f09d1b69718f763ef7e7fd81042c7e5616870fe60db2ad4
Opcode Fuzzy Hash: 46152c9c65112bd9493187bf7898167d237009184d5aa30bae86703563ec5dcf
Instruction Fuzzy Hash: 361103B1228345AAC705FF60E855EBEB7A99B92344F04542DF186020A2CF708A6ECF52

Function 0029DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00275222), ref: 0029DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0029DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0029DBEE
FindClose.KERNEL32(00000000), ref: 0029DBFA

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 91b56c0a48cdea72461fac6bfc7267e185e3f344ad0f0161fece4d83a9fe0ca0
Instruction ID: 4b857214024698635eda27520f08de75322ffaae2763793cb5737fe69be63833
Opcode Fuzzy Hash: 91b56c0a48cdea72461fac6bfc7267e185e3f344ad0f0161fece4d83a9fe0ca0
Instruction Fuzzy Hash: 52F0A030820910578A206F7CEC0D8AA776C9E01334BA44703F83AC20E0EBB0596596D6

Function 002BAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 002BB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002BB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002BB1D4
_wcslen.LIBCMT ref: 002BB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002BB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002BB236
_wcslen.LIBCMT ref: 002BB332

Part of subcall function 002A05A7: GetStdHandle.KERNEL32(000000F6), ref: 002A05C6

_wcslen.LIBCMT ref: 002BB34B
_wcslen.LIBCMT ref: 002BB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002BB3B6
GetLastError.KERNEL32(00000000), ref: 002BB407
CloseHandle.KERNEL32(?), ref: 002BB439
CloseHandle.KERNEL32(00000000), ref: 002BB44A
CloseHandle.KERNEL32(00000000), ref: 002BB45C
CloseHandle.KERNEL32(00000000), ref: 002BB46E
CloseHandle.KERNEL32(?), ref: 002BB4E3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: ea6a9b6b5c9d2a14037bc45afcf800820eb422fb9739bec0a3d903f88b29294b
Instruction ID: 4aea071bdf8b19f7fbd68d2a4dc0ccc1d990d3e02710129a18478bd4ef52182e
Opcode Fuzzy Hash: ea6a9b6b5c9d2a14037bc45afcf800820eb422fb9739bec0a3d903f88b29294b
Instruction Fuzzy Hash: DDF1BF715243419FCB25EF24C891B6EBBE4AF85350F14885DF8994B2A2CB71EC54CF52

Function 0023D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0023D807
timeGetTime.WINMM ref: 0023DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0023DB28
TranslateMessage.USER32(?), ref: 0023DB7B
DispatchMessageW.USER32(?), ref: 0023DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0023DB9F
Sleep.KERNELBASE(0000000A), ref: 0023DBB1

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 79106610b077cc4362d4ea3d4baaa33bc8fd728751d2b1f1536d6a676a3e1516
Instruction ID: 7833ad564dd57b23aad311611f58cca6b235ce54b393447b374a0d033e491ae2
Opcode Fuzzy Hash: 79106610b077cc4362d4ea3d4baaa33bc8fd728751d2b1f1536d6a676a3e1516
Instruction Fuzzy Hash: 734232B4629342DFD729DF24D884B6AB7E4FF46304F14855AE456872E1C7B0E868CF82

Function 00232CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00232D07
RegisterClassExW.USER32(00000030), ref: 00232D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00232D42
InitCommonControlsEx.COMCTL32(?), ref: 00232D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00232D6F
LoadIconW.USER32(000000A9), ref: 00232D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00232D94

Strings

TaskbarCreated, xrefs: 00232D37
0, xrefs: 00232CE9
+, xrefs: 00232CF0
AutoIt v3 GUI, xrefs: 00232D23

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dfc7066f17b4347a0af77e0fa1f6f65644df75fdacbda1059094ef51bdf11f70
Instruction ID: 14b069bb9b24a5f231aa07e2723c88825d234636cdbd21722b664d455a990bf5
Opcode Fuzzy Hash: dfc7066f17b4347a0af77e0fa1f6f65644df75fdacbda1059094ef51bdf11f70
Instruction Fuzzy Hash: B821C0B5D52318EFDB01DFA4E899BDDBBB8FB08700F20811AF619A62A0D7B14544CF91

Function 0027065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0027039A: CreateFileW.KERNELBASE(00000000,00000000,?,00270704,?,?,00000000,?,00270704,00000000,0000000C), ref: 002703B7

GetLastError.KERNEL32 ref: 0027076F
__dosmaperr.LIBCMT ref: 00270776
GetFileType.KERNELBASE(00000000), ref: 00270782
GetLastError.KERNEL32 ref: 0027078C
__dosmaperr.LIBCMT ref: 00270795
CloseHandle.KERNEL32(00000000), ref: 002707B5
CloseHandle.KERNEL32(?), ref: 002708FF
GetLastError.KERNEL32 ref: 00270931
__dosmaperr.LIBCMT ref: 00270938

Strings

H, xrefs: 002708BD

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: fb59824d88a49f01bf6cdb60490996405e743e2e837ae58035af9e6268bd0b86
Instruction ID: 1bc216bce6dce233cc545c25b4a34b2b5e00ece7e7099b2701f53e24ff23292b
Opcode Fuzzy Hash: fb59824d88a49f01bf6cdb60490996405e743e2e837ae58035af9e6268bd0b86
Instruction Fuzzy Hash: C4A12932A20145CFDF19EF68D891BAD7BA4AB46320F14415DF819DB3D1DB319C2ACB91

Function 0023344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00233A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00301418,?,00232E7F,?,?,?,00000000), ref: 00233A78

Part of subcall function 00233357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00233379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0023356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0027318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002731CE
RegCloseKey.ADVAPI32(?), ref: 00273210
_wcslen.LIBCMT ref: 00273277
_wcslen.LIBCMT ref: 00273286

Strings

\, xrefs: 0027328C
Software\AutoIt v3\AutoIt, xrefs: 00233560
\Include\, xrefs: 00233527
Include, xrefs: 00273184, 002731C5

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 4d1b3f543d5c0ce9a213b4c0c4accb474e33d1615bad8a096e70e3c732bb0794
Instruction ID: dd11e696218dff96a239aab75cedbef54c2289c1ceae8a1e484dfbba679c073e
Opcode Fuzzy Hash: 4d1b3f543d5c0ce9a213b4c0c4accb474e33d1615bad8a096e70e3c732bb0794
Instruction Fuzzy Hash: 0671DDB14253019EC305EF25EC9A96BBBE8FF85340F50486EF589931A0EB309A58CF52

Function 00232B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00232B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00232B9D
LoadIconW.USER32(00000063), ref: 00232BB3
LoadIconW.USER32(000000A4), ref: 00232BC5
LoadIconW.USER32(000000A2), ref: 00232BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00232BEF
RegisterClassExW.USER32(?), ref: 00232C40

Part of subcall function 00232CD4: GetSysColorBrush.USER32(0000000F), ref: 00232D07
Part of subcall function 00232CD4: RegisterClassExW.USER32(00000030), ref: 00232D31
Part of subcall function 00232CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00232D42
Part of subcall function 00232CD4: InitCommonControlsEx.COMCTL32(?), ref: 00232D5F
Part of subcall function 00232CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00232D6F
Part of subcall function 00232CD4: LoadIconW.USER32(000000A9), ref: 00232D85
Part of subcall function 00232CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00232D94

Strings

0, xrefs: 00232C0F
#, xrefs: 00232C16
AutoIt v3, xrefs: 00232C2F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0db42be2a75c0828cafcc1c0d1976293402f362b17b90790cb3b68226850db54
Instruction ID: 9024c7c0346a28c9e19420803cc521e9d2c13ed41963ebaad01c952d8d43a015
Opcode Fuzzy Hash: 0db42be2a75c0828cafcc1c0d1976293402f362b17b90790cb3b68226850db54
Instruction Fuzzy Hash: E1214C78E52314ABDB129FA5EC69BA9BFF8FB08B50F14009BF504A66A0D3B10554CF90

Function 0023B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0023BB4E

Strings

p%0, xrefs: 0023BB32
p#0, xrefs: 0023BA72
x#0, xrefs: 00280168
x#0, xrefs: 00280207
p%0, xrefs: 0023B8DC
p#0, xrefs: 0023BB6B
p#0, xrefs: 0028024F
p#0, xrefs: 00280263

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#0$p#0$p#0$p#0$p%0$p%0$x#0$x#0
API String ID: 1385522511-1193804831
Opcode ID: bb33e26b602cda5d627fbcd3c25ca38074e4c725065421b92ae3ca5d48ce2229
Instruction ID: 9a8b2c516c40bb955a4a1a582ea671075263033fb3c642b865cccf85df492bb5
Opcode Fuzzy Hash: bb33e26b602cda5d627fbcd3c25ca38074e4c725065421b92ae3ca5d48ce2229
Instruction Fuzzy Hash: 1632E3B8A2020ADFDB15DF54C898BBEB7B9EF44310F148059EE05AB291C7B4AD65CF50

Function 00233170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0023316A,?,?), ref: 002331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0023316A,?,?), ref: 00233204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00233227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0023316A,?,?), ref: 00233232
CreatePopupMenu.USER32 ref: 00233246
PostQuitMessage.USER32(00000000), ref: 00233267

Strings

TaskbarCreated, xrefs: 0023322D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d708e28fc8f035aa4a4e519ca176df05a1dfa8f5386defa2d6056fbde33cfc04
Instruction ID: 4403cb9a83445dc9d0927af1c6990c94eca73c306447232c9799a633f35da8b7
Opcode Fuzzy Hash: d708e28fc8f035aa4a4e519ca176df05a1dfa8f5386defa2d6056fbde33cfc04
Instruction Fuzzy Hash: F9416AB5630201EBDB169F789C2DB7A3A1DE705300F144126F94E862E1CBB09F759BA1

Function 00232C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00232C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00232CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00231CAD,?), ref: 00232CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00231CAD,?), ref: 00232CCF

Strings

edit, xrefs: 00232CAC
AutoIt v3, xrefs: 00232C89, 00232C8E, 00232C8F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 307c79f8914bac4e04239abdbe30ace79a5bb5c26a22634d41fdb1653cb16d7d
Instruction ID: 3a3633fd7f1369efc8369c8b4ae512a114d5c59072b848adc6369b5c154e2b4e
Opcode Fuzzy Hash: 307c79f8914bac4e04239abdbe30ace79a5bb5c26a22634d41fdb1653cb16d7d
Instruction Fuzzy Hash: C2F0DA79541390BBEB321717AC1CE776EBDD7C6F50F10109EF904A25A4C6B11855DAB0

Function 0029E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0029E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0029E9A5
Sleep.KERNEL32(00000000), ref: 0029E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0029E9B7
Sleep.KERNELBASE ref: 0029E9F3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b74e412bf290d09d5ff8c824d6b0ba4e1d27d90c184b91ac6e0ef7eebccc42d9
Instruction ID: bafaf835af2fc2f84eb9b08d97bc3ffe351566b6766a3f1e05ee48968ad6e67e
Opcode Fuzzy Hash: b74e412bf290d09d5ff8c824d6b0ba4e1d27d90c184b91ac6e0ef7eebccc42d9
Instruction Fuzzy Hash: 0F015B31C11529DBDF00DFE5EC5DADDBB78FB08300F160566E906B2141CB7099648BA2

Function 00233B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00233B0F,SwapMouseButtons,00000004,?), ref: 00233B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00233B0F,SwapMouseButtons,00000004,?), ref: 00233B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00233B0F,SwapMouseButtons,00000004,?), ref: 00233B83

Strings

Control Panel\Mouse, xrefs: 00233B3E

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 59b50bd3521a6f07a46b37b0f3d7cb366e31d61a5fe33aebbc8c8a8a84d97d17
Instruction ID: 2738603d6cd94e5c26e33338bd7883c8958de44562f67c17bebfeab105778fd3
Opcode Fuzzy Hash: 59b50bd3521a6f07a46b37b0f3d7cb366e31d61a5fe33aebbc8c8a8a84d97d17
Instruction Fuzzy Hash: B4112AB5520209FFDB20CFA5DC48EAEB7B9EF04748F104459E805D7210D2719F509760

Function 00233923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002733A2

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00233A04

Strings

Line: , xrefs: 002733EB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 464dee2f87dcfc1ac8c173df5146420466d9d3c8718be6469719e2d8973a0790
Instruction ID: c437072b9d24e29a8368d1aa104a51608f97a283eb794ffccdf2b4c5e3697fb3
Opcode Fuzzy Hash: 464dee2f87dcfc1ac8c173df5146420466d9d3c8718be6469719e2d8973a0790
Instruction Fuzzy Hash: 1431D4B1429300ABC325EB20DC49BEBB7ECAB41714F10856EF599930D1DB7097A9CBC2

Function 00232DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00272C8C

Part of subcall function 00233AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00233A97,?,?,00232E7F,?,?,?,00000000), ref: 00233AC2

Part of subcall function 00232DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00232DC4

Strings

`e/, xrefs: 00272C85
X, xrefs: 00272C5A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e/
API String ID: 779396738-446505701
Opcode ID: 7a0d56d5703a2de090ff586d50d035ccd04d87db3c22ef9a56512728b75c85da
Instruction ID: 2996f5186694c54417b423ff86d5e19163b372446a09b1c0dfaf8daf64e9fb1a
Opcode Fuzzy Hash: 7a0d56d5703a2de090ff586d50d035ccd04d87db3c22ef9a56512728b75c85da
Instruction Fuzzy Hash: 9521A8B1A2025C9FCB01EF94C849BEEBBFC9F49704F00805AE505B7241DBB4565D8FA1

Function 0024FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00250668

Part of subcall function 002532A4: RaiseException.KERNEL32(?,?,?,0025068A,?,00301444,?,?,?,?,?,?,0025068A,00231129,002F8738,00231129), ref: 00253304

__CxxThrowException@8.LIBVCRUNTIME ref: 00250685

Strings

Unknown exception, xrefs: 00250692

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: c3a12749e73d2e808c24b15728d346002b90a93943309631fdf4ce313b1b7269
Instruction ID: 76624b5059e26973cd394191addb71f10182b26c21bd8b0710b970f46111926c
Opcode Fuzzy Hash: c3a12749e73d2e808c24b15728d346002b90a93943309631fdf4ce313b1b7269
Instruction Fuzzy Hash: CCF02234D2020EB3CB04BAA4DC86CAEB76C6E40341BA04531BD14C2491FFB1DA7DC988

Function 002310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00231BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00231BF4
Part of subcall function 00231BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00231BFC
Part of subcall function 00231BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00231C07
Part of subcall function 00231BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00231C12
Part of subcall function 00231BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00231C1A
Part of subcall function 00231BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00231C22

Part of subcall function 00231B4A: RegisterWindowMessageW.USER32(00000004,?,002312C4), ref: 00231BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0023136A
OleInitialize.OLE32 ref: 00231388
CloseHandle.KERNEL32(00000000,00000000), ref: 002724AB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4188700cb8ffc3604ed64f9c1f5186d311bf7739e7ba8de37492ce622cfcfbb5
Instruction ID: 59c940786e6c7f04a5dcc381f5f84830cdefd7e446e2976bbc142a5569bd997d
Opcode Fuzzy Hash: 4188700cb8ffc3604ed64f9c1f5186d311bf7739e7ba8de37492ce622cfcfbb5
Instruction Fuzzy Hash: 5171CFB49232048FC386DF7AAC756563AE8FB8A344F54822FE44ADB2B1EB304515CF44

Function 0029C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00233923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00233A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0029C259
KillTimer.USER32(?,00000001,?,?), ref: 0029C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0029C270

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 6686e21427e91f9088ce470d3d8bf86c3b0307958d43851a7827154d5a405e59
Instruction ID: 4911f746b37e5c5ecd1c1d7b2739988e08aeae91390cefd7b92bfb9542b3935e
Opcode Fuzzy Hash: 6686e21427e91f9088ce470d3d8bf86c3b0307958d43851a7827154d5a405e59
Instruction Fuzzy Hash: 07319370914384AFEF32DF649859BE7BBECAB06308F10449AD5DE97241C7745A88CB51

Function 002686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,002685CC,?,002F8CC8,0000000C), ref: 00268704
GetLastError.KERNEL32(?,002685CC,?,002F8CC8,0000000C), ref: 0026870E
__dosmaperr.LIBCMT ref: 00268739

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: cb04a51b5ddec8b5cb27cc99b57a8e4b6494544a9ae2cc6b1cdec7b1ba897edd
Instruction ID: 29a39f30df735ecf94d566da4522bc039fd284ef6bb35b6313e74e3bccb92d59
Opcode Fuzzy Hash: cb04a51b5ddec8b5cb27cc99b57a8e4b6494544a9ae2cc6b1cdec7b1ba897edd
Instruction Fuzzy Hash: 5D018933A3527166D2356B34E849B7E674D4B82B74F380399F9088B2D2DEF0CCE18590

Function 0023DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0023DB7B
DispatchMessageW.USER32(?), ref: 0023DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0023DB9F
Sleep.KERNELBASE(0000000A), ref: 0023DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00281CC9

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 60bf3e3852e06cfe98551e5e53960f18e07f4ef4da6b51f367e89ea1c466fdb4
Instruction ID: 6e6c5a800f06bc714abcceacd2b0e3245048549da2435917260adfea3bf917ad
Opcode Fuzzy Hash: 60bf3e3852e06cfe98551e5e53960f18e07f4ef4da6b51f367e89ea1c466fdb4
Instruction Fuzzy Hash: 14F05E716553419BEB30DB60EC99FAAB3ADEB44310F104919E61A830C0DB30A469CB16

Function 00241310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002417F6

Strings

CALL, xrefs: 002417C6

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 683a3aaa41e3043a9716be120bf2e6576472ede09731d479a552df96ae08c7c1
Instruction ID: 357bf75921685a249a9a3122d38c5f313fbe8035cc36a5c15d1160f906312e59
Opcode Fuzzy Hash: 683a3aaa41e3043a9716be120bf2e6576472ede09731d479a552df96ae08c7c1
Instruction Fuzzy Hash: F8229B746282029FC718DF14C494B2ABBF5BF85314F28895DF4968B3A1D771E8A5CF82

Function 00233837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00233908

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e12c7d81ad3c1a8b01303833949c8b0385e49bd49bc96970d0d4e408822721d0
Instruction ID: 97a7272d3f83be3ddcda19cab8100a36a2210a46ab55b96fb0584e24052d6d8e
Opcode Fuzzy Hash: e12c7d81ad3c1a8b01303833949c8b0385e49bd49bc96970d0d4e408822721d0
Instruction Fuzzy Hash: B031A2B0515301DFD721DF24D895797BBE8FB49709F00096EF99983280E7B1AA54CB92

Function 0024F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0024F661

Part of subcall function 0023D730: GetInputState.USER32 ref: 0023D807

Sleep.KERNEL32(00000000), ref: 0028F2DE

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 8d462e7a019364b98367ba407e889d862dbdda5d15c15d188d0c920caeb74d2c
Instruction ID: 2b3e6ed7df70703e6cb64a66a5a874affe28b0d8155abbcf9bd0bccd43be83a7
Opcode Fuzzy Hash: 8d462e7a019364b98367ba407e889d862dbdda5d15c15d188d0c920caeb74d2c
Instruction Fuzzy Hash: B7F08C752506059FD354EF79E549F6AB7E8EF45760F00002AE85DC72A0DBB0A820CF90

Function 002C2598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 002C2649

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: e3d5852a568e834a7f848851243ef4ed0478329438e677e188aa3fe5121312fe
Instruction ID: 730e1be76989a6bd1fe016369dc08af8a7f99e719e35ac23cf70986a84a6e336
Opcode Fuzzy Hash: e3d5852a568e834a7f848851243ef4ed0478329438e677e188aa3fe5121312fe
Instruction Fuzzy Hash: 5321B374210216EFD714DF14C8D0E36B799EB44368B64825DE8568B392CF71ED55CBA0

Function 002C13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 002C1420

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 28a13e656233a2fb484215c0112547a57736ef056d0eaea1af8e7216130c0f37
Instruction ID: 51d8f3ec570764adee549da649702072085d21dc0f0a8563c0e28b78b5e358af
Opcode Fuzzy Hash: 28a13e656233a2fb484215c0112547a57736ef056d0eaea1af8e7216130c0f37
Instruction Fuzzy Hash: 6C319170624202AFD728DF25C496F69B7A2FF45324F14826DE81A4B292DB71EC65CFD0

Function 00234ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00234E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00234EDD,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E9C
Part of subcall function 00234E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00234EAE
Part of subcall function 00234E90: FreeLibrary.KERNEL32(00000000,?,?,00234EDD,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234EFD

Part of subcall function 00234E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00273CDE,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E62
Part of subcall function 00234E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00234E74
Part of subcall function 00234E59: FreeLibrary.KERNEL32(00000000,?,?,00273CDE,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E87

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 8739a91358e83b136198d13581df7ee0c55fa84cfa4d6b9ef963b10401efc8cd
Instruction ID: 60c0a07d94279c7369ce3673ce288d4d22841fb3d90f02171323a7c5435c7601
Opcode Fuzzy Hash: 8739a91358e83b136198d13581df7ee0c55fa84cfa4d6b9ef963b10401efc8cd
Instruction Fuzzy Hash: C1110172630205AACB14FF64D802FAD77A5AF40714F24846EF446A61C1EEB4EA259F50

Function 00268402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00268440

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: c588100f21b227b156b932841d7746fb083d629e7a5fdfb82e9a095da59761fe
Instruction ID: d08ad2cf5e5c065ff78a536df3ef6790979d524ae4789a50676009cf67b1f758
Opcode Fuzzy Hash: c588100f21b227b156b932841d7746fb083d629e7a5fdfb82e9a095da59761fe
Instruction Fuzzy Hash: F711187590410AAFCB05DF58E981A9A7BF9EF48314F104199F808AB312DA31DA21CBA5

Function 00265000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00264C7D: RtlAllocateHeap.NTDLL(00000008,00231129,00000000,?,00262E29,00000001,00000364,?,?,?,0025F2DE,00263863,00301444,?,0024FDF5,?), ref: 00264CBE

_free.LIBCMT ref: 0026506C

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 4ae0f3dda07cc34eeee61dda791e8b06d92a8923919abce60fcd7e91c1d5a8ac
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 07012672214705ABE3218F65D881A5AFBE8FB89370F25051DE18483280EA70A845CAB4

Function 002C29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,002C14B5,?), ref: 002C2A01

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a153f2c19fe2b60c0bde62f2b174e4ea9b29cce4efc0272236d0cc38cab9d70a
Instruction ID: 407297f789c10a3410569a43f3dfd8a578cfa6689e2eb707198b698949b2f991
Opcode Fuzzy Hash: a153f2c19fe2b60c0bde62f2b174e4ea9b29cce4efc0272236d0cc38cab9d70a
Instruction Fuzzy Hash: A6019236720A42EFD324CA2DC454F227792EB85314F39866CC04B8B251DF32EC56C790

Function 0025E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 820540e2f770c5d0867916c6b6c5a796574271a16c4d2c2a09f5770fc1654e66
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 9BF04432530A10DACB353E298C05B5A338D8F523B3F110716FC20921C2CBB0D92E8EAD

Function 002C149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 002C14EB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 56d08ad6238f0b8019d66da5ea52aaf2111e933e7a55b5be03dec797ddfc300d
Instruction ID: 1be5406b85d392f3b435f481b181a5fb983c8f64979699f3d48a3a38ac9ead5b
Opcode Fuzzy Hash: 56d08ad6238f0b8019d66da5ea52aaf2111e933e7a55b5be03dec797ddfc300d
Instruction Fuzzy Hash: 430124353042419F9334CF69C441E26FB95FF82324724815DE84A8B703D632DCA2CB80

Function 00264C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00231129,00000000,?,00262E29,00000001,00000364,?,?,?,0025F2DE,00263863,00301444,?,0024FDF5,?), ref: 00264CBE

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 978aa34f3fd47a18c82f04e03f64de4f49452ee28695381f28534cfd64770c78
Instruction ID: 1e32860adbdd646d21a10631b9a5a1be4ea81e4221a53ef83ba9f6e97f1a39f9
Opcode Fuzzy Hash: 978aa34f3fd47a18c82f04e03f64de4f49452ee28695381f28534cfd64770c78
Instruction Fuzzy Hash: EEF0E931633225A7DB217F669C09F5A7788BF817A1B144123FC99E6390CA70D8B186E0

Function 00263820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6,?,00231129), ref: 00263852

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9cfd5f0c9ecf725e2dda02b7946fd955f96805d3d381de8a0f4d6fb44a227e07
Instruction ID: a597e7d813759c5aec99ed0e8bfa4161b905df53e362ca1058511bd04eed3c29
Opcode Fuzzy Hash: 9cfd5f0c9ecf725e2dda02b7946fd955f96805d3d381de8a0f4d6fb44a227e07
Instruction Fuzzy Hash: 22E0E53213122656E6216E679D05BDA764AAB427B1F150022BC0593891CB60DDA186E4

Function 00234F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234F6D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5eba68cb7fc56c1a873eaf344a36a7ca8ea651b141ac2335cac7c714913c450c
Instruction ID: 01670cdd9169754fb686f65bf36256f89064573a9582951c1c51b0fbd2d31a86
Opcode Fuzzy Hash: 5eba68cb7fc56c1a873eaf344a36a7ca8ea651b141ac2335cac7c714913c450c
Instruction Fuzzy Hash: EDF030B1125752CFDB38AF65D494812B7E4FF1431972889FEE1DA82A11C771A854DF10

Function 002C2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002C2A66

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 8eb6a1f307747260c3b2652b9d4cddceb2f905f6e516b4693c2184ffb094c6fe
Instruction ID: e236d8ee338504b503ddb660e3774e85694f308ee35708a7060b04e5d77d98c8
Opcode Fuzzy Hash: 8eb6a1f307747260c3b2652b9d4cddceb2f905f6e516b4693c2184ffb094c6fe
Instruction Fuzzy Hash: 56E04F36374116EADB14EB34EC80EFA735CEB50395B10463AED1AD2100DF3099B99AA0

Function 00232DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00232DC4

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e5336c20904fee134ea6f265908ca6e552512a74f1983b700941eaab176fe896
Instruction ID: 40d79190c312b6d273181db94d9e11f812e0143d77ed3add89657b721550b7d0
Opcode Fuzzy Hash: e5336c20904fee134ea6f265908ca6e552512a74f1983b700941eaab176fe896
Instruction Fuzzy Hash: DEE0CD72A002245BC72092589C09FDA77DDDFC8790F044071FD0DE7248D970AD908A91

Function 00232B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00233837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00233908

Part of subcall function 0023D730: GetInputState.USER32 ref: 0023D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00232B6B

Part of subcall function 002330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0023314E

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 291dc507bf871bfddb39a1e54306560456b1af843f8cd8d9291832ffac6fd809
Instruction ID: f3dcf703d08e0f777a1de53a1c63ccb84152f19d6cffe6d3710ec32fd47e152b
Opcode Fuzzy Hash: 291dc507bf871bfddb39a1e54306560456b1af843f8cd8d9291832ffac6fd809
Instruction Fuzzy Hash: 84E026A131424402C608FB31A82256DE3598BD1311F40043EF142831A2CF2086694A11

Function 00293D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00293D18

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 148effc2f4bcf6aedaef7bb68d6d3bffc8715c16b4d707fef9ef799c5285b7ff
Instruction ID: 7380d1dcd797d8de78e8e3d6293e953f44c1b5a2d32420ecba516992a8db60dd
Opcode Fuzzy Hash: 148effc2f4bcf6aedaef7bb68d6d3bffc8715c16b4d707fef9ef799c5285b7ff
Instruction Fuzzy Hash: DBD08CF0AA03087EFB0087719D0BEBB339CC356E85F204BA4BE02D64C1D9A0DE080230

Function 0027039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00270704,?,?,00000000,?,00270704,00000000,0000000C), ref: 002703B7

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1907d01733494086b6aaff0391acb9a8a46619a2b2ed26f5cb1d96ccb610cb7c
Instruction ID: da86b126051c30b6552ae05b6c73937df8c8e0b8b783353df18e7cbfbbf5944a
Opcode Fuzzy Hash: 1907d01733494086b6aaff0391acb9a8a46619a2b2ed26f5cb1d96ccb610cb7c
Instruction Fuzzy Hash: CFD06C3204010DBBDF028F85ED06EDA3BAAFB48714F114000FE1C56020C772E821AB90

Function 00231CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00231CBC

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0e8b6ba011513cd400f58d731549e7b8105fc8c1d2e45564c3b45e2764d21d7a
Instruction ID: 03324f204a327f10b6fd8aad5f0a4562aa5f3a20c3c83a43b3921aabe3b05332
Opcode Fuzzy Hash: 0e8b6ba011513cd400f58d731549e7b8105fc8c1d2e45564c3b45e2764d21d7a
Instruction Fuzzy Hash: 3CC0923A281304AFF3168B80BC6EF11B768E348B00F548002F60DA95E3C3A22821EB54

Non-executed Functions

Function 002C9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002C961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002C965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 002C969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002C96C9
SendMessageW.USER32 ref: 002C96F2
GetKeyState.USER32(00000011), ref: 002C978B
GetKeyState.USER32(00000009), ref: 002C9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002C97AE
GetKeyState.USER32(00000010), ref: 002C97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002C97E9
SendMessageW.USER32 ref: 002C9810
SendMessageW.USER32(?,00001030,?,002C7E95), ref: 002C9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002C992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002C9941
SetCapture.USER32(?), ref: 002C994A
ClientToScreen.USER32(?,?), ref: 002C99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002C99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002C99D6
ReleaseCapture.USER32 ref: 002C99E1
GetCursorPos.USER32(?), ref: 002C9A19
ScreenToClient.USER32(?,?), ref: 002C9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 002C9A80
SendMessageW.USER32 ref: 002C9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 002C9AEB
SendMessageW.USER32 ref: 002C9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002C9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002C9B4A
GetCursorPos.USER32(?), ref: 002C9B68
ScreenToClient.USER32(?,?), ref: 002C9B75
GetParent.USER32(?), ref: 002C9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 002C9BFA
SendMessageW.USER32 ref: 002C9C2B
ClientToScreen.USER32(?,?), ref: 002C9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002C9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 002C9CDE
SendMessageW.USER32 ref: 002C9D01
ClientToScreen.USER32(?,?), ref: 002C9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002C9D82

Part of subcall function 00249944: GetWindowLongW.USER32(?,000000EB), ref: 00249952

GetWindowLongW.USER32(?,000000F0), ref: 002C9E05

Strings

p#0, xrefs: 002C9990
@GUI_DRAGID, xrefs: 002C997D
F, xrefs: 002C9D07

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#0
API String ID: 3429851547-3453007137
Opcode ID: f6634c705b998fa0b0f9b3057ec721b05eae91ae422ef48ecf9063373236498b
Instruction ID: 78e64853ec64ab1f2a50dfc1332f3494b6b9b7b8c374309017c2e0bc5edb3ed0
Opcode Fuzzy Hash: f6634c705b998fa0b0f9b3057ec721b05eae91ae422ef48ecf9063373236498b
Instruction Fuzzy Hash: B6428C74625201AFD725CF24CC58FAABBE9FF89310F20061EF599972A1D771A9A0CF41

Function 002C4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 002C48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 002C4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 002C4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 002C494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 002C495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 002C497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 002C49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 002C49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 002C4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002C4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 002C4A7E
IsMenu.USER32(?), ref: 002C4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002C4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002C4B20
GetWindowLongW.USER32(?,000000F0), ref: 002C4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 002C4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 002C4C82
wsprintfW.USER32 ref: 002C4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002C4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 002C4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002C4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002C4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 002C4D5A

Strings

%d/%02d/%02d, xrefs: 002C4CA8

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: c5f434e4af13f21fd39bbdfea29ed03b7479553409fa97ef3711498960233b48
Instruction ID: 119bbfc832a94fe9df669a9f6378a5b81d9f8720f5ea4165f19d2adea887489d
Opcode Fuzzy Hash: c5f434e4af13f21fd39bbdfea29ed03b7479553409fa97ef3711498960233b48
Instruction Fuzzy Hash: D9121271620215ABEB28AF24DC59FAF7BF8EF85310F20421DF91ADA2E0D7749950CB50

Function 0024F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0024F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0028F474
IsIconic.USER32(00000000), ref: 0028F47D
ShowWindow.USER32(00000000,00000009), ref: 0028F48A
SetForegroundWindow.USER32(00000000), ref: 0028F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0028F4AA
GetCurrentThreadId.KERNEL32 ref: 0028F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0028F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0028F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0028F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0028F4DE
SetForegroundWindow.USER32(00000000), ref: 0028F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028F4F6
keybd_event.USER32(00000012,00000000), ref: 0028F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028F50B
keybd_event.USER32(00000012,00000000), ref: 0028F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028F519
keybd_event.USER32(00000012,00000000), ref: 0028F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0028F528
keybd_event.USER32(00000012,00000000), ref: 0028F52D
SetForegroundWindow.USER32(00000000), ref: 0028F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0028F557

Strings

Shell_TrayWnd, xrefs: 0028F46F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a7fee4fa548417fa6950aa0c0b716925a554892a05ee85c81212d1a809415563
Instruction ID: 86c53e207399e96dcd9900aafb4a94555e86d7c864b8bf1319997fadef7c3fac
Opcode Fuzzy Hash: a7fee4fa548417fa6950aa0c0b716925a554892a05ee85c81212d1a809415563
Instruction Fuzzy Hash: 6D315EB5A50218BAEB206FB55D4EFBF7E6CEB44B50F20002AFA05F61D1C6B45910AB60

Function 00291201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 002916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0029170D
Part of subcall function 002916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0029173A
Part of subcall function 002916C3: GetLastError.KERNEL32 ref: 0029174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00291286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 002912A8
CloseHandle.KERNEL32(?), ref: 002912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002912D1
GetProcessWindowStation.USER32 ref: 002912EA
SetProcessWindowStation.USER32(00000000), ref: 002912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00291310

Part of subcall function 002910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002911FC), ref: 002910D4
Part of subcall function 002910BF: CloseHandle.KERNEL32(?,?,002911FC), ref: 002910E9

Strings

winsta0, xrefs: 002912CC
default, xrefs: 0029130B
, xrefs: 0029125A
Z/, xrefs: 00291392

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z/
API String ID: 22674027-1478175429
Opcode ID: 120f56d355fb3dca5f11be02748b405572deabbb32c083c6457f835a0951ba09
Instruction ID: 49ad67f864a9d795c3779d46c258cf6ac8d7c7b37040d9874dd6b512689f97ad
Opcode Fuzzy Hash: 120f56d355fb3dca5f11be02748b405572deabbb32c083c6457f835a0951ba09
Instruction Fuzzy Hash: E681A07191020AAFEF119FA5DD49FEE7BB9EF08704F244129F915A61A0D7718974CF20

Function 00290B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00291114
Part of subcall function 002910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291120
Part of subcall function 002910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 0029112F
Part of subcall function 002910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291136
Part of subcall function 002910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0029114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00290BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00290C00
GetLengthSid.ADVAPI32(?), ref: 00290C17
GetAce.ADVAPI32(?,00000000,?), ref: 00290C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00290C6D
GetLengthSid.ADVAPI32(?), ref: 00290C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00290C8C
HeapAlloc.KERNEL32(00000000), ref: 00290C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00290CB4
CopySid.ADVAPI32(00000000), ref: 00290CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00290CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00290D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00290D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290D45
HeapFree.KERNEL32(00000000), ref: 00290D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290D55
HeapFree.KERNEL32(00000000), ref: 00290D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290D65
HeapFree.KERNEL32(00000000), ref: 00290D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00290D78
HeapFree.KERNEL32(00000000), ref: 00290D7F

Part of subcall function 00291193: GetProcessHeap.KERNEL32(00000008,00290BB1,?,00000000,?,00290BB1,?), ref: 002911A1
Part of subcall function 00291193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00290BB1,?), ref: 002911A8
Part of subcall function 00291193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00290BB1,?), ref: 002911B7

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: eb4f1ba3eb3244b828278f4c01b32110dc79a9b14384b2170709e4672dbb832f
Instruction ID: bbbb05cdc4bdf331dfc4a5224d71491f55d967a4615320f393e5fe9e7dca656c
Opcode Fuzzy Hash: eb4f1ba3eb3244b828278f4c01b32110dc79a9b14384b2170709e4672dbb832f
Instruction Fuzzy Hash: 99714B7291020AAFDF10DFA5EC88FAEBBBCFF04314F144525E919A6291D771A915CBB0

Function 002AEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(002CCC08), ref: 002AEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 002AEB37
GetClipboardData.USER32(0000000D), ref: 002AEB43
CloseClipboard.USER32 ref: 002AEB4F
GlobalLock.KERNEL32(00000000), ref: 002AEB87
CloseClipboard.USER32 ref: 002AEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 002AEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 002AEBC9
GetClipboardData.USER32(00000001), ref: 002AEBD1
GlobalLock.KERNEL32(00000000), ref: 002AEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 002AEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 002AEC38
GetClipboardData.USER32(0000000F), ref: 002AEC44
GlobalLock.KERNEL32(00000000), ref: 002AEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 002AEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002AEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002AECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 002AECF3
CountClipboardFormats.USER32 ref: 002AED14
CloseClipboard.USER32 ref: 002AED59

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: c5276168987027d0ebabbda226ffd7e268c17687ff5c0f57125690ec2f9bef4c
Instruction ID: e18a6ec869eace3f93f18d16fba6017403fe1ab5631ef31a5167c33c3c867621
Opcode Fuzzy Hash: c5276168987027d0ebabbda226ffd7e268c17687ff5c0f57125690ec2f9bef4c
Instruction Fuzzy Hash: EF610274214302AFD700EF24D888F2AB7A8BF85714F25495DF85A872A1CF70DD56CB62

Function 002A698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002A69BE
FindClose.KERNEL32(00000000), ref: 002A6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002A6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002A6A75

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 002A6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 002A6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 002A6B6A
%02d, xrefs: 002A6C00, 002A6C0A, 002A6C5A, 002A6CAA, 002A6CFA, 002A6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 002A6B32
%4d, xrefs: 002A6BB1
%03d, xrefs: 002A6DA2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ba528d58aa12be71bb00d2c1bec776651129c620e084998a7b7bd572cd130621
Instruction ID: 2e82e6bb9630be7b2af1bd1cf56572d4892c07bfb8c08acba05e17e2f2695bb3
Opcode Fuzzy Hash: ba528d58aa12be71bb00d2c1bec776651129c620e084998a7b7bd572cd130621
Instruction Fuzzy Hash: 87D170B2518300AFC714EFA0C985EABB7ECAF89704F04491DF589D7291EB74DA54CB62

Function 002A9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 002A9663
GetFileAttributesW.KERNEL32(?), ref: 002A96A1
SetFileAttributesW.KERNEL32(?,?), ref: 002A96BB
FindNextFileW.KERNEL32(00000000,?), ref: 002A96D3
FindClose.KERNEL32(00000000), ref: 002A96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 002A96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 002A974A
SetCurrentDirectoryW.KERNEL32(002F6B7C), ref: 002A9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 002A9772
FindClose.KERNEL32(00000000), ref: 002A977F
FindClose.KERNEL32(00000000), ref: 002A978F

Strings

*.*, xrefs: 002A96F5

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 23c453b28bd58262b21ea7d6c33e6e7ef2fa4dd204f657c1e3803fb2a2ce391c
Instruction ID: affdfd18d7b36fe25a61afd83bc330e820926f7f41970157ed1758790b61d266
Opcode Fuzzy Hash: 23c453b28bd58262b21ea7d6c33e6e7ef2fa4dd204f657c1e3803fb2a2ce391c
Instruction Fuzzy Hash: 4131C57252021A6BDB14DFB5EC0CEEEB7ACDF4A361F1041A5F905E2090DF30D9948E64

Function 002A979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 002A97BE
FindNextFileW.KERNEL32(00000000,?), ref: 002A9819
FindClose.KERNEL32(00000000), ref: 002A9824
FindFirstFileW.KERNEL32(*.*,?), ref: 002A9840
SetCurrentDirectoryW.KERNEL32(?), ref: 002A9890
SetCurrentDirectoryW.KERNEL32(002F6B7C), ref: 002A98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 002A98B8
FindClose.KERNEL32(00000000), ref: 002A98C5
FindClose.KERNEL32(00000000), ref: 002A98D5

Part of subcall function 0029DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0029DB00

Strings

*.*, xrefs: 002A983B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 10a6ca5879da0dae67ac0cb275be8e07be04aaa38f8635a15cff5495fba4d924
Instruction ID: 0bb773e039b748154a83fc7e27d35d5b5b0adbe7f76b77480e1a70335cb8c19a
Opcode Fuzzy Hash: 10a6ca5879da0dae67ac0cb275be8e07be04aaa38f8635a15cff5495fba4d924
Instruction Fuzzy Hash: 7B31A03152121A6FDB10EFA5EC48EEE77ACDF07320F2041A5E914A2090DF35DAA5CF64

Function 002BBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002BB6AE,?,?), ref: 002BC9B5
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BC9F1
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA68
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002BBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 002BBFA9
RegCloseKey.ADVAPI32(00000000), ref: 002BBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002BC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002BC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002BC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002BC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 002BC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 002BC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002BC382
RegCloseKey.ADVAPI32(00000000), ref: 002BC38F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: bf69998f21aca2af912c0d7d1ac1954da91d5da193f46c08a7f1302be10cd700
Instruction ID: 2ed030b23cee8b6b7adc55e75f93064c5d740a4096ca81ce823683ea3ce843a2
Opcode Fuzzy Hash: bf69998f21aca2af912c0d7d1ac1954da91d5da193f46c08a7f1302be10cd700
Instruction Fuzzy Hash: 5B026B71614201AFC714CF28C894E6ABBE5AF89358F58C49DF84ADB2A2D731EC52CF51

Function 002A8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002A8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 002A8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002A8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002A8310
SetCurrentDirectoryW.KERNEL32(?), ref: 002A8324
SetCurrentDirectoryW.KERNEL32(?), ref: 002A8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002A838C
SetCurrentDirectoryW.KERNEL32(?), ref: 002A8395

Strings

*.*, xrefs: 002A839B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e1d7bc27143b991a7cd89a8b817f55771016942dbfa587bccabf84a50a1fdcd9
Instruction ID: 1f50ba309336cbea5d94a1b3a3077a9523d80fa842acf808abc720762f7357fa
Opcode Fuzzy Hash: e1d7bc27143b991a7cd89a8b817f55771016942dbfa587bccabf84a50a1fdcd9
Instruction Fuzzy Hash: 4F618CB25243459FCB10EF60C844AAEB3E8FF89310F14495EF98997251DB31E965CF92

Function 0029D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00233AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00233A97,?,?,00232E7F,?,?,?,00000000), ref: 00233AC2

Part of subcall function 0029E199: GetFileAttributesW.KERNEL32(?,0029CF95), ref: 0029E19A

FindFirstFileW.KERNEL32(?,?), ref: 0029D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0029D1DD
MoveFileW.KERNEL32(?,?), ref: 0029D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0029D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0029D237

Part of subcall function 0029D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0029D21C,?,?), ref: 0029D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0029D253
FindClose.KERNEL32(00000000), ref: 0029D264

Strings

\*.*, xrefs: 0029D0CD, 0029D0D6, 0029D0EB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 63a4669d6f8656339caec954181fe5b1a1bdd9f83d0e1fcffdc801025533c215
Instruction ID: ebc06ca2866ee5ec175ff4ef0cb67e4f685858c854031e0aeb9e855c0695cf2d
Opcode Fuzzy Hash: 63a4669d6f8656339caec954181fe5b1a1bdd9f83d0e1fcffdc801025533c215
Instruction Fuzzy Hash: B7617A71C1510DAACF05EFE0DA929EDB7B5AF55300F204065E806771A2EB30AF69DF61

Function 002AED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 002AED91
EmptyClipboard.USER32 ref: 002AED97
GlobalAlloc.KERNEL32(00000002,?), ref: 002AEDAC
CloseClipboard.USER32 ref: 002AEEA3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f064d8f46af9fce36f5d7f0991c30c6cbef74faf67ea9ffd0d548326c7473040
Instruction ID: 75ece35598dbde4e5dc9917f97f7b8f2815db4928e861a6b9817fa2cebc6e40d
Opcode Fuzzy Hash: f064d8f46af9fce36f5d7f0991c30c6cbef74faf67ea9ffd0d548326c7473040
Instruction Fuzzy Hash: 7C41E1752146129FDB10CF15E888F19BBE4EF45329F25C09DE4198B662CB71EC42CF90

Function 0029E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0029170D
Part of subcall function 002916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0029173A
Part of subcall function 002916C3: GetLastError.KERNEL32 ref: 0029174A

ExitWindowsEx.USER32(?,00000000), ref: 0029E932

Strings

@, xrefs: 0029E925
SeShutdownPrivilege, xrefs: 0029E902
, xrefs: 0029E95C
, xrefs: 0029E920

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 01216effec1672aeadac11363e7f2977c797f0c4cc35dafd2641037c6a09efd4
Instruction ID: 06e0963d6a89586b90068fe471fdf5c4759b7474956f74977dfeb46f6f7ad578
Opcode Fuzzy Hash: 01216effec1672aeadac11363e7f2977c797f0c4cc35dafd2641037c6a09efd4
Instruction Fuzzy Hash: 9301F972A30212AFFF54A6B5AC8AFBF726CAB14750F260421FD03E31D2D9A15C608590

Function 002B1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002B1276
WSAGetLastError.WSOCK32 ref: 002B1283
bind.WSOCK32(00000000,?,00000010), ref: 002B12BA
WSAGetLastError.WSOCK32 ref: 002B12C5
closesocket.WSOCK32(00000000), ref: 002B12F4
listen.WSOCK32(00000000,00000005), ref: 002B1303
WSAGetLastError.WSOCK32 ref: 002B130D
closesocket.WSOCK32(00000000), ref: 002B133C

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 215b6049cde31376c00a5bfb37efb320133201be1022907e0a7cbddfe6acb23f
Instruction ID: f3f6872f5f7e64365437f93602929388e46c89fa7be8c9191c487aa84d6f5ec1
Opcode Fuzzy Hash: 215b6049cde31376c00a5bfb37efb320133201be1022907e0a7cbddfe6acb23f
Instruction Fuzzy Hash: F941D271A101119FD710DF24D498B6ABBE5BF46358F688188E8568F3D6C771EC91CBE0

Function 0026B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0026B9D4
_free.LIBCMT ref: 0026B9F8
_free.LIBCMT ref: 0026BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002D3700), ref: 0026BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0030121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0026BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00301270,000000FF,?,0000003F,00000000,?), ref: 0026BC36
_free.LIBCMT ref: 0026BD4B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: cebc5fdb15e51c0564e21cd685076c9924b3cb25f9c5c960d4e39253c7ab6f80
Instruction ID: ba7ab67521d3916aebdb063dd78cc19e2b5e87bfaf238f068c19286d9ed770ba
Opcode Fuzzy Hash: cebc5fdb15e51c0564e21cd685076c9924b3cb25f9c5c960d4e39253c7ab6f80
Instruction Fuzzy Hash: 83C12871A24206EFCB22DF78DC51AAA7BBDEF41350F24419AE894D7251E7308EE1CB50

Function 0029D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00233AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00233A97,?,?,00232E7F,?,?,?,00000000), ref: 00233AC2

Part of subcall function 0029E199: GetFileAttributesW.KERNEL32(?,0029CF95), ref: 0029E19A

FindFirstFileW.KERNEL32(?,?), ref: 0029D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0029D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0029D481
FindClose.KERNEL32(00000000), ref: 0029D498
FindClose.KERNEL32(00000000), ref: 0029D4A1

Strings

\*.*, xrefs: 0029D3F2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 2a17a9ca9b7c855a076472c834a102d3c92ae48509e92eeb1e6078f829026b44
Instruction ID: e2ed01cc488e238bef3dc99573ebf15a91184645f8ffae3193a02faaea7c613a
Opcode Fuzzy Hash: 2a17a9ca9b7c855a076472c834a102d3c92ae48509e92eeb1e6078f829026b44
Instruction Fuzzy Hash: B631837102C3459FC700EF64D8558AFB7E8BE92310F445A2DF4D553191EB30AA29DB63

Function 0026E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0026E645

Strings

1#SNAN, xrefs: 0026F844
1#QNAN, xrefs: 0026F84B
1#IND, xrefs: 0026F83D
1#INF, xrefs: 0026F852

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a992fcb44982d8fe5aa2e7c6b9eed1ea99420e9d203dfa4c04ef7e599fed7386
Instruction ID: e674e170a261150c27d2ae2f22468654747b72a58cf796645437e55c38cbb239
Opcode Fuzzy Hash: a992fcb44982d8fe5aa2e7c6b9eed1ea99420e9d203dfa4c04ef7e599fed7386
Instruction Fuzzy Hash: F0C24971E286298FDF65CE28DD407EAB7B9EB44305F1541EAD80EE7240E774AE918F40

Function 002A648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002A64DC
CoInitialize.OLE32(00000000), ref: 002A6639
CoCreateInstance.OLE32(002CFCF8,00000000,00000001,002CFB68,?), ref: 002A6650
CoUninitialize.OLE32 ref: 002A68D4

Strings

.lnk, xrefs: 002A64BA, 002A6524, 002A65E0

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: ebbadad7714a111dea4cca7280023747e953429a8377d9b773727b862b7c8639
Instruction ID: 2c364d21d46b95f676fab79e5c117807003c4e676cd855c0bdf2dd7691826911
Opcode Fuzzy Hash: ebbadad7714a111dea4cca7280023747e953429a8377d9b773727b862b7c8639
Instruction Fuzzy Hash: 0DD179B1528201AFC314EF24C885D6BB7E8FF99304F54492DF5958B2A1EB70E919CF92

Function 002B22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 002B22E8

Part of subcall function 002AE4EC: GetWindowRect.USER32(?,?), ref: 002AE504

GetDesktopWindow.USER32 ref: 002B2312
GetWindowRect.USER32(00000000), ref: 002B2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 002B2355
GetCursorPos.USER32(?), ref: 002B2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002B23DF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 4ece22c13cb11a0c238a5ff72d54d67b3cac6807903d7d0e107a77cb2fddb4ce
Instruction ID: ae01f4da629be9bc134a3715151f87ff15a2d5831c2aadfacd44b1d877eb35a5
Opcode Fuzzy Hash: 4ece22c13cb11a0c238a5ff72d54d67b3cac6807903d7d0e107a77cb2fddb4ce
Instruction Fuzzy Hash: 33310372504305AFDB20DF14D849F9BB7E9FF88350F100919F989A7191DB34E919CB92

Function 002A9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 002A9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 002A9C8B

Part of subcall function 002A3874: GetInputState.USER32 ref: 002A38CB
Part of subcall function 002A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 002A9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 002A9C75

Strings

*.*, xrefs: 002A9B5D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 3012d0127856775320231d615d68a61a9065dccf41221645b414e3c0ba889965
Instruction ID: dd32493236e69bf667dbed6f0c30e06afc820b25a0c1f1aacb1d846ac1cfd848
Opcode Fuzzy Hash: 3012d0127856775320231d615d68a61a9065dccf41221645b414e3c0ba889965
Instruction Fuzzy Hash: 0241847191460A9FCF14DFA5CC49AEEBBB5EF0A310F244156E805A3191DB709FA4CF60

Function 0024997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00249A4E
GetSysColor.USER32(0000000F), ref: 00249B23
SetBkColor.GDI32(?,00000000), ref: 00249B36

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 37c7771d2263ec42cbb9616bd168e5863fb73dbc2e087a10189e8e4317eeb827
Instruction ID: 21fe42d4ba0d7a52a99e9db27c7da722dfbcc0b2cf515dd98b3e1353f64a4fff
Opcode Fuzzy Hash: 37c7771d2263ec42cbb9616bd168e5863fb73dbc2e087a10189e8e4317eeb827
Instruction Fuzzy Hash: 9BA1387013A425AEE72DEE3C8C98E7B2A9DEB42344F244309F402C66D1CA65DDB1C772

Function 002B1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 002B307A
Part of subcall function 002B304E: _wcslen.LIBCMT ref: 002B309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002B185D
WSAGetLastError.WSOCK32 ref: 002B1884
bind.WSOCK32(00000000,?,00000010), ref: 002B18DB
WSAGetLastError.WSOCK32 ref: 002B18E6
closesocket.WSOCK32(00000000), ref: 002B1915

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 8922e3d1a0a79e6739fed1f07435202b976c67bc361ea34fab30e5c4e670b900
Instruction ID: 70a4999886171801e2729eba3970f319d9fc5df714046e1b0e3701d2ac7a3493
Opcode Fuzzy Hash: 8922e3d1a0a79e6739fed1f07435202b976c67bc361ea34fab30e5c4e670b900
Instruction Fuzzy Hash: E451E6B5A102006FEB10AF24C896F6A77E5AB44718F54805CFA065F3D3C771AD618FA1

Function 002C1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002C1CC0
IsWindowEnabled.USER32 ref: 002C1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 002C1CDB
IsIconic.USER32 ref: 002C1CE9
IsZoomed.USER32 ref: 002C1CF7

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: dcf0389e9841ad8e88bf088ec3f8c6421796ef49cf73ac1b11c018398c48d76d
Instruction ID: 5f7d646ef591d132da742f329bb25fee4a35fa4deea853ca1ad46e4f5cadca07
Opcode Fuzzy Hash: dcf0389e9841ad8e88bf088ec3f8c6421796ef49cf73ac1b11c018398c48d76d
Instruction Fuzzy Hash: F821F6317502015FD3208F1AD885F267BA4EF86314F28815DF84A8B352CB71DD62CB91

Function 00238060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 002383E8
VUUU, xrefs: 0023843C
VUUU, xrefs: 002383FA
ERCP, xrefs: 0023813C
VUUU, xrefs: 00275DF0

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: a23b591979b1c104768559b38596833240f4dbda02969dbf525e5585b105fce2
Instruction ID: d73feb39846bfe8a98a0dad4131386f1c02a49fdfef9244e3537e671252f4d3d
Opcode Fuzzy Hash: a23b591979b1c104768559b38596833240f4dbda02969dbf525e5585b105fce2
Instruction Fuzzy Hash: 95A274B1E2062ACBDF24CF58C8457AEB7B1BF54314F24819AE819AB345DB709DA1CF50

Function 0029D5EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0029D608
DeviceIoControl.KERNEL32(00000000,pow,?,0000000C,?,00000028,?,00000000), ref: 0029D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0029D650

Strings

pow, xrefs: 0029D63F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: pow
API String ID: 33631002-2276729525
Opcode ID: d65b42228b541342b4fdf7d0c9de030962182f38ae1d5bb77cc03fae55bce015
Instruction ID: 90576f49fcb9ba6d0c2e97bd0d94d068bacac42cdfcf838a3221d64578b09ec2
Opcode Fuzzy Hash: d65b42228b541342b4fdf7d0c9de030962182f38ae1d5bb77cc03fae55bce015
Instruction Fuzzy Hash: 64116175E05228BFDB108F95EC49FAFBFBCEB45B50F108155F908E7290D6B04A059BA1

Function 00298298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002982AA

Strings

tb/, xrefs: 002984F4
(, xrefs: 002982F0
|, xrefs: 002982DA

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb/$|
API String ID: 1659193697-4214508366
Opcode ID: 023e3926fca929c720f6d45436dc7833a79afd92261667c5b547ce268424b4fb
Instruction ID: d691ed89c79789e90fecd07298ccd0de11204dd6d3c1b894cfe151539cd91749
Opcode Fuzzy Hash: 023e3926fca929c720f6d45436dc7833a79afd92261667c5b547ce268424b4fb
Instruction Fuzzy Hash: 81324675A10606DFCB28CF59C480A6AB7F0FF48710B15C46EE99ADB3A1EB70E951CB44

Function 002BA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002BA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 002BA6BA

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Process32NextW.KERNEL32(00000000,?), ref: 002BA79C
CloseHandle.KERNEL32(00000000), ref: 002BA7AB

Part of subcall function 0024CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00273303,?), ref: 0024CE8A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 2c4a3813ee6b3ebfa9055913662135d0aaa1e7ff12d3bd52381a581c3ba03f13
Instruction ID: dc2813d385264a5d9d192f2daf051f13299f3cab2b3560d627eece971dfedcef
Opcode Fuzzy Hash: 2c4a3813ee6b3ebfa9055913662135d0aaa1e7ff12d3bd52381a581c3ba03f13
Instruction Fuzzy Hash: 7A516BB1518300AFD710EF24C886A6BBBE8FF89754F00892DF58997261EB70D914CF92

Function 0029AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0029AAAC
SetKeyboardState.USER32(00000080), ref: 0029AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0029AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0029AB88

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 91d11ca946075b65e72ed9efa6bd1e509fa70c100dda7c81f6d59b987d8511e5
Instruction ID: c7b129257cd2423f7961aca3a77cd12f7630d20b332312c2adf7683381840988
Opcode Fuzzy Hash: 91d11ca946075b65e72ed9efa6bd1e509fa70c100dda7c81f6d59b987d8511e5
Instruction Fuzzy Hash: D6315D30A60309AFFF35CF68CC15BFA77A6AB64328F14421AF585521D0D77489A1C7D2

Function 002ACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 002ACE89
GetLastError.KERNEL32(?,00000000), ref: 002ACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 002ACEFE

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 95f15fda6dfa5d2654a3b16a5224ea0122b3c6d1a1ce043ca9e9a6ad7d74b7c2
Instruction ID: b711fce5705d3b91d2ef2b31f397d5245c1b7c3799d875982bb2c134f7fe1649
Opcode Fuzzy Hash: 95f15fda6dfa5d2654a3b16a5224ea0122b3c6d1a1ce043ca9e9a6ad7d74b7c2
Instruction Fuzzy Hash: BD21EDB1520306AFEB20CF65DA48BA6B7FCEB11354F20442EE646D2551EB70EE18CF94

Function 002A5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002A5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 002A5D17
FindClose.KERNEL32(?), ref: 002A5D5F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f0209813b63f2c66073eae6bdedfc46a94089340d3a78716988e2fc53bd1092c
Instruction ID: 499cdb0d9f5f2a1f4948fd7f56e72f22e944a3203228df6ab463fe00fc489e41
Opcode Fuzzy Hash: f0209813b63f2c66073eae6bdedfc46a94089340d3a78716988e2fc53bd1092c
Instruction Fuzzy Hash: F451BD74624A029FC714CF28C498E96B7E4FF4A324F14855EE95A8B3A1CB30ED24CF91

Function 00262622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0026271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00262724
UnhandledExceptionFilter.KERNEL32(?), ref: 00262731

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0a94d8ecd157604bbba69ba2e4acfe409c07e67f16e1840a3664c038e266c48c
Instruction ID: 619f81b85c34b6b3a8827551634f68a11a753cba842ee0ac78084ee797521f82
Opcode Fuzzy Hash: 0a94d8ecd157604bbba69ba2e4acfe409c07e67f16e1840a3664c038e266c48c
Instruction Fuzzy Hash: 1C31B57491121DABCB21DF64DD89BDDB7B8AF08310F5041EAE81CA7261E7309F958F45

Function 002A51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002A51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002A5238
SetErrorMode.KERNEL32(00000000), ref: 002A52A1

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: ddd727dadfcb6d2b4aeae9f00840c13d1f58b8993fab16bc64a5fd268b2a325b
Instruction ID: 1eba98e519071b8308c8157b3ab866c757a1cceb8f0d0cf29895ad483e302711
Opcode Fuzzy Hash: ddd727dadfcb6d2b4aeae9f00840c13d1f58b8993fab16bc64a5fd268b2a325b
Instruction Fuzzy Hash: 9B314D75A10518DFDB00DF55D888EAEBBB4FF49314F188099E809AB362DB71E855CB90

Function 002916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0024FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00250668
Part of subcall function 0024FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00250685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0029170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0029173A
GetLastError.KERNEL32 ref: 0029174A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e6513fef209c45e5558149bdf17fd219e12c9971573e8ee34e2616c4da84a04c
Instruction ID: 602aac166740becea931c6da4a439086d8009dee311af5992c5f3aefb013f36f
Opcode Fuzzy Hash: e6513fef209c45e5558149bdf17fd219e12c9971573e8ee34e2616c4da84a04c
Instruction Fuzzy Hash: 271194B2814306AFD7189F54EC86D6AB7BDEF44714B24852EE05A57241EB70BC518A20

Function 00291663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0029168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002916A1
FreeSid.ADVAPI32(?), ref: 002916B1

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 45eebdd58f1bf0df39b916bf9c61b39b3e4d0f45b6f7cbddb324b887a9de0722
Instruction ID: bf31fa74142f50e87dfa1471c6a91fa506236127a76e1ab46bc1f90e73486b5f
Opcode Fuzzy Hash: 45eebdd58f1bf0df39b916bf9c61b39b3e4d0f45b6f7cbddb324b887a9de0722
Instruction Fuzzy Hash: C9F0F471950309FBDF00DFE49C89EAEBBBCFB08604F504565E901E2181E774AA448A54

Function 00254CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(002628E9,?,00254CBE,002628E9,002F88B8,0000000C,00254E15,002628E9,00000002,00000000,?,002628E9), ref: 00254D09
TerminateProcess.KERNEL32(00000000,?,00254CBE,002628E9,002F88B8,0000000C,00254E15,002628E9,00000002,00000000,?,002628E9), ref: 00254D10
ExitProcess.KERNEL32 ref: 00254D22

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6fb049413a9cf292a268f7f5a16c06339bdf826cdb0fdcb0fcc140258f246d65
Instruction ID: 7770608be9e6c18cca4c0236e67b022e743e67a288e8b634a2a4ebfc8333a6dd
Opcode Fuzzy Hash: 6fb049413a9cf292a268f7f5a16c06339bdf826cdb0fdcb0fcc140258f246d65
Instruction Fuzzy Hash: F1E0B671411188ABCF11BF54EE0DE587B79FB45786B244058FC098B122CB76DDA6CA94

Function 0026C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0026C36C

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f2bfaa76557a99fa8e28b0c99ab0b22e1b5604bd58e9f46ccba5b69e95cf1d0e
Instruction ID: be41660d760e67c9cce3986fd6da5185038c821e87f3687b7e9a3427b532f970
Opcode Fuzzy Hash: f2bfaa76557a99fa8e28b0c99ab0b22e1b5604bd58e9f46ccba5b69e95cf1d0e
Instruction Fuzzy Hash: B9413872910219ABCB24EFB9DC48EBB7778EB84314F2042A9FD45C7280E6709D918B50

Function 0028D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0028D28C

Strings

X64, xrefs: 0028D2A8

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 269bf81206cb729e99d9ce307108e328dbc12d360b2c3a6aa38eea6b9eb40c20
Instruction ID: 92cb430d75858ec50a99ac4a8fad3e51410d9625bd028a1c9ebe53f541ab08e2
Opcode Fuzzy Hash: 269bf81206cb729e99d9ce307108e328dbc12d360b2c3a6aa38eea6b9eb40c20
Instruction Fuzzy Hash: 51D0C9B482511DEBCB94DB90EC88DD9B37CBB04305F100151F506A2040D7B095588F10

Function 0025CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d9e1681aff0968c5a9be5dfe73433ac498c94dbe1de01ba7bac72d101fc21f62
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: C8023C71E102199FDF14CFA9C8806ADBBF1EF48325F25816AD819E7380E730AA55CB84

Function 0023CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#0, xrefs: 0023CF7F
Variable is not of type 'Object'., xrefs: 00280C40

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#0
API String ID: 0-1997178753
Opcode ID: ede097dffdfeb56d13f52211134fde8f4c9862e4f69ffdc93ea820c5ae09305d
Instruction ID: 6031b7dd5228d86584d243319981a8368faec627a693fe20a769ddf37f1764f0
Opcode Fuzzy Hash: ede097dffdfeb56d13f52211134fde8f4c9862e4f69ffdc93ea820c5ae09305d
Instruction Fuzzy Hash: F8329DB4930219DBCF14EF94C885AEDB7B5BF05304F24406AE806BB292D775AD69CF50

Function 002A68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002A6918
FindClose.KERNEL32(00000000), ref: 002A6961

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ef3a3dcaa4422ac3243d14524877ee42757ea3b03c22e5823ea52758336aff9a
Instruction ID: 77feb69db3111c96f2c897b15e83fbf8f409a22fdcdd92c2d535e80edcfbdb93
Opcode Fuzzy Hash: ef3a3dcaa4422ac3243d14524877ee42757ea3b03c22e5823ea52758336aff9a
Instruction Fuzzy Hash: B31190756142019FC710DF29D488A16BBE5FF89328F18C699E8698F6A2CB30EC15CF91

Function 002A37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,002B4891,?,?,00000035,?), ref: 002A37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,002B4891,?,?,00000035,?), ref: 002A37F4

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 23f692595562d166157752f01a27b8c94d10dd1d2371632756ac1aef3b91cef9
Instruction ID: 9352e727f94f2b8ad2a9dc5603b3ef9457715b59fb0b4121a66f3719e77e2803
Opcode Fuzzy Hash: 23f692595562d166157752f01a27b8c94d10dd1d2371632756ac1aef3b91cef9
Instruction Fuzzy Hash: 95F055B06143282BE72057669C4CFEB7AAEEFC5760F100161F50CD2280D9A08900CAB0

Function 0029B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0029B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0029B270

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 74b7af2e36d679419a2f7e7ea9239bb396d7d4d50ba259ec2ec8791cea0511f1
Instruction ID: bbfeefa582820417dc6dbb9f0db9b71d2e358259828a6a1a766caca3895f3ccb
Opcode Fuzzy Hash: 74b7af2e36d679419a2f7e7ea9239bb396d7d4d50ba259ec2ec8791cea0511f1
Instruction Fuzzy Hash: 48F01D7181424EABDF059FA0D809BAE7BB4FF04305F10801AF955A5191C3799615DF94

Function 002910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002911FC), ref: 002910D4
CloseHandle.KERNEL32(?,?,002911FC), ref: 002910E9

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 451c5f5463724c52bd975433a77b117c36c312203ef47031c6bd70d7182d74e9
Instruction ID: e8581e428c7ab1eaeb69f62d8272f72603a7583f6b79189269ab56824fbac866
Opcode Fuzzy Hash: 451c5f5463724c52bd975433a77b117c36c312203ef47031c6bd70d7182d74e9
Instruction Fuzzy Hash: 2AE04F32028601EEE7292B11FD09E7377A9EB04310B24882DF4AA804B1DB626CA0DB10

Function 0026676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00266766,?,?,00000008,?,?,0026FEFE,00000000), ref: 00266998

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b59d5ee295f4f974c6966bfc34341b7a00c926722fc5480b0152508a2c09b12e
Instruction ID: 7e5de12e24911a67279f91095a8ebf7e0ccc87f3257ba1cb1b23307f36aca147
Opcode Fuzzy Hash: b59d5ee295f4f974c6966bfc34341b7a00c926722fc5480b0152508a2c09b12e
Instruction Fuzzy Hash: F6B14B31620609DFD719CF28C48AB657BE0FF45364F298658E899CF2A2C335EDA5CB40

Function 0024B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0028851F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: aef99ea4447a3105970f8e4963da8c4d80747e7cd6e21029a6da1450b3799836
Instruction ID: 76341e93258225c8961ea712861771e81df6892f1f8dca441f0a92e7addc2ada
Opcode Fuzzy Hash: aef99ea4447a3105970f8e4963da8c4d80747e7cd6e21029a6da1450b3799836
Instruction Fuzzy Hash: 5E128075D202299BCB19DF58C8806EEB7B5FF48710F50819AE809EB291DB709E91CF90

Function 002AEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 002AEABD

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 73849cc35f4911a58579d59ce86057744b960adad6820f1650293be7a02d3257
Instruction ID: b2d35c29609fbe8172958c3738a56f93cf7979f392d0ca64f6044ddda6889b40
Opcode Fuzzy Hash: 73849cc35f4911a58579d59ce86057744b960adad6820f1650293be7a02d3257
Instruction Fuzzy Hash: 38E01A762202049FC710EF69D804E9AB7E9AF99760F11841AFD49DB361DAB0EC518B90

Function 002509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,002503EE), ref: 002509DA

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 01a79e8d9da474a03df7b6aa38db0dd9d16d8e010538d736bb48ad3d02de6796
Instruction ID: f0f102ae11dfbe57f65d4c287722318d3f4554b7798acbe46c7919b379dc191a
Opcode Fuzzy Hash: 01a79e8d9da474a03df7b6aa38db0dd9d16d8e010538d736bb48ad3d02de6796
Instruction Fuzzy Hash:

Function 0025781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0025798B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 63c1561cfd9633a037bdd06207e224889a7edcfce00d257f7ddd575b68c33dfd
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 7B5158716FC6075ADB384D68A85D7BE23899B12302F180519DC82D7282C671DE3DE76E

Function 002A2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&0, xrefs: 002A2053

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: 0&0
API String ID: 0-1043173130
Opcode ID: ac24701fbc05ff0d4b4c22be5bef66eda092b28b798f0977096dac7df91d95d3
Instruction ID: 7c8fedf5474bed06edadfeb9899967d509f6fd0507c9cd0012860d6c937ec70c
Opcode Fuzzy Hash: ac24701fbc05ff0d4b4c22be5bef66eda092b28b798f0977096dac7df91d95d3
Instruction Fuzzy Hash: CC21BB326215158BD728CF79C82367F73E9A764310F15862EE4A7C37D1DE76A904CB44

Function 00266DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e95f32a89753df1096c48ac3c89608c23df4160aba7bd256f0e65b3b98cad2
Instruction ID: c883862b88dd4728620f07432f5698d9b0fd984315aa492f1d41976725e62f51
Opcode Fuzzy Hash: 37e95f32a89753df1096c48ac3c89608c23df4160aba7bd256f0e65b3b98cad2
Instruction Fuzzy Hash: 1B321321D3AF418DD7239634E826335A749AFB73C9F25D737E81AB59A5EB29C8C34100

Function 0024CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbd9032c08b1d2e03aabc46e5f30efed5472918f82c49d86f613179cf7db01a
Instruction ID: dd69b00e6e696810000c4ec2333f9bf2fcb42ae3a3cbca1e7d7af479c4f12d15
Opcode Fuzzy Hash: cfbd9032c08b1d2e03aabc46e5f30efed5472918f82c49d86f613179cf7db01a
Instruction Fuzzy Hash: D1322439A361168BCF2CEE28C4D467D77A1EB45314F38816BD55A8B2E1D330DDA1DB60

Function 00237920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f946e26db2bea3b7068fda8276c5b70177308088899a9eb5481dd23696b68b90
Instruction ID: da8051d54ee7bb988b72ddfe63451528b4e6586376662b9afe70dfa101b22b24
Opcode Fuzzy Hash: f946e26db2bea3b7068fda8276c5b70177308088899a9eb5481dd23696b68b90
Instruction Fuzzy Hash: 5322D3B0A2461ADFDF14CF64C981AAEF3F6FF44300F108569E816A7291EB75AD64CB50

Function 002391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06168560f968161088a3fcecfa09f0f81273cc2b1b6629fd5b16211608ebe2e
Instruction ID: 9e7e0068be18c5a0d89a24173a4defd89120c748ed10686ed9624c743e289c9b
Opcode Fuzzy Hash: a06168560f968161088a3fcecfa09f0f81273cc2b1b6629fd5b16211608ebe2e
Instruction Fuzzy Hash: EC02C9B1E20106EBDF05DF54D981AAEB7B5FF48304F1181A9E81A9B290E771DA70CF91

Function 00269EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541d124e6728337f4d9d050f209c36bbe919091534655fff5924e22f9c4bf45c
Instruction ID: a4f113c84e66011beab79e506bc9b46db1cdfc6586aa2c61af1d28f4ec5fefbe
Opcode Fuzzy Hash: 541d124e6728337f4d9d050f209c36bbe919091534655fff5924e22f9c4bf45c
Instruction Fuzzy Hash: 5FB1F120D2AF414DC2639639D935336B75CAFBB2D5F91D31BFC1674D22EB2289834181

Function 00251C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 57252c05d0d6bc15ebdd33412d1e188f47aa51952eed2330f80e22a16aba0102
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BE9177321290A349DB294A39853567DFFF15A523A371A079EDCF2CA1C5EE30897CD624

Function 002519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 6f2f92ec24040254187199bb06eb35e51b19ee571db2b9cf20ebb8e3d32e8e82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 5E9188722290A34ADB2E467A857413DFFE15A923A731A079ED8F2CA1C1FD34C57CD624

Function 00257A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de787b27e37bb6a04f6fd7a373cf466f66a560c117b304156af5bb4d635b3752
Instruction ID: 245572f3855b39ad865b21db0ad5fa7c354dfbae5b47a667f75e4738ae8d1546
Opcode Fuzzy Hash: de787b27e37bb6a04f6fd7a373cf466f66a560c117b304156af5bb4d635b3752
Instruction Fuzzy Hash: C76169706F830B57DA345D287895BBE2394DF4130BF14091AEC42DB281D9B19E6E871D

Function 00257CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89742a7a5f97b3a685cd2223378b60b1957c584a50c80e8df46e5e4e3e433fa7
Instruction ID: b0fc8a045f1e71d06b6d6b94304e53d2cb188ef85cb13cb95d2aea4e2a585814
Opcode Fuzzy Hash: 89742a7a5f97b3a685cd2223378b60b1957c584a50c80e8df46e5e4e3e433fa7
Instruction Fuzzy Hash: 9A617A712F870B56DA384D287856BBE23A89F42703F100959EC43DB281E7B2DD7E865D

Function 00251706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e1c4b35007b0110fea2d8a346112c8019afae46ca359a0f2df338d383308014d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 538199325280A309EB2D463D853457EFFE15A923A371A079DD8F2CA1C1EE34C97CD624

Function 0024D065 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343f9247746acb2885f3203d884419597a962342ec505fce3ad7cfb1bb898b3c
Instruction ID: 1d7377b74fe3da2afec1c864264caf561dc6eb68167a03c96a68b8f75125b154
Opcode Fuzzy Hash: 343f9247746acb2885f3203d884419597a962342ec505fce3ad7cfb1bb898b3c
Instruction Fuzzy Hash: DC5118A284FBC1AFDB074B71886E0447F70ED6765031E4ACFC0C08F1A7E6A41959CB66

Function 002B2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002B2B30
DeleteObject.GDI32(00000000), ref: 002B2B43
DestroyWindow.USER32 ref: 002B2B52
GetDesktopWindow.USER32 ref: 002B2B6D
GetWindowRect.USER32(00000000), ref: 002B2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 002B2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 002B2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2CF8
GetClientRect.USER32(00000000,?), ref: 002B2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002B2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2DA8
GlobalFree.KERNEL32(00000000), ref: 002B2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,002CFC38,00000000), ref: 002B2DDB
GlobalFree.KERNEL32(00000000), ref: 002B2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 002B2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 002B2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002B303F

Strings

static, xrefs: 002B2D3A, 002B2E91
, xrefs: 002B2FC5
AutoIt v3, xrefs: 002B2CF2
DISPLAY, xrefs: 002B2EA2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b6afecfae9c80e5202805d9a514089c884318c409570698c999644501b5e4089
Instruction ID: 295196fee4b5ccf262580922e355e13689d1828f655fc271b4b33c5485054f00
Opcode Fuzzy Hash: b6afecfae9c80e5202805d9a514089c884318c409570698c999644501b5e4089
Instruction Fuzzy Hash: E0029AB5910209EFDB14DF64DC89EAE7BB9EF48310F148158F919AB2A1CB70AD15CF60

Function 002C70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002C712F
GetSysColorBrush.USER32(0000000F), ref: 002C7160
GetSysColor.USER32(0000000F), ref: 002C716C
SetBkColor.GDI32(?,000000FF), ref: 002C7186
SelectObject.GDI32(?,?), ref: 002C7195
InflateRect.USER32(?,000000FF,000000FF), ref: 002C71C0
GetSysColor.USER32(00000010), ref: 002C71C8
CreateSolidBrush.GDI32(00000000), ref: 002C71CF
FrameRect.USER32(?,?,00000000), ref: 002C71DE
DeleteObject.GDI32(00000000), ref: 002C71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 002C7230
FillRect.USER32(?,?,?), ref: 002C7262
GetWindowLongW.USER32(?,000000F0), ref: 002C7284

Part of subcall function 002C73E8: GetSysColor.USER32(00000012), ref: 002C7421
Part of subcall function 002C73E8: SetTextColor.GDI32(?,?), ref: 002C7425
Part of subcall function 002C73E8: GetSysColorBrush.USER32(0000000F), ref: 002C743B
Part of subcall function 002C73E8: GetSysColor.USER32(0000000F), ref: 002C7446
Part of subcall function 002C73E8: GetSysColor.USER32(00000011), ref: 002C7463
Part of subcall function 002C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002C7471
Part of subcall function 002C73E8: SelectObject.GDI32(?,00000000), ref: 002C7482
Part of subcall function 002C73E8: SetBkColor.GDI32(?,00000000), ref: 002C748B
Part of subcall function 002C73E8: SelectObject.GDI32(?,?), ref: 002C7498
Part of subcall function 002C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 002C74B7
Part of subcall function 002C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002C74CE
Part of subcall function 002C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 002C74DB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6d79a13ef15c70fb29bbeb684bdba8d9c7b613be10ead5d92042571ca8d3a728
Instruction ID: a5a94c703aea2b5d8a11b69824a2fe5a64f59736541986936e984130bee1f327
Opcode Fuzzy Hash: 6d79a13ef15c70fb29bbeb684bdba8d9c7b613be10ead5d92042571ca8d3a728
Instruction Fuzzy Hash: 22A19072418302AFD7019F60EC4CE5B7BA9FB89320F240B19F96AA61E1D771E954CF52

Function 00248D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00248E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00286AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00286AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00286F43

Part of subcall function 00248F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00248BE8,?,00000000,?,?,?,?,00248BBA,00000000,?), ref: 00248FC5

SendMessageW.USER32(?,00001053), ref: 00286F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00286F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00286FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00286FB7

Strings

0, xrefs: 00286DCF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 78a37be903bb22ee1c7cb8ef53c1ff4cd133a87a37c87f268080680026f063d6
Instruction ID: 1b33837a285a0a02870528aadcf8629cea8595eb8e2790c366c6723fc8461fa2
Opcode Fuzzy Hash: 78a37be903bb22ee1c7cb8ef53c1ff4cd133a87a37c87f268080680026f063d6
Instruction Fuzzy Hash: 1112C038622202DFD72AEF14D858FAAB7E5FB44300F144469F5899B6A1CB31EC61CF91

Function 002B2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 002B273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002B286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 002B28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 002B28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 002B2900
GetClientRect.USER32(00000000,?), ref: 002B290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 002B2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002B2964
GetStockObject.GDI32(00000011), ref: 002B2974
SelectObject.GDI32(00000000,00000000), ref: 002B2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 002B2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002B2991
DeleteDC.GDI32(00000000), ref: 002B299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002B29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 002B29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 002B2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002B2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 002B2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 002B2A77
GetStockObject.GDI32(00000011), ref: 002B2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002B2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 002B2A97

Strings

static, xrefs: 002B294F, 002B2A71
msctls_progress32, xrefs: 002B2A13
AutoIt v3, xrefs: 002B28F8
DISPLAY, xrefs: 002B295A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 797e68ffd3f81bce2da8caf4333b0d708827deb1c250e29d45fbf662290e6e44
Instruction ID: 141e4be3ea8d79c5db74d6639eb411d4855cd3a241fbaa90decf147b22c54582
Opcode Fuzzy Hash: 797e68ffd3f81bce2da8caf4333b0d708827deb1c250e29d45fbf662290e6e44
Instruction Fuzzy Hash: 32B16DB6A10205AFEB14DF68DC49FAFBBA9EB48710F104155FA14E7290D770AD50CFA4

Function 002A4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002A4AED
GetDriveTypeW.KERNEL32(?,002CCB68,?,\\.\,002CCC08), ref: 002A4BCA
SetErrorMode.KERNEL32(00000000,002CCB68,?,\\.\,002CCC08), ref: 002A4D36

Strings

MMC, xrefs: 002A4CDE
Unknown, xrefs: 002A4BED, 002A4C83
RAID, xrefs: 002A4CBB
SAS, xrefs: 002A4CC9
Fixed, xrefs: 002A4C09
SSA, xrefs: 002A4CA6
Removable, xrefs: 002A4C10, 002A4C15
SSD, xrefs: 002A4C4A
ATAPI, xrefs: 002A4C91
1394, xrefs: 002A4C9F
ATA, xrefs: 002A4C98
USB, xrefs: 002A4CB4
CDROM, xrefs: 002A4BFB
SATA, xrefs: 002A4CD0
RAMDisk, xrefs: 002A4BF4
Virtual, xrefs: 002A4CE5
FileBackedVirtual, xrefs: 002A4CEC
Network, xrefs: 002A4C02
SCSI, xrefs: 002A4C8A
iSCSI, xrefs: 002A4CC2
Fibre, xrefs: 002A4CAD
\\.\, xrefs: 002A4B3F
PhysicalDrive, xrefs: 002A4B76

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3b0d52180abe2e62112d48bf2b92b560c1d98dffd8d17802084c33ae670c2e7b
Instruction ID: 136ac9044b03e446612921d5d9ee87159a1fcb121f62bc2bb6bb971efc45408b
Opcode Fuzzy Hash: 3b0d52180abe2e62112d48bf2b92b560c1d98dffd8d17802084c33ae670c2e7b
Instruction Fuzzy Hash: 3261E33063120A9BCB04EF24C985978B7B2EB87394B244527F90AAB651CFF1DD71DB51

Function 002C73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002C7421
SetTextColor.GDI32(?,?), ref: 002C7425
GetSysColorBrush.USER32(0000000F), ref: 002C743B
GetSysColor.USER32(0000000F), ref: 002C7446
CreateSolidBrush.GDI32(?), ref: 002C744B
GetSysColor.USER32(00000011), ref: 002C7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002C7471
SelectObject.GDI32(?,00000000), ref: 002C7482
SetBkColor.GDI32(?,00000000), ref: 002C748B
SelectObject.GDI32(?,?), ref: 002C7498
InflateRect.USER32(?,000000FF,000000FF), ref: 002C74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002C74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 002C74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002C752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002C7554
InflateRect.USER32(?,000000FD,000000FD), ref: 002C7572
DrawFocusRect.USER32(?,?), ref: 002C757D
GetSysColor.USER32(00000011), ref: 002C758E
SetTextColor.GDI32(?,00000000), ref: 002C7596
DrawTextW.USER32(?,002C70F5,000000FF,?,00000000), ref: 002C75A8
SelectObject.GDI32(?,?), ref: 002C75BF
DeleteObject.GDI32(?), ref: 002C75CA
SelectObject.GDI32(?,?), ref: 002C75D0
DeleteObject.GDI32(?), ref: 002C75D5
SetTextColor.GDI32(?,?), ref: 002C75DB
SetBkColor.GDI32(?,?), ref: 002C75E5

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 728c726935a325ed44b8f5805f85f8bc873790b54ebe9071983b5143a044d1bd
Instruction ID: 53c5edcc01ce933cd04161d5799cef2a5f338ceea69d18ce9014273431050c03
Opcode Fuzzy Hash: 728c726935a325ed44b8f5805f85f8bc873790b54ebe9071983b5143a044d1bd
Instruction Fuzzy Hash: EC617F72900219AFDF159FA4EC49EEE7FB9EB08360F244215F919BB2A1D7709950CF90

Function 002C0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002C1128
GetDesktopWindow.USER32 ref: 002C113D
GetWindowRect.USER32(00000000), ref: 002C1144
GetWindowLongW.USER32(?,000000F0), ref: 002C1199
DestroyWindow.USER32(?), ref: 002C11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002C11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002C120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002C121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 002C1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 002C1245
IsWindowVisible.USER32(00000000), ref: 002C12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 002C12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 002C12D0
GetWindowRect.USER32(00000000,?), ref: 002C12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 002C130E
GetMonitorInfoW.USER32(00000000,?), ref: 002C1328
CopyRect.USER32(?,?), ref: 002C133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 002C13AA

Strings

(, xrefs: 002C131B
0, xrefs: 002C10D3
tooltips_class32, xrefs: 002C11E6

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 38f07bd15ae109cd8e07e95f2059b2f10c0490d98f9911bc4785fea04211d727
Instruction ID: c49b0ebcc330e1300fc119e4f739d0af3539cd26b6fb02eebcc1855521686f99
Opcode Fuzzy Hash: 38f07bd15ae109cd8e07e95f2059b2f10c0490d98f9911bc4785fea04211d727
Instruction Fuzzy Hash: 31B18971614341AFD704DF64C889F6ABBE4FF85344F108A1CF9999B2A2C771E864CB92

Function 002C0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002C02E5
_wcslen.LIBCMT ref: 002C031F
_wcslen.LIBCMT ref: 002C0389
_wcslen.LIBCMT ref: 002C03F1
_wcslen.LIBCMT ref: 002C0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002C04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002C0504

Part of subcall function 0024F9F2: _wcslen.LIBCMT ref: 0024F9FD

Part of subcall function 0029223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00292258
Part of subcall function 0029223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0029228A

Strings

GETITEMCOUNT, xrefs: 002C0316, 002C0337
SELECTALL, xrefs: 002C0515
GETSUBITEMCOUNT, xrefs: 002C0384, 002C039F
FINDITEM, xrefs: 002C0627
GETTEXT, xrefs: 002C03EC, 002C0407
SELECT, xrefs: 002C0548
ISSELECTED, xrefs: 002C04DD
SELECTCLEAR, xrefs: 002C052D
GETSELECTEDCOUNT, xrefs: 002C0470, 002C048B
SELECTINVERT, xrefs: 002C057E
VIEWCHANGE, xrefs: 002C0675
DESELECT, xrefs: 002C059C
GETSELECTED, xrefs: 002C05E1

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: f590c71d936a0fa4dabfd4162e8c1152ea6130afb60d6742a25520ac48650edc
Instruction ID: 7613522eeb351558a5588966715a1db671b50c33b4116129720165c382275a67
Opcode Fuzzy Hash: f590c71d936a0fa4dabfd4162e8c1152ea6130afb60d6742a25520ac48650edc
Instruction Fuzzy Hash: 10E1AF71228241CBCB28DF24C590E2AB3E5BFC8754F64466DF8969B2A1DB30ED65CB41

Function 00248891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00248968
GetSystemMetrics.USER32(00000007), ref: 00248970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0024899B
GetSystemMetrics.USER32(00000008), ref: 002489A3
GetSystemMetrics.USER32(00000004), ref: 002489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00248A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00248A3C
GetClientRect.USER32(00000000,000000FF), ref: 00248A5A
GetStockObject.GDI32(00000011), ref: 00248A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00248A81

Part of subcall function 0024912D: GetCursorPos.USER32(?), ref: 00249141
Part of subcall function 0024912D: ScreenToClient.USER32(00000000,?), ref: 0024915E
Part of subcall function 0024912D: GetAsyncKeyState.USER32(00000001), ref: 00249183
Part of subcall function 0024912D: GetAsyncKeyState.USER32(00000002), ref: 0024919D

SetTimer.USER32(00000000,00000000,00000028,002490FC), ref: 00248AA8

Strings

AutoIt v3 GUI, xrefs: 00248A20

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 955b24657823a0a7feb648f5bc64318bc16e02ae2f56c7b20f82e25d28fd08cb
Instruction ID: 5700cbf9ce28c771d8865edf0f6034310003fe319fc068b758d3950889e189c9
Opcode Fuzzy Hash: 955b24657823a0a7feb648f5bc64318bc16e02ae2f56c7b20f82e25d28fd08cb
Instruction Fuzzy Hash: C7B18C35A2120A9FDB14DFA8DC59FAE7BB5FB48314F104229FA19A72D0DB70A950CF50

Function 00290D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00291114
Part of subcall function 002910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291120
Part of subcall function 002910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 0029112F
Part of subcall function 002910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291136
Part of subcall function 002910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0029114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00290DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00290E29
GetLengthSid.ADVAPI32(?), ref: 00290E40
GetAce.ADVAPI32(?,00000000,?), ref: 00290E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00290E96
GetLengthSid.ADVAPI32(?), ref: 00290EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00290EB5
HeapAlloc.KERNEL32(00000000), ref: 00290EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00290EDD
CopySid.ADVAPI32(00000000), ref: 00290EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00290F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00290F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00290F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290F6E
HeapFree.KERNEL32(00000000), ref: 00290F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290F7E
HeapFree.KERNEL32(00000000), ref: 00290F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00290F8E
HeapFree.KERNEL32(00000000), ref: 00290F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00290FA1
HeapFree.KERNEL32(00000000), ref: 00290FA8

Part of subcall function 00291193: GetProcessHeap.KERNEL32(00000008,00290BB1,?,00000000,?,00290BB1,?), ref: 002911A1
Part of subcall function 00291193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00290BB1,?), ref: 002911A8
Part of subcall function 00291193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00290BB1,?), ref: 002911B7

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: ef6eae62965710ae4da794b85272e83d921e7d1b21df22bbbb70f9ee57ed535a
Instruction ID: 06a3515a39f305e22d6e8eebcaa338144477519c51613ad29a6bdec625c52883
Opcode Fuzzy Hash: ef6eae62965710ae4da794b85272e83d921e7d1b21df22bbbb70f9ee57ed535a
Instruction Fuzzy Hash: E3714A7291020AAFDF20DFA5EC88FAEBBB8FF05310F144125F959A6191DB719A15CB60

Function 002BC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002BC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,002CCC08,00000000,?,00000000,?,?), ref: 002BC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 002BC5A4
_wcslen.LIBCMT ref: 002BC5F4
_wcslen.LIBCMT ref: 002BC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 002BC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 002BC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 002BC84D
RegCloseKey.ADVAPI32(?), ref: 002BC881
RegCloseKey.ADVAPI32(00000000), ref: 002BC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 002BC960

Strings

REG_SZ, xrefs: 002BC644
REG_MULTI_SZ, xrefs: 002BC6F5
REG_BINARY, xrefs: 002BC913
REG_DWORD, xrefs: 002BC804
REG_QWORD, xrefs: 002BC8C3
REG_EXPAND_SZ, xrefs: 002BC5CD

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e1c57f12ebf0deaec3605fa6b59df17686e8210f81cce799c6505025067de0c5
Instruction ID: ec7d9475542d6be33f499cf9eb06c06c5f1d3993dd7d0213a7d5d14d4d31172e
Opcode Fuzzy Hash: e1c57f12ebf0deaec3605fa6b59df17686e8210f81cce799c6505025067de0c5
Instruction Fuzzy Hash: 81128A756242019FCB24DF14C881E6AB7E5EF88754F14885DF88A9B3A2DB31ED51CF81

Function 002C091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002C09C6
_wcslen.LIBCMT ref: 002C0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002C0A54
_wcslen.LIBCMT ref: 002C0A8A
_wcslen.LIBCMT ref: 002C0B06
_wcslen.LIBCMT ref: 002C0B81

Part of subcall function 0024F9F2: _wcslen.LIBCMT ref: 0024F9FD

Part of subcall function 00292BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00292BFA

Strings

GETITEMCOUNT, xrefs: 002C0C1E
COLLAPSE, xrefs: 002C0B01, 002C0B1C
UNCHECK, xrefs: 002C0D3E
ISCHECKED, xrefs: 002C0CE1
GETTEXT, xrefs: 002C0C97
SELECT, xrefs: 002C0D11
CHECK, xrefs: 002C0A85, 002C0AA0
GETTOTALCOUNT, xrefs: 002C09F2, 002C0A17
EXPAND, xrefs: 002C0BF8
GETSELECTED, xrefs: 002C0C4E
EXISTS, xrefs: 002C0B7C, 002C0B97

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 5269fbc026f226bef5955d834b7b9205bd37039d60e941bbd1024081c4f91806
Instruction ID: 5b50a970c9f9d42b46f51aa9d1d5eacc5fc483a5e4e35ad1237d5fb0ddcf2549
Opcode Fuzzy Hash: 5269fbc026f226bef5955d834b7b9205bd37039d60e941bbd1024081c4f91806
Instruction Fuzzy Hash: 37E19971228302DFCB14DF24C490A2AB7E1FF98358F118A5DF8969B262D731ED65CB81

Function 002BC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,002BB6AE,?,?), ref: 002BC9B5
_wcslen.LIBCMT ref: 002BC9F1
_wcslen.LIBCMT ref: 002BCA68
_wcslen.LIBCMT ref: 002BCA9E
_wcslen.LIBCMT ref: 002BCAF9
_wcslen.LIBCMT ref: 002BCB2F
_wcslen.LIBCMT ref: 002BCB7F

Strings

HKCU, xrefs: 002BCBCE
HKEY_CURRENT_USER, xrefs: 002BCBBD
HKEY_USERS, xrefs: 002BCBDF
HKCC, xrefs: 002BCBAC
HKU, xrefs: 002BCBF0
HKEY_LOCAL_MACHINE, xrefs: 002BCA62, 002BCA67
HKLM, xrefs: 002BCA98, 002BCA9D
HKEY_CLASSES_ROOT, xrefs: 002BCAF3, 002BCAF8
HKCR, xrefs: 002BCB29, 002BCB2E
HKEY_CURRENT_CONFIG, xrefs: 002BCB79, 002BCB7E

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 7011ad0fc3c6ee550da5aa1a743fbba7ea442645172fef750e460a030449827a
Instruction ID: caf177b2bb26b207517d153a122379c67e480b51f3eed4308882443865239df5
Opcode Fuzzy Hash: 7011ad0fc3c6ee550da5aa1a743fbba7ea442645172fef750e460a030449827a
Instruction Fuzzy Hash: E971F43263016B8BCB20DE6CCD515FE7795ABA07D4F310129FC969B285E670CDB487A0

Function 002C833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002C835A
_wcslen.LIBCMT ref: 002C836E
_wcslen.LIBCMT ref: 002C8391
_wcslen.LIBCMT ref: 002C83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002C83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002C5BF2), ref: 002C844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002C8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002C84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002C8501
FreeLibrary.KERNEL32(?), ref: 002C850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002C851D
DestroyIcon.USER32(?,?,?,?,?,002C5BF2), ref: 002C852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002C8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002C8555

Strings

.exe, xrefs: 002C8388
.dll, xrefs: 002C83AB
.icl, xrefs: 002C8368

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b06b0deba78b0ac13ab818652d1ffb69ace0bb1333b7c17f2c9d4401160fd3dd
Instruction ID: d371c833ba6f75a81a75a379c988fbc3f481252c57deacc18e16493927faa00c
Opcode Fuzzy Hash: b06b0deba78b0ac13ab818652d1ffb69ace0bb1333b7c17f2c9d4401160fd3dd
Instruction Fuzzy Hash: 65610471560216BEEB28DF64DC45FBE77A8FF04751F20820AF815D60D0DBB4A9A0CBA0

Function 00237778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 002377E7
#pragma compile, xrefs: 002377D3
#cs, xrefs: 00237873, 002378C5
#ce, xrefs: 002378ED
#comments-start, xrefs: 0023785F, 002378B1
#OnAutoItStartRegister, xrefs: 00237817
", xrefs: 00275153
Unterminated group of comments, xrefs: 0027528C
Cannot parse #include, xrefs: 00275279
#include, xrefs: 00237847
#requireadmin, xrefs: 002377FF
Bad directive syntax error, xrefs: 0027519A
#comments-end, xrefs: 002378D9
#include-once, xrefs: 0023782F
', xrefs: 00275169

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 4a33c3551b9c015418b8adf03c6a928e23d76b85bb594a3a2fbfbb0ce10455d8
Instruction ID: fce2843d08e52dd2f45ce79519a77e92e9f88b6db9022bd44f104f8ecf7da53b
Opcode Fuzzy Hash: 4a33c3551b9c015418b8adf03c6a928e23d76b85bb594a3a2fbfbb0ce10455d8
Instruction Fuzzy Hash: 7481EAF1634615BBDF20AF60CD42FAEB7A8AF55300F044025FD09AA192EBB0D975CB91

Function 002A3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 002A3EF8
_wcslen.LIBCMT ref: 002A3F03
_wcslen.LIBCMT ref: 002A3F5A
_wcslen.LIBCMT ref: 002A3F98
GetDriveTypeW.KERNEL32(?), ref: 002A3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002A401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002A4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002A4087

Strings

open , xrefs: 002A3FE5
type cdaudio alias cd wait, xrefs: 002A4001
close, xrefs: 002A3EFE, 002A3F18
closed, xrefs: 002A3F08, 002A3F2D, 002A3F46, 002A3F7E, 002A3F97
close cd wait, xrefs: 002A4072
set cd door , xrefs: 002A4028
wait, xrefs: 002A4044
open, xrefs: 002A3F54, 002A3F59

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: edfa099b66f42c22950964b6f3654fa0e070e2a6c043013851acd860224ceb3b
Instruction ID: 7cf8d6f230f0829ee5fde1e66ef71a89b818aef0aa6b4536ae13066320e060e3
Opcode Fuzzy Hash: edfa099b66f42c22950964b6f3654fa0e070e2a6c043013851acd860224ceb3b
Instruction Fuzzy Hash: DD71F1726242029FC710EF24C88586AF7F4EF96758F10492DF995D3251EB30DE69CB91

Function 00295A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00295A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00295A40
SetWindowTextW.USER32(?,?), ref: 00295A57
GetDlgItem.USER32(?,000003EA), ref: 00295A6C
SetWindowTextW.USER32(00000000,?), ref: 00295A72
GetDlgItem.USER32(?,000003E9), ref: 00295A82
SetWindowTextW.USER32(00000000,?), ref: 00295A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00295AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00295AC3
GetWindowRect.USER32(?,?), ref: 00295ACC
_wcslen.LIBCMT ref: 00295B33
SetWindowTextW.USER32(?,?), ref: 00295B6F
GetDesktopWindow.USER32 ref: 00295B75
GetWindowRect.USER32(00000000), ref: 00295B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00295BD3
GetClientRect.USER32(?,?), ref: 00295BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00295C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00295C2F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: dceb74d20489f4e6342de30132f8fede5cc02a5d458be5a8e3571b55ce48facf
Instruction ID: e84903292e30e15231e5af6917c46bfc7412dc14261ef7e89f3d8c298dc2b040
Opcode Fuzzy Hash: dceb74d20489f4e6342de30132f8fede5cc02a5d458be5a8e3571b55ce48facf
Instruction Fuzzy Hash: 1B719F31A10B16AFDF21DFA8CE89E6EBBF5FF48704F200518E586A25A4D770E954CB50

Function 002AFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 002AFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 002AFE32
LoadCursorW.USER32(00000000,00007F00), ref: 002AFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 002AFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 002AFE53
LoadCursorW.USER32(00000000,00007F01), ref: 002AFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 002AFE69
LoadCursorW.USER32(00000000,00007F88), ref: 002AFE74
LoadCursorW.USER32(00000000,00007F80), ref: 002AFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 002AFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 002AFE95
LoadCursorW.USER32(00000000,00007F85), ref: 002AFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 002AFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 002AFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 002AFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 002AFECC
GetCursorInfo.USER32(?), ref: 002AFEDC
GetLastError.KERNEL32 ref: 002AFF1E

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 662e4d36a9df3f864402fac4a20ad399c829594f179cf55bfd756f10ec77d3f4
Instruction ID: a1c2ee4f0ec43189f69ed32dbfedbc8c25b51fcafd09f672e4dedbf11a964c5d
Opcode Fuzzy Hash: 662e4d36a9df3f864402fac4a20ad399c829594f179cf55bfd756f10ec77d3f4
Instruction Fuzzy Hash: 524161B0D0431A6FDB509FBA8C89C5EBFE8FF05354B50452AE11DE7681DB78A9018F90

Function 002930F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029318D
_wcslen.LIBCMT ref: 002931F8

Strings

[/, xrefs: 0029339A
NAME, xrefs: 00293335, 00293346
INSTANCE, xrefs: 00293453
TEXT, xrefs: 0029347C
CLASS, xrefs: 00293188, 002931A5
CLASSNN, xrefs: 002931F3, 00293204
REGEXPCLASS, xrefs: 00293255, 00293266

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[/
API String ID: 176396367-1273981479
Opcode ID: 444bb4b80cf38a005ac2374709f29fce7703251f3c7a92361afc363d397f06cf
Instruction ID: 7ffa46d3d712460db2c97b3392d9e1512b46a4abcc2bb8316b9ec6f64affbd6f
Opcode Fuzzy Hash: 444bb4b80cf38a005ac2374709f29fce7703251f3c7a92361afc363d397f06cf
Instruction Fuzzy Hash: 88E1F532A20516ABCF18DFA8C4517FDFBB0BF48750F558129E956F7240DB30AEA58B90

Function 002500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002500C6

Part of subcall function 002500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0030070C,00000FA0,CB5553FA,?,?,?,?,002723B3,000000FF), ref: 0025011C
Part of subcall function 002500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002723B3,000000FF), ref: 00250127
Part of subcall function 002500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002723B3,000000FF), ref: 00250138
Part of subcall function 002500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0025014E
Part of subcall function 002500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0025015C
Part of subcall function 002500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0025016A
Part of subcall function 002500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00250195
Part of subcall function 002500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002501A0

___scrt_fastfail.LIBCMT ref: 002500E7

Part of subcall function 002500A3: __onexit.LIBCMT ref: 002500A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00250122
WakeAllConditionVariable, xrefs: 00250162
InitializeConditionVariable, xrefs: 00250148
kernel32.dll, xrefs: 00250133
SleepConditionVariableCS, xrefs: 00250154

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 51ff75abc6bf84cc7ce54100865d9401f1485ae517cf6a6d7ab6250e67768af6
Instruction ID: 1f3c7fc9b6a3140086eda6b96d12b24f5e706b20c70128ed48fd8e72d04d5bbe
Opcode Fuzzy Hash: 51ff75abc6bf84cc7ce54100865d9401f1485ae517cf6a6d7ab6250e67768af6
Instruction Fuzzy Hash: 08219B326607016FE7151F64BD49F6A3394DB45F62F10423AFC09932D1DFB48C108AA9

Function 002A44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,002CCC08), ref: 002A4527
_wcslen.LIBCMT ref: 002A453B
_wcslen.LIBCMT ref: 002A4599
_wcslen.LIBCMT ref: 002A45F4
_wcslen.LIBCMT ref: 002A463F
_wcslen.LIBCMT ref: 002A46A7

Part of subcall function 0024F9F2: _wcslen.LIBCMT ref: 0024F9FD

GetDriveTypeW.KERNEL32(?,002F6BF0,00000061), ref: 002A4743

Strings

unknown, xrefs: 002A4708
ramdisk, xrefs: 002A46F1
network, xrefs: 002A469D, 002A46A2
fixed, xrefs: 002A4635, 002A463A
removable, xrefs: 002A45EA, 002A45EF
all, xrefs: 002A4531, 002A4536
cdrom, xrefs: 002A458F, 002A4594

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3a436b8b0efef88a2f45d63426f051a7f37fcf5fdbc96ee9c6957479f967221f
Instruction ID: 70ef77497134d17748a5402233bee379ec4ac2522fcfb2e5fb2916ef45164ef0
Opcode Fuzzy Hash: 3a436b8b0efef88a2f45d63426f051a7f37fcf5fdbc96ee9c6957479f967221f
Instruction Fuzzy Hash: 7CB103716283029FC710EF28C890A7AF7E5AFE6B64F50491DF496C7291DBB0D864CB52

Function 002C911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

DragQueryPoint.SHELL32(?,?), ref: 002C9147

Part of subcall function 002C7674: ClientToScreen.USER32(?,?), ref: 002C769A
Part of subcall function 002C7674: GetWindowRect.USER32(?,?), ref: 002C7710
Part of subcall function 002C7674: PtInRect.USER32(?,?,002C8B89), ref: 002C7720

SendMessageW.USER32(?,000000B0,?,?), ref: 002C91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002C91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002C91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002C9225
SendMessageW.USER32(?,000000B0,?,?), ref: 002C923E
SendMessageW.USER32(?,000000B1,?,?), ref: 002C9255
SendMessageW.USER32(?,000000B1,?,?), ref: 002C9277
DragFinish.SHELL32(?), ref: 002C927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002C9371

Strings

@GUI_DRAGFILE, xrefs: 002C9320
p#0, xrefs: 002C92BB
@GUI_DRAGID, xrefs: 002C92E9
@GUI_DROPID, xrefs: 002C929E

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#0
API String ID: 221274066-1452285169
Opcode ID: 33d790ae7d3dbecb59cd785def2813c6fd8a4424b87d8283901b0b9a487f6d5b
Instruction ID: 35a661b1ec556834d9b4563d36d32f18fb474781e89bec0cbafab4f3392991ab
Opcode Fuzzy Hash: 33d790ae7d3dbecb59cd785def2813c6fd8a4424b87d8283901b0b9a487f6d5b
Instruction Fuzzy Hash: 5B616971118301AFC705DF64DC89EAFBBE8EF89750F100A2EF595921A0DB709A59CF92

Function 0023326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00301990), ref: 00272F8D
GetMenuItemCount.USER32(00301990), ref: 0027303D
GetCursorPos.USER32(?), ref: 00273081
SetForegroundWindow.USER32(00000000), ref: 0027308A
TrackPopupMenuEx.USER32(00301990,00000000,?,00000000,00000000,00000000), ref: 0027309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002730A9

Strings

0, xrefs: 0023327D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: d41c658094bd59dfc55d12184d59cdf5c570eefe1c8e0cc285089dbfbaea10fe
Instruction ID: 850839877dac1fb62dd5210602c30aa7517851a3170af59b73071326a0c8a59e
Opcode Fuzzy Hash: d41c658094bd59dfc55d12184d59cdf5c570eefe1c8e0cc285089dbfbaea10fe
Instruction Fuzzy Hash: 4971E671664216BFEB218F24DC49F9ABF68FF05364F208216F918661E0C7B1AD24DB91

Function 002C6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 002C6DEB

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002C6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002C6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002C6E94
DestroyWindow.USER32(?), ref: 002C6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00230000,00000000), ref: 002C6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002C6EFD
GetDesktopWindow.USER32 ref: 002C6F16
GetWindowRect.USER32(00000000), ref: 002C6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002C6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002C6F4D

Part of subcall function 00249944: GetWindowLongW.USER32(?,000000EB), ref: 00249952

Strings

0, xrefs: 002C6D98
tooltips_class32, xrefs: 002C6E58, 002C6EDD

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 6defb820df0194f712dc92500cc5f9abd72f83e3d7a6575790ab66fc0b95cd2b
Instruction ID: 2c97fedb13b3d506962362a654b71bbb8a436eed46a53897818fdcf1e3a9aaff
Opcode Fuzzy Hash: 6defb820df0194f712dc92500cc5f9abd72f83e3d7a6575790ab66fc0b95cd2b
Instruction Fuzzy Hash: 7F717770114245AFDB25CF18EC58FAABBE9FF89304F14061EF98A87261C770A916DF11

Function 002AC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002AC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002AC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002AC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002AC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 002AC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002AC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002AC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002AC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002AC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002AC5F0
InternetCloseHandle.WININET(00000000), ref: 002AC5FB

Strings

, xrefs: 002AC575

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 21ef5072f622205d837c594d739eda55e1a11d37a0ccb3c4b2724727cf53e6f3
Instruction ID: a6662ad80f1e79c1211f7babc89ea1fe5a54cd9bc7f8e8942c753ff7b8907a3a
Opcode Fuzzy Hash: 21ef5072f622205d837c594d739eda55e1a11d37a0ccb3c4b2724727cf53e6f3
Instruction Fuzzy Hash: 2D515CB0510205BFDB218F60D948EABBBFCFF09754F60441AF949A6610DB30E958DB60

Function 002C856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 002C8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 002C85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,002CFC38,?), ref: 002C8611
GlobalFree.KERNEL32(00000000), ref: 002C8621
GetObjectW.GDI32(?,00000018,?), ref: 002C8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 002C8671
DeleteObject.GDI32(?), ref: 002C8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002C86AF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7b9c07bede808b6318c77bf21740e68c69b340dcfa694955e84954effebdc93c
Instruction ID: 24e3fc757ab4600981032656220058ebdd92e2d55a649180e87bbde5cf581d45
Opcode Fuzzy Hash: 7b9c07bede808b6318c77bf21740e68c69b340dcfa694955e84954effebdc93c
Instruction Fuzzy Hash: 2D411975600205AFDB119FA5DC4CEAA7BBCFF89751F248158F909E7260DB709901CB60

Function 002A14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 002A1502
VariantCopy.OLEAUT32(?,?), ref: 002A150B
VariantClear.OLEAUT32(?), ref: 002A1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002A15FB
VarR8FromDec.OLEAUT32(?,?), ref: 002A1657
VariantInit.OLEAUT32(?), ref: 002A1708
SysFreeString.OLEAUT32(?), ref: 002A178C
VariantClear.OLEAUT32(?), ref: 002A17D8
VariantClear.OLEAUT32(?), ref: 002A17E7
VariantInit.OLEAUT32(00000000), ref: 002A1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 002A1625
Default, xrefs: 002A16AF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8d5bf9d88fc3a2bf87ea1678034ec0f1f862755747bcfb9dacddc77d406a0d01
Instruction ID: 23378b7dfaf1d536c1e87d1b12a3a32970804cc94462914454db89b4c7a18105
Opcode Fuzzy Hash: 8d5bf9d88fc3a2bf87ea1678034ec0f1f862755747bcfb9dacddc77d406a0d01
Instruction Fuzzy Hash: D5D11072E20505DBDB149FA4E898B79B7B5BF46720F60809AE446AB180DFB0DC70DF61

Function 002BB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 002BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002BB6AE,?,?), ref: 002BC9B5
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BC9F1
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA68
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002BB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002BB772
RegDeleteValueW.ADVAPI32(?,?), ref: 002BB80A
RegCloseKey.ADVAPI32(?), ref: 002BB87E
RegCloseKey.ADVAPI32(?), ref: 002BB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 002BB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002BB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 002BB922
FreeLibrary.KERNEL32(00000000), ref: 002BB983
RegCloseKey.ADVAPI32(00000000), ref: 002BB994

Strings

advapi32.dll, xrefs: 002BB8ED
RegDeleteKeyExW, xrefs: 002BB8FE

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: e871f042f62610b816a5967516efc2575280191dffe073b83644d89cf997b9b2
Instruction ID: fe5a846943d7e4c7682397ed722efff803f40e9ef3eda1decf124dbbd208e3af
Opcode Fuzzy Hash: e871f042f62610b816a5967516efc2575280191dffe073b83644d89cf997b9b2
Instruction Fuzzy Hash: B3C1BD71228202AFC711DF14C494F6ABBE5FF84348F24849CE49A4B2A2CBB1EC55CF81

Function 002B255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002B25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 002B25E8
CreateCompatibleDC.GDI32(?), ref: 002B25F4
SelectObject.GDI32(00000000,?), ref: 002B2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 002B266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 002B26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 002B26D0
SelectObject.GDI32(?,?), ref: 002B26D8
DeleteObject.GDI32(?), ref: 002B26E1
DeleteDC.GDI32(?), ref: 002B26E8
ReleaseDC.USER32(00000000,?), ref: 002B26F3

Strings

(, xrefs: 002B268D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ff76e1c6b49ca9cbca7c45ae7e79146ecfd52077c82a680c58d8720b02b7233c
Instruction ID: 206308fa495ce0ec1441a10ee46cc9a8194a04158cc0d2246a0a3d4dafaaf7e3
Opcode Fuzzy Hash: ff76e1c6b49ca9cbca7c45ae7e79146ecfd52077c82a680c58d8720b02b7233c
Instruction Fuzzy Hash: D761E275D10219EFCF04CFA8D988EAEBBB9FF48310F248529E959A7250D770A951CF50

Function 0026DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0026DAA1

Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D659
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D66B
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D67D
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D68F
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6A1
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6B3
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6C5
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6D7
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6E9
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D6FB
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D70D
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D71F
Part of subcall function 0026D63C: _free.LIBCMT ref: 0026D731

_free.LIBCMT ref: 0026DA96

Part of subcall function 002629C8: HeapFree.KERNEL32(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 0026DAB8
_free.LIBCMT ref: 0026DACD
_free.LIBCMT ref: 0026DAD8
_free.LIBCMT ref: 0026DAFA
_free.LIBCMT ref: 0026DB0D
_free.LIBCMT ref: 0026DB1B
_free.LIBCMT ref: 0026DB26
_free.LIBCMT ref: 0026DB5E
_free.LIBCMT ref: 0026DB65
_free.LIBCMT ref: 0026DB82
_free.LIBCMT ref: 0026DB9A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 41583325887bec42fed12d8aa03b611cbb8a787058883841d098989541164af7
Instruction ID: dab9ddcbb0365426e1c6e7a62019a9d1cd057e3678aa84a7761081893544d06f
Opcode Fuzzy Hash: 41583325887bec42fed12d8aa03b611cbb8a787058883841d098989541164af7
Instruction Fuzzy Hash: 54317C31B2460ADFEB25AE78E841B5AB7E9FF40350F255429E049D7191DE30ACE48B20

Function 0029365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0029369C
_wcslen.LIBCMT ref: 002936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00293797
GetClassNameW.USER32(?,?,00000400), ref: 0029380C
GetDlgCtrlID.USER32(?), ref: 0029385D
GetWindowRect.USER32(?,?), ref: 00293882
GetParent.USER32(?), ref: 002938A0
ScreenToClient.USER32(00000000), ref: 002938A7
GetClassNameW.USER32(?,?,00000100), ref: 00293921
GetWindowTextW.USER32(?,?,00000400), ref: 0029395D

Strings

%s%u, xrefs: 00293734

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3cbb9a2de396990a363e4d0271350b7b8a61af5f9c321ca4ae82f8619c46d5f0
Instruction ID: 49c9264937d9770ad43ad72cb29f1e92fd85a316837b45a3fa2ff911dc52189b
Opcode Fuzzy Hash: 3cbb9a2de396990a363e4d0271350b7b8a61af5f9c321ca4ae82f8619c46d5f0
Instruction Fuzzy Hash: BC91D271224607AFEB19DF64C885FEAF7A8FF44350F108529F999C2190DB30EA65CB91

Function 00294954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00294994
GetWindowTextW.USER32(?,?,00000400), ref: 002949DA
_wcslen.LIBCMT ref: 002949EB
CharUpperBuffW.USER32(?,00000000), ref: 002949F7
_wcsstr.LIBVCRUNTIME ref: 00294A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00294A64
GetWindowTextW.USER32(?,?,00000400), ref: 00294A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00294AE6
GetClassNameW.USER32(?,?,00000400), ref: 00294B20
GetWindowRect.USER32(?,?), ref: 00294B8B

Strings

ThumbnailClass, xrefs: 00294A6F, 00294AF1

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 36470950aaca73089e6ddb601e80bbd2596e598def3cbfe7d93937d87bbf6012
Instruction ID: 2ed35d11f3b760b255da59b96e3746eccff5a1b3b9997d9580df20836ff4843f
Opcode Fuzzy Hash: 36470950aaca73089e6ddb601e80bbd2596e598def3cbfe7d93937d87bbf6012
Instruction Fuzzy Hash: 4D91F1310282069FDF04EF14C994FAA77E8FF84318F04446AFD859A195DB30ED66CBA1

Function 002C8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002C8D5A
GetFocus.USER32 ref: 002C8D6A
GetDlgCtrlID.USER32(00000000), ref: 002C8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 002C8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002C8ECF
GetMenuItemCount.USER32(?), ref: 002C8EEC
GetMenuItemID.USER32(?,00000000), ref: 002C8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002C8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002C8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002C8FA1

Strings

0, xrefs: 002C8E9F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 95b83337424c4b63210b3d4ee8ad56122ec046fda5a02e585fcaf692cd3b7525
Instruction ID: 0eb2d55f034b5ab2616ceb7a176b02287f7662b74581cc240ba5f7d107929101
Opcode Fuzzy Hash: 95b83337424c4b63210b3d4ee8ad56122ec046fda5a02e585fcaf692cd3b7525
Instruction Fuzzy Hash: B081BF715283029FD710CF24D884FABBBE9FB89354F144A1DF98597291DB70D921CBA2

Function 0029DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0029DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0029DC46
_wcslen.LIBCMT ref: 0029DC50
_wcsstr.LIBVCRUNTIME ref: 0029DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0029DCBC

Strings

StringFileInfo\, xrefs: 0029DC8F
\VarFileInfo\Translation, xrefs: 0029DCB4
04090000, xrefs: 0029DCF2
DefaultLangCodepage, xrefs: 0029DD1F
%u.%u.%u.%u, xrefs: 0029DD9A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 4b6b5a49e2e8d7a8fc9fabf7ebcce078cde037a8f9321b43c3ebeeda56fd8f71
Instruction ID: 944eb6012f638d0e39f90690a4f43157c2c5b0eac61254a5f9cf8e755476814e
Opcode Fuzzy Hash: 4b6b5a49e2e8d7a8fc9fabf7ebcce078cde037a8f9321b43c3ebeeda56fd8f71
Instruction Fuzzy Hash: 1B412432A602057ADB18BB749C07EBF776CEF46751F100069FD04E6182EB7499359BB8

Function 002BCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 002BCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 002BCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 002BCD48

Part of subcall function 002BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 002BCCAA
Part of subcall function 002BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 002BCCBD
Part of subcall function 002BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002BCCCF
Part of subcall function 002BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 002BCD05
Part of subcall function 002BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 002BCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 002BCCF3

Strings

advapi32.dll, xrefs: 002BCCB8
RegDeleteKeyExW, xrefs: 002BCCC9

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 71f7f64bb07977067d97ff5fc6be702548a0a261615be34f7a85b8b651d6a237
Instruction ID: a8cb1ad5bf82d032b5f3b1a767a52ed36a78a0087586069f57c24c374a4f869f
Opcode Fuzzy Hash: 71f7f64bb07977067d97ff5fc6be702548a0a261615be34f7a85b8b651d6a237
Instruction Fuzzy Hash: A3318E7591112ABBDB208F51DC8CEFFBB7CEF55790F240165E909E2240DA709A45EAA0

Function 002A3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002A3D40
_wcslen.LIBCMT ref: 002A3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 002A3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002A3DBE
RemoveDirectoryW.KERNEL32(?), ref: 002A3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002A3E55
CloseHandle.KERNEL32(00000000), ref: 002A3E60
CloseHandle.KERNEL32(00000000), ref: 002A3E6B

Strings

\??\%s, xrefs: 002A3D5B
\, xrefs: 002A3D77
:, xrefs: 002A3D82

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: e9cfc887a3e37ed97a5667330c67c902b92be19359acbd9f4203ec7227d3dd43
Instruction ID: 3b2e63c27e27bce3a338e9627d965ab61aca6fc29d96d2763bf159d4309f296b
Opcode Fuzzy Hash: e9cfc887a3e37ed97a5667330c67c902b92be19359acbd9f4203ec7227d3dd43
Instruction Fuzzy Hash: 5731A17291020AABDB21DFA0DC49FEB37BCEF8A740F2040B5F909D6060EB7497548B24

Function 0029E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0029E6B4

Part of subcall function 0024E551: timeGetTime.WINMM(?,?,0029E6D4), ref: 0024E555

Sleep.KERNEL32(0000000A), ref: 0029E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0029E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0029E727
SetActiveWindow.USER32 ref: 0029E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0029E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0029E773
Sleep.KERNEL32(000000FA), ref: 0029E77E
IsWindow.USER32 ref: 0029E78A
EndDialog.USER32(00000000), ref: 0029E79B

Strings

BUTTON, xrefs: 0029E719

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2b5c7fd6e1c4b0b2b754edd2f05d8bc803327e9b70c2c709569ad9908538cf27
Instruction ID: cf1c0d15b82828f17e53763b336a235f29ee2b1fa30887fa532ce0a76aec1a32
Opcode Fuzzy Hash: 2b5c7fd6e1c4b0b2b754edd2f05d8bc803327e9b70c2c709569ad9908538cf27
Instruction Fuzzy Hash: CE21C3B0210209AFEF029F64FC9DE267B6DF754748F250426F509811A1DBB2AC60CB25

Function 0029E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0029EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0029EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0029EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0029EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0029EAA7

Strings

open , xrefs: 0029EA0C
alias PlayMe, xrefs: 0029EA36
status PlayMe mode, xrefs: 0029EA58
play PlayMe wait, xrefs: 0029EA91
close PlayMe, xrefs: 0029EA6E, 0029EA9B
play PlayMe, xrefs: 0029EAA2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6018a0178a705808ea5eedba2481fee222f801eeaa313b58cfc070ed9038de72
Instruction ID: 762b86a8a7ca73cd796b8cf45cb870903da3aea45c5bad504687961fd3b94384
Opcode Fuzzy Hash: 6018a0178a705808ea5eedba2481fee222f801eeaa313b58cfc070ed9038de72
Instruction Fuzzy Hash: 7C112471AB025D79DB10E761DD4EDFFAA7CEBD2B40F400439B511A20D1DAB05965CAB0

Function 00295CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00295CE2
GetWindowRect.USER32(00000000,?), ref: 00295CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00295D59
GetDlgItem.USER32(?,00000002), ref: 00295D69
GetWindowRect.USER32(00000000,?), ref: 00295D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00295DCF
GetDlgItem.USER32(?,000003E9), ref: 00295DDD
GetWindowRect.USER32(00000000,?), ref: 00295DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00295E31
GetDlgItem.USER32(?,000003EA), ref: 00295E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00295E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00295E67

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 8aa2330f4d49b8aaae09402b73e56fae50dd96561e33f8012e3fcdaece6e874f
Instruction ID: 13a91df3dcda9accfc95273bc6ca1af5ff59cbdfa07b99d6587e3006eb1e7207
Opcode Fuzzy Hash: 8aa2330f4d49b8aaae09402b73e56fae50dd96561e33f8012e3fcdaece6e874f
Instruction Fuzzy Hash: 505120B0B10615AFDF18CF68DD89EAEBBB9FB48310F208129F519E6294D7709D14CB60

Function 00248BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00248F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00248BE8,?,00000000,?,?,?,?,00248BBA,00000000,?), ref: 00248FC5

DestroyWindow.USER32(?), ref: 00248C81
KillTimer.USER32(00000000,?,?,?,?,00248BBA,00000000,?), ref: 00248D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00286973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00248BBA,00000000,?), ref: 002869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00248BBA,00000000,?), ref: 002869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00248BBA,00000000), ref: 002869D4
DeleteObject.GDI32(00000000), ref: 002869E6

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: b4ffa63846e246eeb52a2eb5ac1b4cf926438a3efeb1b3a4e650555cc12a5331
Instruction ID: bda0e6f8b1d3c02fb34f7512c1b31046bb92f84467b6f1f5fe7e99781a86b235
Opcode Fuzzy Hash: b4ffa63846e246eeb52a2eb5ac1b4cf926438a3efeb1b3a4e650555cc12a5331
Instruction Fuzzy Hash: B6618D35533611DFCB2E9F28D99CB29B7F5FB40312F24451AE0469A9A0CB71A9A0CF90

Function 00249838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00249944: GetWindowLongW.USER32(?,000000EB), ref: 00249952

GetSysColor.USER32(0000000F), ref: 00249862

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8624e776031a215155f04ba8a371ad05a7d0eb5ac194c5b2286a5c3df38fd974
Instruction ID: 95f8b0825ff36672c21a28deb91208ed6bb394b774dffc83c010a2f6be757d53
Opcode Fuzzy Hash: 8624e776031a215155f04ba8a371ad05a7d0eb5ac194c5b2286a5c3df38fd974
Instruction Fuzzy Hash: ED41E6311156009FDB249F3CAC88FBA3B65EB06331F284615FAA6872E1C771DC92DB10

Function 00268D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.%, xrefs: 0026903A, 00268FD0, 00268FF2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: .%
API String ID: 0-3802303113
Opcode ID: b76b657163f57dc0de6e0beb7665e97d85d4f14b46e24035d8769e2b3b861348
Instruction ID: 188793a9ba884684082f08c2c9974da1129bd98be60815a265eb737c415ccb58
Opcode Fuzzy Hash: b76b657163f57dc0de6e0beb7665e97d85d4f14b46e24035d8769e2b3b861348
Instruction Fuzzy Hash: 52C1F37492428AEFCF11DFA8D841BADBBB8AF09310F144199F815A7392CB7189D1CF61

Function 002996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0027F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00299717
LoadStringW.USER32(00000000,?,0027F7F8,00000001), ref: 00299720

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0027F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00299742
LoadStringW.USER32(00000000,?,0027F7F8,00000001), ref: 00299745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00299866

Strings

Line %d (File "%s"):, xrefs: 0029978F
Error: , xrefs: 0029981D
Line %d:, xrefs: 002997A0
^ ERROR, xrefs: 002997FB
%s (%d) : ==> %s: %s %s, xrefs: 0029984A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 5cd53a599e33a6c87605a16a3b2455e135909c33e3059dc84d7c3049729d0d9d
Instruction ID: 04023245e0164d2fb6484855113e1441fdae38d0e440fd1b32df788f605eadb8
Opcode Fuzzy Hash: 5cd53a599e33a6c87605a16a3b2455e135909c33e3059dc84d7c3049729d0d9d
Instruction Fuzzy Hash: F9414EB2814209AACF14FBE4DE46DEEB378EF55350F104069F60572092EA756FA8CF61

Function 002906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00290804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0029082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00290837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0029083C

Strings

\CLSID, xrefs: 00290724
\IPC$, xrefs: 00290784
SOFTWARE\Classes\, xrefs: 0029070E

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 2d711d20f65f1cd299b71aaaf39b00fe844c5e8bf6e0d59c27ebc7d0be1bbea8
Instruction ID: d80695c818716e012758d06ff0255ef2cc181c168417f2acbf7439a1f164c2ad
Opcode Fuzzy Hash: 2d711d20f65f1cd299b71aaaf39b00fe844c5e8bf6e0d59c27ebc7d0be1bbea8
Instruction Fuzzy Hash: DF4104B282022DABDF15EFA4DC89DEDB778BF44350F144169E905A3160EB709E64CFA0

Function 002B3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002B3C5C
CoInitialize.OLE32(00000000), ref: 002B3C8A
CoUninitialize.OLE32 ref: 002B3C94
_wcslen.LIBCMT ref: 002B3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 002B3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 002B3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 002B3F0E
CoGetObject.OLE32(?,00000000,002CFB98,?), ref: 002B3F2D
SetErrorMode.KERNEL32(00000000), ref: 002B3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002B3FC4
VariantClear.OLEAUT32(?), ref: 002B3FD8

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 0b9edab59e19c12ad880d8c4ae92d4ebd635c783b54527e770ff70b053d6b7c6
Instruction ID: 6b1bd636062ab12ed4b16ca6a5af37394d8aa234e80dfa5b26b5f850d286354d
Opcode Fuzzy Hash: 0b9edab59e19c12ad880d8c4ae92d4ebd635c783b54527e770ff70b053d6b7c6
Instruction Fuzzy Hash: 19C167B16183069FD700DF68C88496BBBE9FF89784F14491DF98A9B210DB70EE15CB52

Function 002A7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002A7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002A7B8F
SHGetDesktopFolder.SHELL32(?), ref: 002A7BA3
CoCreateInstance.OLE32(002CFD08,00000000,00000001,002F6E6C,?), ref: 002A7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002A7C74
CoTaskMemFree.OLE32(?,?), ref: 002A7CCC
SHBrowseForFolderW.SHELL32(?), ref: 002A7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002A7D7A
CoTaskMemFree.OLE32(00000000), ref: 002A7D81
CoTaskMemFree.OLE32(00000000), ref: 002A7DD6
CoUninitialize.OLE32 ref: 002A7DDC

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 59d1d4a3bbdc967cc607147cc696a7740f89a73c9f4d6c508641ff1cd5ae7c06
Instruction ID: 7e48663210b79ca401d462cf128544e66d492e5a42a7e6e8af927d5ca51bf6a1
Opcode Fuzzy Hash: 59d1d4a3bbdc967cc607147cc696a7740f89a73c9f4d6c508641ff1cd5ae7c06
Instruction Fuzzy Hash: 76C13C75A14109AFCB14DF64C888DAEBBF9FF49314F148499E81A9B261DB30ED51CF90

Function 002C541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002C5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002C5515
CharNextW.USER32(00000158), ref: 002C5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002C5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002C559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002C55AC

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2dffc8e98ba35444ef6080ddc76aa6ac7cec30ac9c96e91554e725602e819f7b
Instruction ID: 46aea10b2e91817c430a6d4be660435bb4e744da0bed308ddee1db83c7cbc3d6
Opcode Fuzzy Hash: 2dffc8e98ba35444ef6080ddc76aa6ac7cec30ac9c96e91554e725602e819f7b
Instruction Fuzzy Hash: FF618130920629ABDF248F54CC84EFE7BB9FF05760F204249F525A6291D774EAE0DB60

Function 0028FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0028FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0028FB08
VariantInit.OLEAUT32(?), ref: 0028FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0028FB3A
VariantCopy.OLEAUT32(?,?), ref: 0028FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0028FBA1
VariantClear.OLEAUT32(?), ref: 0028FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0028FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0028FBCC
VariantClear.OLEAUT32(?), ref: 0028FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0028FBE9

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 960d825988bad2dc00102d6fb8c143437d353eedaef4e0af979fe6bc8a577117
Instruction ID: 5e7a261fe3dcd96203f2ec2d5a97b7c99ee455789496f744e5341ef5d07f2ea4
Opcode Fuzzy Hash: 960d825988bad2dc00102d6fb8c143437d353eedaef4e0af979fe6bc8a577117
Instruction Fuzzy Hash: B0419135A10219DFDF14EF64D858DAEBBB9FF08354F10C029E80AA7261DB30A955CF90

Function 00299C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00299CA1
GetAsyncKeyState.USER32(000000A0), ref: 00299D22
GetKeyState.USER32(000000A0), ref: 00299D3D
GetAsyncKeyState.USER32(000000A1), ref: 00299D57
GetKeyState.USER32(000000A1), ref: 00299D6C
GetAsyncKeyState.USER32(00000011), ref: 00299D84
GetKeyState.USER32(00000011), ref: 00299D96
GetAsyncKeyState.USER32(00000012), ref: 00299DAE
GetKeyState.USER32(00000012), ref: 00299DC0
GetAsyncKeyState.USER32(0000005B), ref: 00299DD8
GetKeyState.USER32(0000005B), ref: 00299DEA

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 29364d49b6ff1e0dbc47d93db6b2812e779e7fedd0079474d74589c139a608f1
Instruction ID: e77a3ddab0eaca22ff26891d3eb807281f99c831ad10e845926bf6b65df31706
Opcode Fuzzy Hash: 29364d49b6ff1e0dbc47d93db6b2812e779e7fedd0079474d74589c139a608f1
Instruction Fuzzy Hash: EF410B305147CB6DFF309F6888443B5BEA0AF16364F44805FCAC6565C2EBA59DE4C7A2

Function 002B055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002B05BC
inet_addr.WSOCK32(?), ref: 002B061C
gethostbyname.WSOCK32(?), ref: 002B0628
IcmpCreateFile.IPHLPAPI ref: 002B0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002B06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002B06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 002B07B9
WSACleanup.WSOCK32 ref: 002B07BF

Strings

Ping, xrefs: 002B0676

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e6964df343463dfcbe5ef94759a38c24a7a8f226027f2ebfc4031a11a61bd267
Instruction ID: 304da37bf0bcf161ec73125817166385ef1a1e09e8aa3f326f7086729863c77c
Opcode Fuzzy Hash: e6964df343463dfcbe5ef94759a38c24a7a8f226027f2ebfc4031a11a61bd267
Instruction Fuzzy Hash: FD918C756242029FD321CF15D4C8F5AFBE4EF84358F1485A9E46A8BAA2CB70EC55CF81

Function 002B8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 002B8CF3

Part of subcall function 00298E54: _wcslen.LIBCMT ref: 00298E77

_wcslen.LIBCMT ref: 002B8D4E
_wcslen.LIBCMT ref: 002B8D9C
_wcslen.LIBCMT ref: 002B8DDC
_wcslen.LIBCMT ref: 002B8E6E

Strings

none, xrefs: 002B8E65, 002B8E6A
winapi, xrefs: 002B8D96, 002B8D9B
stdcall, xrefs: 002B8DD6, 002B8DDB
cdecl, xrefs: 002B8D48, 002B8D4D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 14e28130e2894d99d21b1b2efe2202a4afa50c0431c41102091e05c54aee500a
Instruction ID: 728eba105fed8ec3b2db658852e61bf874395b096c0bb9067a17dc6011e4d3be
Opcode Fuzzy Hash: 14e28130e2894d99d21b1b2efe2202a4afa50c0431c41102091e05c54aee500a
Instruction Fuzzy Hash: 2951C471A241179BCF14DF68C8408FEB3A9BF653A4B204229F969E72C4DB30DD60CB90

Function 002B372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 002B3774
CoUninitialize.OLE32 ref: 002B377F
CoCreateInstance.OLE32(?,00000000,00000017,002CFB78,?), ref: 002B37D9
IIDFromString.OLE32(?,?), ref: 002B384C
VariantInit.OLEAUT32(?), ref: 002B38E4
VariantClear.OLEAUT32(?), ref: 002B3936

Strings

NULL Pointer assignment, xrefs: 002B381E
Invalid parameter, xrefs: 002B3865
Failed to create object, xrefs: 002B37E4, 002B389A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 969aa5cd941908e3e493335cb3c49fa10c90a46f800df15864f4912f7493f04d
Instruction ID: 0e4672e0dc122f3f7a063910b89adac5f7c8cb2692796c4d43640fd55eb15034
Opcode Fuzzy Hash: 969aa5cd941908e3e493335cb3c49fa10c90a46f800df15864f4912f7493f04d
Instruction Fuzzy Hash: 7E61D5B1628301AFD710DF54C888FAAB7E8EF45790F10491DF9859B291DB70EE58CB92

Function 002C8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

Part of subcall function 0024912D: GetCursorPos.USER32(?), ref: 00249141
Part of subcall function 0024912D: ScreenToClient.USER32(00000000,?), ref: 0024915E
Part of subcall function 0024912D: GetAsyncKeyState.USER32(00000001), ref: 00249183
Part of subcall function 0024912D: GetAsyncKeyState.USER32(00000002), ref: 0024919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 002C8B6B
ImageList_EndDrag.COMCTL32 ref: 002C8B71
ReleaseCapture.USER32 ref: 002C8B77
SetWindowTextW.USER32(?,00000000), ref: 002C8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002C8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 002C8CFF

Strings

@GUI_DRAGFILE, xrefs: 002C8C9A
@GUI_DROPID, xrefs: 002C8C51
p#0, xrefs: 002C8C71

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#0
API String ID: 1924731296-1516117121
Opcode ID: d086f3e6544bb25648a76c71f417037674e1e94cb6b1f3065a8737a9a98376dd
Instruction ID: 35c1c337aa3a178633865662a96460476d21b9681a0b467bbe8f213f6865475a
Opcode Fuzzy Hash: d086f3e6544bb25648a76c71f417037674e1e94cb6b1f3065a8737a9a98376dd
Instruction Fuzzy Hash: 71519C71115200AFD704DF14DCA9FAA77E4FB88710F10062EF956672E1CB709A64CFA2

Function 002A3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 002A33CF

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 002A33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 002A3522
Line %d (File "%s"):, xrefs: 002A3443, 002A345C
Error: , xrefs: 002A34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 002A3504
^ ERROR , xrefs: 002A349E
Incorrect parameters to object property !, xrefs: 002A34AB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 0dae93cd81bcdd0b398f46e49a9d173b7d8d005bbf812d14708523baee8f3e4d
Instruction ID: 4a92f6aa6ee2f842d3deef7ebbd823f76e55186180144c2f3425b22fb020c270
Opcode Fuzzy Hash: 0dae93cd81bcdd0b398f46e49a9d173b7d8d005bbf812d14708523baee8f3e4d
Instruction Fuzzy Hash: 2F516EB1920209ABDF15EBA4CD56EEEB778EF09340F1041A5F50572051EB612FA8DF60

Function 0029B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0029B5FC
_wcslen.LIBCMT ref: 0029B608
_wcslen.LIBCMT ref: 0029B64D
_wcslen.LIBCMT ref: 0029B68C
_wcslen.LIBCMT ref: 0029B6C7

Strings

REMOVE, xrefs: 0029B602, 0029B607
APPEND, xrefs: 0029B6C1, 0029B6C6
KEYS, xrefs: 0029B647, 0029B64C
EXISTS, xrefs: 0029B686, 0029B68B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: f3e6a8a2174c68ca7f564c91782d4ce09c001a83afe257bff9a7e85ee2cf5ce7
Instruction ID: 7c509aa4a9c2968ea375d16d80b794fa48abb3940600be4b0f8a069ba54991ca
Opcode Fuzzy Hash: f3e6a8a2174c68ca7f564c91782d4ce09c001a83afe257bff9a7e85ee2cf5ce7
Instruction Fuzzy Hash: 7941E833A200279ACF116F7D9A905BEB7A9EFA0754B244239E421D7284E731EDA1C790

Function 002A5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002A53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002A5416
GetLastError.KERNEL32 ref: 002A5420
SetErrorMode.KERNEL32(00000000,READY), ref: 002A54A7

Strings

INVALID, xrefs: 002A5459
NOTREADY, xrefs: 002A544B
UNKNOWN, xrefs: 002A5444
READY, xrefs: 002A5460, 002A5468
READONLY, xrefs: 002A5452

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 66b027832701b0c4f0a7cccb77aec150e4fdffff516de175984cf0c414ea4da7
Instruction ID: 9fe1620e405ecd905d47f80e5305dd85d3b3bd592f615dd8ffb63d8aced23c2f
Opcode Fuzzy Hash: 66b027832701b0c4f0a7cccb77aec150e4fdffff516de175984cf0c414ea4da7
Instruction Fuzzy Hash: 8E31E575A206159FC710DF68C488EAABBF4FF4A305F188065E505CB252DB70DD92CB90

Function 002C3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 002C3C79
SetMenu.USER32(?,00000000), ref: 002C3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002C3D10
IsMenu.USER32(?), ref: 002C3D24
CreatePopupMenu.USER32 ref: 002C3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002C3D5B
DrawMenuBar.USER32 ref: 002C3D63

Strings

F, xrefs: 002C3D4E
0, xrefs: 002C3C54

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 7ad6c5e46897cde4c52deec787e5424f5280cc6fcaa44bbf4d6116b83d0155e6
Instruction ID: e0b1772935b7eaa210ce438f0c80e13e7dd64af08e0c334c0708e367c7b324ed
Opcode Fuzzy Hash: 7ad6c5e46897cde4c52deec787e5424f5280cc6fcaa44bbf4d6116b83d0155e6
Instruction Fuzzy Hash: 1E418A74A1120AAFDB14CF64E858FAABBB5FF49350F14452DF946A7360D730AA20CF90

Function 002C3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002C3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002C3AA0
GetWindowLongW.USER32(?,000000F0), ref: 002C3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002C3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002C3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 002C3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 002C3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 002C3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 002C3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 002C3C13

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: f9cc2795a36bd9e83ebd542301aab989cf45cad9ad9892f938efa4bfc7c02548
Instruction ID: 141b4b9aec285819adfca331ea04f36f74f3d6fccdd04298c04e92053b81d473
Opcode Fuzzy Hash: f9cc2795a36bd9e83ebd542301aab989cf45cad9ad9892f938efa4bfc7c02548
Instruction Fuzzy Hash: 6F617775A00208AFDB11DFA8CC81FEEB7B8EB09704F10459AFA15A72A1C770AE55DF50

Function 0029B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0029B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B165
GetWindowThreadProcessId.USER32(00000000), ref: 0029B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0029B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0029A1E1,?,00000001), ref: 0029B21D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 7ae92d77a44d124a860ee000887392c9e26570fe8ab77271baf7c64168550a91
Instruction ID: c94a86faf485d56eab5596ea18523fb547ee63f219643ffe5fb877a79e6cd5b9
Opcode Fuzzy Hash: 7ae92d77a44d124a860ee000887392c9e26570fe8ab77271baf7c64168550a91
Instruction Fuzzy Hash: 39319C75922205BFDF129F24FE58FAD7BADFB51311F20401AFA0AD6190D7B4AA418F60

Function 00262C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00262C94

Part of subcall function 002629C8: HeapFree.KERNEL32(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 00262CA0
_free.LIBCMT ref: 00262CAB
_free.LIBCMT ref: 00262CB6
_free.LIBCMT ref: 00262CC1
_free.LIBCMT ref: 00262CCC
_free.LIBCMT ref: 00262CD7
_free.LIBCMT ref: 00262CE2
_free.LIBCMT ref: 00262CED
_free.LIBCMT ref: 00262CFB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 492d2beea0b9e46bd9e4bfc14eed7e82c115c157e0e5ee84475b68e15ce09eef
Instruction ID: e87ef3d52280ab1fd7ac907152833730b3027f1cca732c35e8730af742c8a05d
Opcode Fuzzy Hash: 492d2beea0b9e46bd9e4bfc14eed7e82c115c157e0e5ee84475b68e15ce09eef
Instruction Fuzzy Hash: EF11F636221408EFCB06EF54D842CDC3BA5FF45380F5150A1F9485B222D631EEA49F90

Function 00231410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00231459
OleUninitialize.OLE32(?,00000000), ref: 002314F8
UnregisterHotKey.USER32(?), ref: 002316DD
DestroyWindow.USER32(?), ref: 002724B9
FreeLibrary.KERNEL32(?), ref: 0027251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0027254B

Strings

close all, xrefs: 00231454

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 40cf68ae97d8884dee2a48907e212d6d382878672fd432bcb8dd0a9ff17186f0
Instruction ID: d8d514b3c6e28720c1ce5e25ff3b7c8358d928d733538e516daaa77058894cf5
Opcode Fuzzy Hash: 40cf68ae97d8884dee2a48907e212d6d382878672fd432bcb8dd0a9ff17186f0
Instruction Fuzzy Hash: 55D16A71721212CFCB29EF14C999B29F7A4BF45700F6482ADE94A6B251CB30AD36CF51

Function 002A7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002A7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 002A7FC1
GetFileAttributesW.KERNEL32(?), ref: 002A7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 002A8005
SetCurrentDirectoryW.KERNEL32(?), ref: 002A8017
SetCurrentDirectoryW.KERNEL32(?), ref: 002A8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002A80B0

Strings

*.*, xrefs: 002A8066

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: a0788f93bbfab0190cc612fe5e05e104472a16e3069d22c8127af0c7581ba4d4
Instruction ID: fc3ffd17d90298997c498721f2ee9e3ccb1863662a79b70aa8487316cfc08db8
Opcode Fuzzy Hash: a0788f93bbfab0190cc612fe5e05e104472a16e3069d22c8127af0c7581ba4d4
Instruction Fuzzy Hash: 6781C1725283429BCB20EF14C9449AAB3E8BF8A310F144C6EF885D7250EF75DD698F56

Function 00235BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00235C7A

Part of subcall function 00235D0A: GetClientRect.USER32(?,?), ref: 00235D30
Part of subcall function 00235D0A: GetWindowRect.USER32(?,?), ref: 00235D71
Part of subcall function 00235D0A: ScreenToClient.USER32(?,?), ref: 00235D99

GetDC.USER32 ref: 002746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00274708
SelectObject.GDI32(00000000,00000000), ref: 00274716
SelectObject.GDI32(00000000,00000000), ref: 0027472B
ReleaseDC.USER32(?,00000000), ref: 00274733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002747C4

Strings

U, xrefs: 00274693

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 72471e4ea8a9319a851577fceb0bcfadccb74873eeadb1bef8d301940cd757c1
Instruction ID: b6f78b9e81cd67b889ade8e4b97460f67b50ddea619d35c9e73155e847e86c33
Opcode Fuzzy Hash: 72471e4ea8a9319a851577fceb0bcfadccb74873eeadb1bef8d301940cd757c1
Instruction Fuzzy Hash: 9571F430520206DFCF26AF64C984EBA7BB5FF4A314F24826AED595A166C331DC61DF50

Function 002A359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002A35E4

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

LoadStringW.USER32(00302390,?,00000FFF,?), ref: 002A360A

Strings

"%s" (%d) : ==> %s:, xrefs: 002A3742
Line %d (File "%s"):, xrefs: 002A366B
Error: , xrefs: 002A36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 002A3724
^ ERROR, xrefs: 002A36C9

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 00a1573e9e75fe240ae41da9662792203354b71e6ac45f39130a9c4f6d9bc94f
Instruction ID: 5d8067a533d720f245f470695e7b925063088eb16057fed36ebb967ad5f7e263
Opcode Fuzzy Hash: 00a1573e9e75fe240ae41da9662792203354b71e6ac45f39130a9c4f6d9bc94f
Instruction Fuzzy Hash: CF515DB182020ABBDF15EBA0CC56EEDBB78EF05350F144165F105721A1EB711BA9DFA0

Function 002AC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002AC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002AC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002AC2CA
GetLastError.KERNEL32 ref: 002AC322
SetEvent.KERNEL32(?), ref: 002AC336
InternetCloseHandle.WININET(00000000), ref: 002AC341

Strings

, xrefs: 002AC2BB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 782ef79f97a91e66e19d260ca6726f9e56a8f419dfd01c96f5e6c9f4790ba640
Instruction ID: 4d7b9562ce718afaeca91d8679462c0941e2fb717ae31f76bfbe513397e24649
Opcode Fuzzy Hash: 782ef79f97a91e66e19d260ca6726f9e56a8f419dfd01c96f5e6c9f4790ba640
Instruction Fuzzy Hash: 5F317FB1510204AFDB219F649C88EAB7BFCEB4A744F24855EF44AD2200DF30DD199B61

Function 0029989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00273AAF,?,?,Bad directive syntax error,002CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 002998BC
LoadStringW.USER32(00000000,?,00273AAF,?), ref: 002998C3

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00299987

Strings

Line %d (File "%s"):, xrefs: 0029992D
Line %d:, xrefs: 00299912
Error: , xrefs: 00299955
., xrefs: 0029996D
%s (%d) : ==> %s.: %s %s, xrefs: 002998F1

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 6201278cf78f19863a40b3a8a03f6cff0a9a843050c42f278cd2d612c55e03d1
Instruction ID: 3d7975e3d1a24cf5b9aa1fd2a1e141ddda829106a564b9b4a38411cb151c51cc
Opcode Fuzzy Hash: 6201278cf78f19863a40b3a8a03f6cff0a9a843050c42f278cd2d612c55e03d1
Instruction Fuzzy Hash: 1F218C7182021AABDF15AF90CC0AEEE7739FF19300F044469F519660A2EA7196B8DF50

Function 0029209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 002920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0029214D

Strings

largeicons, xrefs: 002920E1
SHELLDLL_DefView, xrefs: 002920CC
details, xrefs: 002920FB
smallicons, xrefs: 00292115
list, xrefs: 0029212F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 18b2c64ef0ff6042e3bc304428735c873b7feed3331a295ed032e1b0f9314689
Instruction ID: 7091c61ec06c5683c923416099c0cf10ed011abf6014802d6586437978b56589
Opcode Fuzzy Hash: 18b2c64ef0ff6042e3bc304428735c873b7feed3331a295ed032e1b0f9314689
Instruction Fuzzy Hash: F4113D765B8717F5FE012620EC1ADB6779CCF05359F300026FF0CA40D6EAB198795A18

Function 0026CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0026CEB7
_free.LIBCMT ref: 0026CF22
_free.LIBCMT ref: 0026CF48
_free.LIBCMT ref: 0026CF71
_free.LIBCMT ref: 0026CFA9
_free.LIBCMT ref: 0026CFDA
_free.LIBCMT ref: 0026D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0026D09C
_free.LIBCMT ref: 0026D0B5

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: d724d229a81d5b8e0f1f00000899b12e5d816fc05fa52b1d0ad4864505b82c9b
Instruction ID: 82ae6cd46c72d117a68589823f4b37452ef61452b8fccc80dbcbc488f0f1a688
Opcode Fuzzy Hash: d724d229a81d5b8e0f1f00000899b12e5d816fc05fa52b1d0ad4864505b82c9b
Instruction Fuzzy Hash: B4618B71A25302EFDB25BFB49C81B797BA9EF05310F24016FF884D7641D6329DA08BA0

Function 002C50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 002C5186
ShowWindow.USER32(?,00000000), ref: 002C51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 002C51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 002C51D1

Part of subcall function 002C6FBA: DeleteObject.GDI32(00000000), ref: 002C6FE6

GetWindowLongW.USER32(?,000000F0), ref: 002C520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002C521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002C524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 002C5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 002C5296

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: d27ea44c251a2bbcace00c4f6f60b4c6e934766f47818305bf8eb6fb834dae27
Instruction ID: 6916e7507518ba1272062e507605085aa4c7e00af819bf507d8758c3b86d428a
Opcode Fuzzy Hash: d27ea44c251a2bbcace00c4f6f60b4c6e934766f47818305bf8eb6fb834dae27
Instruction Fuzzy Hash: 5E51C530A70A29BEEF249F24CC49F9977A5EB04324F544219F919962E0C3B1F9E0DF41

Function 00248B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00286890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00248874,00000000,00000000,00000000,000000FF,00000000), ref: 00286901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0028691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00248874,00000000,00000000,00000000,000000FF,00000000), ref: 0028692D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d8acb5468211059463aff3dffdf9aac5f2f1a45726066f2a6feb8e376c965244
Instruction ID: 86c7fe0556fc7346db414b4487a1ba007afa58faafd11a061c3613ce8658b799
Opcode Fuzzy Hash: d8acb5468211059463aff3dffdf9aac5f2f1a45726066f2a6feb8e376c965244
Instruction Fuzzy Hash: 58518B74A20206EFDB24DF24CC59FAA7BB5EB44754F204518F916D72E0DB70E9A0DB50

Function 002AC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002AC182
GetLastError.KERNEL32 ref: 002AC195
SetEvent.KERNEL32(?), ref: 002AC1A9

Part of subcall function 002AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002AC272
Part of subcall function 002AC253: GetLastError.KERNEL32 ref: 002AC322
Part of subcall function 002AC253: SetEvent.KERNEL32(?), ref: 002AC336
Part of subcall function 002AC253: InternetCloseHandle.WININET(00000000), ref: 002AC341

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 4b66fb7d088871d48029e33f34a7c272aa0a54d789d27901f5e0d97c98f0683b
Instruction ID: 1fb2001b18be0da6e8d65b77babab10e6925e87049f877da743a3c4be1a4049d
Opcode Fuzzy Hash: 4b66fb7d088871d48029e33f34a7c272aa0a54d789d27901f5e0d97c98f0683b
Instruction Fuzzy Hash: 84319071210605AFDB219FA5ED48A66BBF8FF5A300B24441EF95A83610DB31E824DFA0

Function 002925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00293A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00293A57
Part of subcall function 00293A3D: GetCurrentThreadId.KERNEL32 ref: 00293A5E
Part of subcall function 00293A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002925B3), ref: 00293A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 002925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 002925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00292601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00292605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0029260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00292623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00292627

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5cda34749546870e24e725c67798c5d65998630cc804a8bac34a2ee995c5396d
Instruction ID: 1c0be4226f1eef560b273f9c09d2781d69910eccbc6e240324f57e20d50c6dcd
Opcode Fuzzy Hash: 5cda34749546870e24e725c67798c5d65998630cc804a8bac34a2ee995c5396d
Instruction Fuzzy Hash: 3A01D4307A0210BBFB106769AC8EF593F5DDB8EB12F210011F31CAE1D1C9E22454CAA9

Function 00291803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00291449,?,?,00000000), ref: 0029180C
HeapAlloc.KERNEL32(00000000,?,00291449,?,?,00000000), ref: 00291813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00291449,?,?,00000000), ref: 00291828
GetCurrentProcess.KERNEL32(?,00000000,?,00291449,?,?,00000000), ref: 00291830
DuplicateHandle.KERNEL32(00000000,?,00291449,?,?,00000000), ref: 00291833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00291449,?,?,00000000), ref: 00291843
GetCurrentProcess.KERNEL32(00291449,00000000,?,00291449,?,?,00000000), ref: 0029184B
DuplicateHandle.KERNEL32(00000000,?,00291449,?,?,00000000), ref: 0029184E
CreateThread.KERNEL32(00000000,00000000,00291874,00000000,00000000,00000000), ref: 00291868

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ba6e052c74dc07f09b875dab0a9aaf650cfc4953de953c7f9cf8d76946b158de
Instruction ID: c299e6863ca074db602ec9348e471efb4a1548460c9ff705be4b8c439ad62351
Opcode Fuzzy Hash: ba6e052c74dc07f09b875dab0a9aaf650cfc4953de953c7f9cf8d76946b158de
Instruction Fuzzy Hash: 6401BFB5240344BFE710AB66EC4DF5B3B6CEB89B11F144411FA09DB191C6B49810CB20

Function 00263E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00263F0B
__alldvrm.LIBCMT ref: 0026410C
__alldvrm.LIBCMT ref: 0026412E

Strings

}}%, xrefs: 00263E96, 00263EF1, 00263F0A, 00264090
}}%, xrefs: 002640CD
}}%, xrefs: 00263E8A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}%$}}%$}}%
API String ID: 1036877536-2031228006
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 2b897eaa799acaecf6bd5f1a850d19753eb3fd14d250ee9aed31197fa2ad7ffa
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 02A16B71E303969FEB25EF18C8917AEBBE4EF62350F1441ADE5859B281C2748DE1CB50

Function 002BA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0029D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0029D501
Part of subcall function 0029D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0029D50F
Part of subcall function 0029D4DC: CloseHandle.KERNEL32(00000000), ref: 0029D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 002BA16D
GetLastError.KERNEL32 ref: 002BA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002BA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 002BA268
GetLastError.KERNEL32(00000000), ref: 002BA273
CloseHandle.KERNEL32(00000000), ref: 002BA2C4

Strings

SeDebugPrivilege, xrefs: 002BA18F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 773ec09babdd11301b82591fc3e6e1915969e81f1fcf0d29b3c18aba0213c29c
Instruction ID: c9d6b043d47ee165c69f90807d4ef73431e9174aa383646b0776cfc0bfec162a
Opcode Fuzzy Hash: 773ec09babdd11301b82591fc3e6e1915969e81f1fcf0d29b3c18aba0213c29c
Instruction Fuzzy Hash: C861B170224242AFD720DF19C494F55BBE5AF44358F18849CE86A8BBA3C772EC55CF92

Function 002C3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002C3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 002C393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002C3954
_wcslen.LIBCMT ref: 002C3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 002C39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002C39F4

Strings

SysListView32, xrefs: 002C38F7

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d18bab2f453271c399443710efb20a1f6270cf5f5a0c6cdbb07faf2ac1739520
Instruction ID: 78435adfc20cab1eb77fe92b4cee539f81cf2d4b8820286369532b46aed7ae00
Opcode Fuzzy Hash: d18bab2f453271c399443710efb20a1f6270cf5f5a0c6cdbb07faf2ac1739520
Instruction Fuzzy Hash: 0841C671A10219ABDF21DF64CC49FEA77A9EF08350F10462AF958E7281D7719EA0CF90

Function 0029BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0029BCFD
IsMenu.USER32(00000000), ref: 0029BD1D
CreatePopupMenu.USER32 ref: 0029BD53
GetMenuItemCount.USER32(01864E50), ref: 0029BDA4
InsertMenuItemW.USER32(01864E50,?,00000001,00000030), ref: 0029BDCC

Strings

0, xrefs: 0029BCA8
2, xrefs: 0029BD37

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: b7a767439307f0ffcd44a639c0af16a2f0e471dc15c25654d943b0b637ecaea2
Instruction ID: a6a00f1b0e3bd8bb92dfb42631f81bf7e39e1a8b1d8095eb892f90c66ed0a5e7
Opcode Fuzzy Hash: b7a767439307f0ffcd44a639c0af16a2f0e471dc15c25654d943b0b637ecaea2
Instruction Fuzzy Hash: BD51B370A2020ADBDF12CFA8EA88BADBBF4BF45314F244169E405E7290D7709955CB71

Function 00252D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00252D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00252D53
_ValidateLocalCookies.LIBCMT ref: 00252DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00252E0C
_ValidateLocalCookies.LIBCMT ref: 00252E61

Strings

&H%, xrefs: 00252DFE, 00252E07, 00252E18
csm, xrefs: 00252DF6

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H%$csm
API String ID: 1170836740-3280660909
Opcode ID: cdbd37b157107621f4bc09daf5344a3c8b24aa6b172abfeb69ed1645a2e21e7f
Instruction ID: f3c7ebe9691212158fccee6e4c1418a4c06e3d3641f255d9233bdc49856e5984
Opcode Fuzzy Hash: cdbd37b157107621f4bc09daf5344a3c8b24aa6b172abfeb69ed1645a2e21e7f
Instruction Fuzzy Hash: B641E434A21209DBCF10DF68C885A9EBBB4BF46366F148055EC146B392D731AA2DCF94

Function 0029C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0029C913

Strings

warning, xrefs: 0029C8FC
stop, xrefs: 0029C8E4
blank, xrefs: 0029C895
question, xrefs: 0029C8CC
info, xrefs: 0029C8B4

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: becbe59396b0c9ee608da7ae75619db8b96973761f7af70ef3eca29b1a95f182
Instruction ID: 35c7e2ca53b8e8aed94f40b89d63375ee86653f6caa20a5d2cd3afa04a3982f2
Opcode Fuzzy Hash: becbe59396b0c9ee608da7ae75619db8b96973761f7af70ef3eca29b1a95f182
Instruction Fuzzy Hash: 6D11EB316B930BBABB056B54DC86DBAF79CDF15359B30003AF904A6282D7B09D605768

Function 0029DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0029DE42
gethostname.WSOCK32(?,00000100), ref: 0029DE5C
gethostbyname.WSOCK32(?), ref: 0029DE69
inet_ntoa.WSOCK32(?), ref: 0029DEAB
_strcat.LIBCMT ref: 0029DEB9
WSACleanup.WSOCK32 ref: 0029DEDE

Strings

0.0.0.0, xrefs: 0029DE87

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 6300ce48cb369b3b148c0f118d39a9a9a763f554e89dd7a9a3be7f08113143df
Instruction ID: 3c33d484282cd12f7a0f5e2208c87f5f2ab35702bd56fb02c06af36d24aed9bd
Opcode Fuzzy Hash: 6300ce48cb369b3b148c0f118d39a9a9a763f554e89dd7a9a3be7f08113143df
Instruction Fuzzy Hash: 4E115971920105AFCF20BF70EC4AEEFB7ACDF11361F100169F54996091EF718AA49E60

Function 0029ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0029ED2A
_wcslen.LIBCMT ref: 0029ED3B
_wcslen.LIBCMT ref: 0029ED79
_wcslen.LIBCMT ref: 0029EDAF
_wcslen.LIBCMT ref: 0029EDDF
_wcslen.LIBCMT ref: 0029EDEF
_wcslen.LIBCMT ref: 0029EE2B
_wcslen.LIBCMT ref: 0029EE5A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 3d8050530fd09ef92be0a8f0e9be5a68ebdf4ae361e7f4762fa526e2965a725c
Instruction ID: efd78ca29c9de3895969fe7b63561b435290d494b04279cbb5ff8d701687920c
Opcode Fuzzy Hash: 3d8050530fd09ef92be0a8f0e9be5a68ebdf4ae361e7f4762fa526e2965a725c
Instruction Fuzzy Hash: D0418265C2011865CF11FBB4888AADFB7ACAF45711F508466ED14E3122EB34D269C7A9

Function 0024F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0028682C,00000004,00000000,00000000), ref: 0024F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0028682C,00000004,00000000,00000000), ref: 0028F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0028682C,00000004,00000000,00000000), ref: 0028F454

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5c7a3c9a21dae0423ff1bcc820d4603ac28b9309225fb1dd64c98a9b737ea901
Instruction ID: 83059cb3cd2676f15a1f53e0278cc1c43acf9718eda5382f003fa351aa70b799
Opcode Fuzzy Hash: 5c7a3c9a21dae0423ff1bcc820d4603ac28b9309225fb1dd64c98a9b737ea901
Instruction Fuzzy Hash: 37414C342396C1BAD7FD9F289B88B2A7B95AFD6314F24443DE04B525A0C771A8A0CB11

Function 002C2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002C2D1B
GetDC.USER32(00000000), ref: 002C2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002C2D2E
ReleaseDC.USER32(00000000,00000000), ref: 002C2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002C2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002C2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 002C2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002C2DE1

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 16ba11acf5804e1407331a7541ae3f8d32ac55bcb2ad0f9b68d61781bfdf6d40
Instruction ID: 166d16d1ea3d2f248e1de6c28c56557eb24ef51f19bc2f4a61a69f87bbb8162b
Opcode Fuzzy Hash: 16ba11acf5804e1407331a7541ae3f8d32ac55bcb2ad0f9b68d61781bfdf6d40
Instruction Fuzzy Hash: BC31BA72211610BFEB248F10DC8AFEB3BADEF49711F184055FE0D9A291CA758C50CBA0

Function 00295622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00295637
_memcmp.LIBVCRUNTIME ref: 00295659
_memcmp.LIBVCRUNTIME ref: 00295671
_memcmp.LIBVCRUNTIME ref: 00295684
_memcmp.LIBVCRUNTIME ref: 0029569E
_memcmp.LIBVCRUNTIME ref: 002956B1
_memcmp.LIBVCRUNTIME ref: 002956C9
_memcmp.LIBVCRUNTIME ref: 002956E4

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 22d685998c91e21aa480402f94b2986f2fff7a88e36121b8f842a30c7d4ac011
Instruction ID: 63418df1ccc8904aa344fefde4bf8e4b47405c3a6c728a7b151f170e149e0b44
Opcode Fuzzy Hash: 22d685998c91e21aa480402f94b2986f2fff7a88e36121b8f842a30c7d4ac011
Instruction Fuzzy Hash: F6213B61770A2A77DA1A9E209E92FFB334DAF21385F440025FD049A585F770EE34C7A9

Function 002B4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 002B502E, 002B5383
Not an Object type, xrefs: 002B5007

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e64d41eae384f33b31efaa14cb0a6433c404de70dd09c7827985a222f27e4178
Instruction ID: d7e77e738a97f29ccc3e40fc357f2416dcad06366645b24afc36740058fad47a
Opcode Fuzzy Hash: e64d41eae384f33b31efaa14cb0a6433c404de70dd09c7827985a222f27e4178
Instruction Fuzzy Hash: 2DD1AF71A2061A9FDF14DFA8C880BEEB7B5BF48384F148469E915AF281E770DD51CB90

Function 00271522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00271651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002717FB,?,002717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 002716FB

Part of subcall function 00263820: RtlAllocateHeap.NTDLL(00000000,?,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6,?,00231129), ref: 00263852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00271777
__freea.LIBCMT ref: 002717A2
__freea.LIBCMT ref: 002717AE

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 8732f9b37489485c60f2464294a6f87240f97286e43ff0033fb5fdd7a51c7054
Instruction ID: 0dd1f88adf504c78938885ed34c91d41005f9e0c3e391ad4dbce214de85e70c0
Opcode Fuzzy Hash: 8732f9b37489485c60f2464294a6f87240f97286e43ff0033fb5fdd7a51c7054
Instruction Fuzzy Hash: 2391C571E202179ADB288E6CCC81AEEBBB5AF49710F588559E809E7180D735DD70CBA0

Function 002B4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002B4648
VariantInit.OLEAUT32(?), ref: 002B4749
VariantClear.OLEAUT32(?), ref: 002B4753
VariantClear.OLEAUT32(?), ref: 002B47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002B45D8, 002B4706, 002B47BE
Incorrect Object type in FOR..IN loop, xrefs: 002B472C

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: c27d4618c3543d22b7e619a41f5eb324c2d153b90fb250dca32feccad738fc16
Instruction ID: 8fe0986cc2f6c8ef2ece5ea6f413d812f1d989c19a8e273f3e306e159ad7c20e
Opcode Fuzzy Hash: c27d4618c3543d22b7e619a41f5eb324c2d153b90fb250dca32feccad738fc16
Instruction Fuzzy Hash: 2991C470A20219ABDF24DFA4C884FEEB7B8EF46754F108559F505AB282DB709951CFA0

Function 002A1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 002A125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 002A1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 002A12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002A12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002A135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002A13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 002A1430

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: dd36352c879d38a6e09640aa4198d37049dbd300004711d8518e530fd6cbec84
Instruction ID: 2134e85101c3d88a5b2933bbc2c4926e29a3292b61d448298d35ad78c81ade04
Opcode Fuzzy Hash: dd36352c879d38a6e09640aa4198d37049dbd300004711d8518e530fd6cbec84
Instruction Fuzzy Hash: 0191C2719202199FEB04DF98C885BBEB7B5FF46325F104029E941EB291DB74E961CF50

Function 0024948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: bcd590e490a6042d65a16849b19ea62746b55856d2bd3522a1c18b59e4424cc2
Instruction ID: 8d4526b26de569abcbbb4e176ea464efb42f5657381ea122e35617c21b231867
Opcode Fuzzy Hash: bcd590e490a6042d65a16849b19ea62746b55856d2bd3522a1c18b59e4424cc2
Instruction Fuzzy Hash: 6C911671D1021AAFCB14CFA9CC88AEEBBB8FF49320F244559E515B7291D374A991CB60

Function 002B3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002B396B
CharUpperBuffW.USER32(?,?), ref: 002B3A7A
_wcslen.LIBCMT ref: 002B3A8A
VariantClear.OLEAUT32(?), ref: 002B3C1F

Part of subcall function 002A0CDF: VariantInit.OLEAUT32(00000000), ref: 002A0D1F
Part of subcall function 002A0CDF: VariantCopy.OLEAUT32(?,?), ref: 002A0D28
Part of subcall function 002A0CDF: VariantClear.OLEAUT32(?), ref: 002A0D34

Strings

Incorrect Parameter format, xrefs: 002B39A6, 002B3BA1
AUTOIT.ERROR, xrefs: 002B3A80, 002B3A85

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: f86be39648756c152d28ce8a865c5ac4c44f36761f17f2e47a1991a9b87e35bc
Instruction ID: 8a4dbbc6af550e49ef9e03b29d9d9d6cdbf8d3a313c71d68e12e7abfd09f07c7
Opcode Fuzzy Hash: f86be39648756c152d28ce8a865c5ac4c44f36761f17f2e47a1991a9b87e35bc
Instruction Fuzzy Hash: E29146756283059FCB04EF24C4809AAB7E4BF89354F14882EF88997351DB30EE55CF92

Function 002B4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0029000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?,?,0029035E), ref: 0029002B
Part of subcall function 0029000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?), ref: 00290046
Part of subcall function 0029000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?), ref: 00290054
Part of subcall function 0029000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?), ref: 00290064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 002B4C51
_wcslen.LIBCMT ref: 002B4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 002B4DCF
CoTaskMemFree.OLE32(?), ref: 002B4DDA

Strings

NULL Pointer assignment, xrefs: 002B4E23, 002B4E52

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b9465ee89aa0a161a79c3cfb119f8922bca757f31a44b410517b3fba46ef9785
Instruction ID: c3bd008180e5c8d11eaacea7b31955242b74d9ce4fd288dbf8836ed97b24f2bd
Opcode Fuzzy Hash: b9465ee89aa0a161a79c3cfb119f8922bca757f31a44b410517b3fba46ef9785
Instruction Fuzzy Hash: FD9129B1D1021DAFDF14EFA4C881EEEB7B8BF08354F104169E915A7251DB709A54CF60

Function 002C20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002C2183
GetMenuItemCount.USER32(00000000), ref: 002C21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002C21DD
_wcslen.LIBCMT ref: 002C2213
GetMenuItemID.USER32(?,?), ref: 002C224D
GetSubMenu.USER32(?,?), ref: 002C225B

Part of subcall function 00293A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00293A57
Part of subcall function 00293A3D: GetCurrentThreadId.KERNEL32 ref: 00293A5E
Part of subcall function 00293A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002925B3), ref: 00293A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002C22E3

Part of subcall function 0029E97B: Sleep.KERNELBASE ref: 0029E9F3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: ae572d3d28c63220b775738cfd7a7a9b0a6877658e1daa66c1ce617f97fb795b
Instruction ID: fcca7a0a8959b6634709ae9768ffb637ebde3d4a4b56d710349d788c9f6aeda6
Opcode Fuzzy Hash: ae572d3d28c63220b775738cfd7a7a9b0a6877658e1daa66c1ce617f97fb795b
Instruction Fuzzy Hash: BC71AC75A20205EFCB14EF64C845FAEB7F5EF88310F148559E81AAB341DB74AD158F90

Function 002C7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01864CE8), ref: 002C7F37
IsWindowEnabled.USER32(01864CE8), ref: 002C7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 002C801E
SendMessageW.USER32(01864CE8,000000B0,?,?), ref: 002C8051
IsDlgButtonChecked.USER32(?,?), ref: 002C8089
GetWindowLongW.USER32(01864CE8,000000EC), ref: 002C80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002C80C3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4b85c700bc1cfe61a8f652d983da1c6860b7669fbb1c76395f761d7ca6f91061
Instruction ID: fbd3ba99742714c867c9b8fa357b02d450ed75509de0da732bdc510fb0047fc0
Opcode Fuzzy Hash: 4b85c700bc1cfe61a8f652d983da1c6860b7669fbb1c76395f761d7ca6f91061
Instruction Fuzzy Hash: 5571DF34628206AFEB259F64CCD4FAABBB9EF09340F14425DE94593261CB32AC64DF10

Function 0029AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0029AEF9
GetKeyboardState.USER32(?), ref: 0029AF0E
SetKeyboardState.USER32(?), ref: 0029AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0029AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0029AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0029AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0029B020

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 63ae647884b0901a9b3083a206fc5419483e9b7983c9f74a74de50fc9ae880fa
Instruction ID: 383abaee498a6c32d466dd99915c52b8484881ff79eaed6ee6dc19bb04352289
Opcode Fuzzy Hash: 63ae647884b0901a9b3083a206fc5419483e9b7983c9f74a74de50fc9ae880fa
Instruction Fuzzy Hash: 7651E1A0A247D63DFF374734CD49BBABEA95B06304F088489E1D9458C2C3D9ACE8D791

Function 0029ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0029AD19
GetKeyboardState.USER32(?), ref: 0029AD2E
SetKeyboardState.USER32(?), ref: 0029AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0029ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0029ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0029AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0029AE38

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d475e43a84e6c3f3575b2a857854b7e367f5a798548594e0dfeaadc3b7ca1ff5
Instruction ID: 27a15d2eb0ff31bae0798d83a1e9a31874973ae68acb33351cf8d92ef5423d96
Opcode Fuzzy Hash: d475e43a84e6c3f3575b2a857854b7e367f5a798548594e0dfeaadc3b7ca1ff5
Instruction Fuzzy Hash: 2151E7A19247D63DFF3787348C55B7A7E986B46300F088499E1D5468C2D394ECA4D7A2

Function 0026542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00273CD6,?,?,?,?,?,?,?,?,00265BA3,?,?,00273CD6,?,?), ref: 00265470
__fassign.LIBCMT ref: 002654EB
__fassign.LIBCMT ref: 00265506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00273CD6,00000005,00000000,00000000), ref: 0026552C
WriteFile.KERNEL32(?,00273CD6,00000000,00265BA3,00000000,?,?,?,?,?,?,?,?,?,00265BA3,?), ref: 0026554B
WriteFile.KERNEL32(?,?,00000001,00265BA3,00000000,?,?,?,?,?,?,?,?,?,00265BA3,?), ref: 00265584

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e9aa8c17ef49822836e36c087e9ab415608780b4f7be097cca821a6f6e878f81
Instruction ID: b72a47232a643fed258b4ce16ae6f4620821ff84130da17bc8b120b96a4caa9f
Opcode Fuzzy Hash: e9aa8c17ef49822836e36c087e9ab415608780b4f7be097cca821a6f6e878f81
Instruction Fuzzy Hash: E751C1B0A1064ADFDB10CFA8D849BEEBBF9EF08300F14415EF556E7291D6709A91CB60

Function 002B10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 002B307A
Part of subcall function 002B304E: _wcslen.LIBCMT ref: 002B309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002B1112
WSAGetLastError.WSOCK32 ref: 002B1121
WSAGetLastError.WSOCK32 ref: 002B11C9
closesocket.WSOCK32(00000000), ref: 002B11F9

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 00f7f9046bf8641aa4f3115789ec566b679e05fbe758c1a21616d155a9467036
Instruction ID: 09b7ef0c2760bd4664fec664579811f9ffde219805034e744a1c3865adfea3ce
Opcode Fuzzy Hash: 00f7f9046bf8641aa4f3115789ec566b679e05fbe758c1a21616d155a9467036
Instruction Fuzzy Hash: 52411671220204AFDB109F18D888BEAB7E9EF443A4F648159FD099B291C770AD61CFA0

Function 0029CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0029DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0029CF22,?), ref: 0029DDFD

Part of subcall function 0029DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0029CF22,?), ref: 0029DE16

lstrcmpiW.KERNEL32(?,?), ref: 0029CF45
MoveFileW.KERNEL32(?,?), ref: 0029CF7F
_wcslen.LIBCMT ref: 0029D005
_wcslen.LIBCMT ref: 0029D01B
SHFileOperationW.SHELL32(?), ref: 0029D061

Strings

\*.*, xrefs: 0029CFF3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 306f119777f52a7e06df5d87b516fcfa8dba44df355412083e1f4323bb60b0fd
Instruction ID: 8fc9c39ae400b88f5865f918025427ae3e2426fff42ae637e401d18e97c96128
Opcode Fuzzy Hash: 306f119777f52a7e06df5d87b516fcfa8dba44df355412083e1f4323bb60b0fd
Instruction Fuzzy Hash: EF4179719152195FDF12EFA4D981EDDB7B8AF08380F1000E6E509EB141EB34AB98CF50

Function 002C2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 002C2E1C
GetWindowLongW.USER32(?,000000F0), ref: 002C2E4F
GetWindowLongW.USER32(?,000000F0), ref: 002C2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 002C2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 002C2EE0
GetWindowLongW.USER32(?,000000F0), ref: 002C2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002C2F0B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9cf33f5781012a640d582dd6925c3e85ad7b44d0b2755c58870ab1a02ea5678b
Instruction ID: 3e7e07e3f9936aeab4cb9859395d234680b9fd891fe9f19aa6d5798a27dc4184
Opcode Fuzzy Hash: 9cf33f5781012a640d582dd6925c3e85ad7b44d0b2755c58870ab1a02ea5678b
Instruction Fuzzy Hash: 51311330615255EFDB21DF18ED98FA537E8EB8A710F240269F904AB2B2CB71B854DB40

Function 00297726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00297769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0029778F
SysAllocString.OLEAUT32(00000000), ref: 00297792
SysAllocString.OLEAUT32(?), ref: 002977B0
SysFreeString.OLEAUT32(?), ref: 002977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 002977DE
SysAllocString.OLEAUT32(?), ref: 002977EC

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6e293482087ac0eef8e03cf4ae316e3bfd26cf442a40d9d88fa1c29a6d15d21b
Instruction ID: 690df75451e4c2b17a5fa951d034176054bd8bad797e62d07ae96d7a1edf0d80
Opcode Fuzzy Hash: 6e293482087ac0eef8e03cf4ae316e3bfd26cf442a40d9d88fa1c29a6d15d21b
Instruction Fuzzy Hash: DF219276624219AFDF14EFA9DC88CFBB7ACEB097647148025F919DB150D670DC418B60

Function 002977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00297842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00297868
SysAllocString.OLEAUT32(00000000), ref: 0029786B
SysAllocString.OLEAUT32 ref: 0029788C
SysFreeString.OLEAUT32 ref: 00297895
StringFromGUID2.OLE32(?,?,00000028), ref: 002978AF
SysAllocString.OLEAUT32(?), ref: 002978BD

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 38e2d2e930f2ea56b4af19403e476e87eaca4f9e11fae9c2bf3d563de23b3bef
Instruction ID: e9ae33ac3ff71ca0d7d8ba4e5447e6b19a4b198dcddea2f62d53dfe9e870b297
Opcode Fuzzy Hash: 38e2d2e930f2ea56b4af19403e476e87eaca4f9e11fae9c2bf3d563de23b3bef
Instruction Fuzzy Hash: A9218031628205AFDF14AFB8DC8CDAA77ECFB097607148125F919CB2A1DA70DC51DB64

Function 002A04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002A04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002A052E

Strings

nul, xrefs: 002A0567

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 30cf9f9020ad1e3952f0d7731688959dc832ebce1ec4d37fb5cb2b65e7ba480e
Instruction ID: dae882443569e358e1b0296b3e0b6cdb60a5c832188ed2ec1e2c0af2dcea38b8
Opcode Fuzzy Hash: 30cf9f9020ad1e3952f0d7731688959dc832ebce1ec4d37fb5cb2b65e7ba480e
Instruction Fuzzy Hash: DD218271D103069FDF209F69DC88A5A7BB4BF46764F604A19F8A5D71E0DB709960CF20

Function 002A05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002A05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002A0601

Strings

nul, xrefs: 002A0639

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 0d07226ec9d8ba29a03b5caea03043a2473fba4b121a65f9aed53b8276d8358b
Instruction ID: 5179099f8ec357680f67b6a9966957138e28dbc379e2ebf5b52c297345646afc
Opcode Fuzzy Hash: 0d07226ec9d8ba29a03b5caea03043a2473fba4b121a65f9aed53b8276d8358b
Instruction Fuzzy Hash: A5213575510306DBDB209F69DC84E5A77E8BF96B24F200A19FDA1E72D0DBB09970CB50

Function 002C40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0023604C
Part of subcall function 0023600E: GetStockObject.GDI32(00000011), ref: 00236060
Part of subcall function 0023600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0023606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002C4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002C411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002C412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002C4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002C4145

Strings

Msctls_Progress32, xrefs: 002C40E3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8f6c6267cd8e8ea7d54f7d1cc41f13b9a2f083719fc8c41f12a8fc880c9e676f
Instruction ID: 2589f6a4d87a9467cf104c0f4c6d47186dc8d970f93771ad82b1073e46edee06
Opcode Fuzzy Hash: 8f6c6267cd8e8ea7d54f7d1cc41f13b9a2f083719fc8c41f12a8fc880c9e676f
Instruction Fuzzy Hash: 8B1193B11501197EEF119E64CC85EE77F9DEF08798F104211FA18A2050C6729C21DBA4

Function 0026D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0026D7A3: _free.LIBCMT ref: 0026D7CC

_free.LIBCMT ref: 0026D82D

Part of subcall function 002629C8: HeapFree.KERNEL32(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 0026D838
_free.LIBCMT ref: 0026D843
_free.LIBCMT ref: 0026D897
_free.LIBCMT ref: 0026D8A2
_free.LIBCMT ref: 0026D8AD
_free.LIBCMT ref: 0026D8B8

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 7177430487b93fa0804aaa39900197a93de7d4e765bae839d0f3eca0f44a00a9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: FD115171B61B08EAD522BFB0CC47FCBBBDC6F40700F440825B299A6092DA65B5A54E51

Function 0029DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0029DA74
LoadStringW.USER32(00000000), ref: 0029DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0029DA91
LoadStringW.USER32(00000000), ref: 0029DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0029DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0029DAB9

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: bb3d427c3a16941aee2aed78185106f8a62b023db6af43281a76d6638d9d306f
Instruction ID: 1b87e881ded3f35fb7ab05b474ef8f480d31d6bf25797480ba3b1881e55fa099
Opcode Fuzzy Hash: bb3d427c3a16941aee2aed78185106f8a62b023db6af43281a76d6638d9d306f
Instruction Fuzzy Hash: E80162F29102087FEB10ABA4AD8DEE7726CEB08311F500496F74AE2041EA749E944F74

Function 002A096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0185D300,0185D300), ref: 002A097B
EnterCriticalSection.KERNEL32(0185D2E0,00000000), ref: 002A098D
TerminateThread.KERNEL32(?,000001F6), ref: 002A099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 002A09A9
CloseHandle.KERNEL32(?), ref: 002A09B8
InterlockedExchange.KERNEL32(0185D300,000001F6), ref: 002A09C8
LeaveCriticalSection.KERNEL32(0185D2E0), ref: 002A09CF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5abbd2a69e8fff78b76b67e6b361056f43bb3e3ea9347ac1a80da1faf0b9f3fc
Instruction ID: 0bada5659ce849cd8adff0f60ddc3ef1a664318136c8639c72d129d3929599f3
Opcode Fuzzy Hash: 5abbd2a69e8fff78b76b67e6b361056f43bb3e3ea9347ac1a80da1faf0b9f3fc
Instruction Fuzzy Hash: ABF01932442A02ABD7416FA4FE8CED6BA29FF01702F502025F206908A0CB74A875CF91

Function 002B1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 002B1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002B1DE1
WSAGetLastError.WSOCK32 ref: 002B1DF2
htons.WSOCK32(?,?,?,?,?), ref: 002B1EDB
inet_ntoa.WSOCK32(?), ref: 002B1E8C

Part of subcall function 002939E8: _strlen.LIBCMT ref: 002939F2

Part of subcall function 002B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,002AEC0C), ref: 002B3240

_strlen.LIBCMT ref: 002B1F35

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: acb54091722138f37d5980fc26bfc8f09f1d7b83b5f6ef4e5a15bcbdc0d032f7
Instruction ID: c6a0f6e077d8cbcc74357ea34c5ca6e08297ef6a9fc18ffef57a24bc80434133
Opcode Fuzzy Hash: acb54091722138f37d5980fc26bfc8f09f1d7b83b5f6ef4e5a15bcbdc0d032f7
Instruction Fuzzy Hash: C1B10270224301AFC324DF24C895F6A7BE5AF84358FA4854CF55A5B2E2CB71ED61CB91

Function 00235D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00235D30
GetWindowRect.USER32(?,?), ref: 00235D71
ScreenToClient.USER32(?,?), ref: 00235D99
GetClientRect.USER32(?,?), ref: 00235ED7
GetWindowRect.USER32(?,?), ref: 00235EF8

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 367122047d6e71f02220e5a3f733299d9fe05d92182bc86ef8bd02a0a39695e9
Instruction ID: 286289b977c7bf83972ce9b57fe34c01f5163741386d7cefec38da0b68c97f3a
Opcode Fuzzy Hash: 367122047d6e71f02220e5a3f733299d9fe05d92182bc86ef8bd02a0a39695e9
Instruction Fuzzy Hash: EDB18A75A20B5ADBDB10DFA8C4807EEB7F1FF48310F14841AE8A9D7250DB34AA61DB50

Function 002601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002600D6
__allrem.LIBCMT ref: 002600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0026010B
__allrem.LIBCMT ref: 00260122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00260140

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 8ab277a01b12b0780a272284010bc5a4f8bc8a7b3fd4f956ba6afeb3ebb5f767
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 74815972A207069BE7209F78CC81B6B73E8AF41320F24453EF855D7AC1E770D9A49B94

Function 002661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002582D9,002582D9,?,?,?,0026644F,00000001,00000001,8BE85006), ref: 00266258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0026644F,00000001,00000001,8BE85006,?,?,?), ref: 002662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002663D8
__freea.LIBCMT ref: 002663E5

Part of subcall function 00263820: RtlAllocateHeap.NTDLL(00000000,?,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6,?,00231129), ref: 00263852

__freea.LIBCMT ref: 002663EE
__freea.LIBCMT ref: 00266413

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: f77c5113ea46b6f0ad08a66b6e64d48d54d6f3ca976c0f2578a3ab3407d43b2e
Instruction ID: 8f7dd2a7a27eeca2b402cc3c91940586106581dcdd5c7ba9bc100ef5a638b549
Opcode Fuzzy Hash: f77c5113ea46b6f0ad08a66b6e64d48d54d6f3ca976c0f2578a3ab3407d43b2e
Instruction Fuzzy Hash: E351E472620217ABDB258FA4DC89EAF77A9EF44B10F144269FC05D6240DB74DCF0CAA0

Function 002BBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 002BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002BB6AE,?,?), ref: 002BC9B5
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BC9F1
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA68
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002BBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002BBD25
RegCloseKey.ADVAPI32(00000000), ref: 002BBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002BBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002BBDF3
RegCloseKey.ADVAPI32(?), ref: 002BBDFF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 790567e0db78d34b2fcaf74aa0bc6c567c9d4fa10ace361857f6c4e0a8ea5825
Instruction ID: 584aec8455a66a722525c2b618226017b9aaba71e5e95a24b409884656ea5121
Opcode Fuzzy Hash: 790567e0db78d34b2fcaf74aa0bc6c567c9d4fa10ace361857f6c4e0a8ea5825
Instruction Fuzzy Hash: 2281DD70228242AFC715DF24C885E6ABBE5FF84348F14895CF4994B2A2CB71ED55CF92

Function 0028F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0028F7B9
SysAllocString.OLEAUT32(00000001), ref: 0028F860
VariantCopy.OLEAUT32(0028FA64,00000000), ref: 0028F889
VariantClear.OLEAUT32(0028FA64), ref: 0028F8AD
VariantCopy.OLEAUT32(0028FA64,00000000), ref: 0028F8B1
VariantClear.OLEAUT32(?), ref: 0028F8BB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e7faa03ee762535de34eb64f2784e6a5b1739f83bc922e4297f03653c1811724
Instruction ID: 88b333b592b9e7fa4735581834f73f0ad9f6cb97083ce875264715c672245cc0
Opcode Fuzzy Hash: e7faa03ee762535de34eb64f2784e6a5b1739f83bc922e4297f03653c1811724
Instruction Fuzzy Hash: AA51D739631310BACFA4BF65D995B29B3A4EF45310F208467E905DF2D1DBB08C60CB66

Function 002A910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00237620: _wcslen.LIBCMT ref: 00237625

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 002A94E5
_wcslen.LIBCMT ref: 002A9506
_wcslen.LIBCMT ref: 002A952D
GetSaveFileNameW.COMDLG32(00000058), ref: 002A9585

Strings

X, xrefs: 002A9412

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 08812b2d34b4c23440c4842105b869d78f7009616329af47ea5f2e04c21c415f
Instruction ID: 16cedac7c0594c49f3634c4233adb6f43bc6020da44c18808806f59bc1065b42
Opcode Fuzzy Hash: 08812b2d34b4c23440c4842105b869d78f7009616329af47ea5f2e04c21c415f
Instruction Fuzzy Hash: F5E1C2715283419FCB24DF25C481B6AB7E4BF86314F04896DF8899B2A2DB30DD55CF92

Function 0024920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

BeginPaint.USER32(?,?,?), ref: 00249241
GetWindowRect.USER32(?,?), ref: 002492A5
ScreenToClient.USER32(?,?), ref: 002492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002492D3
EndPaint.USER32(?,?,?,?,?), ref: 00249321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002871EA

Part of subcall function 00249339: BeginPath.GDI32(00000000), ref: 00249357

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 640916a7307c0f1d6570278dd318e9e6bc334a6d57b529f18bba2b63709c9d42
Instruction ID: 08180f9f00112485a55b3236dac451523f0f7746010f15facd2e3f83069f3558
Opcode Fuzzy Hash: 640916a7307c0f1d6570278dd318e9e6bc334a6d57b529f18bba2b63709c9d42
Instruction Fuzzy Hash: 5D41B031115201AFD721DF24DC98FBB7BA8EF86320F240269F9A8872E1C7709895DB61

Function 002A07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002A080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 002A0847
EnterCriticalSection.KERNEL32(?), ref: 002A0863
LeaveCriticalSection.KERNEL32(?), ref: 002A08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002A08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 002A0921

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 1795ee5c467d959bf3cf58c72d786a1ff8ad14d4efbb1a9ba8a9d72f27729d95
Instruction ID: 5e873f5524986d495cb75bbd8a294359b9afe460d0602a3d8504e0b3a98fe9e0
Opcode Fuzzy Hash: 1795ee5c467d959bf3cf58c72d786a1ff8ad14d4efbb1a9ba8a9d72f27729d95
Instruction Fuzzy Hash: 84419871A10206EFDF04AF54DCC5AAAB7B8FF44300F1440A9ED049A296DB30DE65DFA4

Function 002C81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0028F3AB,00000000,?,?,00000000,?,0028682C,00000004,00000000,00000000), ref: 002C824C
EnableWindow.USER32(?,00000000), ref: 002C8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 002C82D1
ShowWindow.USER32(?,00000004), ref: 002C82E5
EnableWindow.USER32(?,00000001), ref: 002C830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002C832F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e7a8ea3145696f22f325513253beb691e550b5d707098501a3dda01bc16a0d74
Instruction ID: be3a7f149071f2e7e4bad2056c3b5f9eade91884a60b4f827781fdb91fd550fa
Opcode Fuzzy Hash: e7a8ea3145696f22f325513253beb691e550b5d707098501a3dda01bc16a0d74
Instruction Fuzzy Hash: 4641A330601685AFDB16CF14DC99FA47BE4FB4A714F1892ADE9084B262CB31A851CB91

Function 00294C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00294C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00294CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00294CEA
_wcslen.LIBCMT ref: 00294D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00294D10
_wcsstr.LIBVCRUNTIME ref: 00294D1A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 79cd8b4e1ee54004e201401a09ad8c8ee9f8cb6b5b27062a756a6c0a5c1d8471
Instruction ID: 71001f4539d382ab176046ab405708d99568c8f8e479d7682fa3bdf3fb3b21a3
Opcode Fuzzy Hash: 79cd8b4e1ee54004e201401a09ad8c8ee9f8cb6b5b27062a756a6c0a5c1d8471
Instruction Fuzzy Hash: 1621F935614201BBEF196F35AD49E7B7B9CDF85750F20402AF809CA191EA61DC6196A0

Function 002A581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00233AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00233A97,?,?,00232E7F,?,?,?,00000000), ref: 00233AC2

_wcslen.LIBCMT ref: 002A587B
CoInitialize.OLE32(00000000), ref: 002A5995
CoCreateInstance.OLE32(002CFCF8,00000000,00000001,002CFB68,?), ref: 002A59AE
CoUninitialize.OLE32 ref: 002A59CC

Strings

.lnk, xrefs: 002A5876, 002A58C1, 002A5985

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: dd8d0b9982ce82e2bb5e2ca2cede1d30aeb9e9f5ded5b1e2b1a7d92ce31e2d6d
Instruction ID: b867701b535b4e6e2d4bdbf86a82bc6c90dc044bba2e3c037491416fdab4ce3e
Opcode Fuzzy Hash: dd8d0b9982ce82e2bb5e2ca2cede1d30aeb9e9f5ded5b1e2b1a7d92ce31e2d6d
Instruction Fuzzy Hash: 5DD153B56246129FCB14DF24C480A2BBBE1FF8A714F108959F8899B261DB31EC55CF92

Function 0029175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00290FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00290FCA
Part of subcall function 00290FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00290FD6
Part of subcall function 00290FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00290FE5
Part of subcall function 00290FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00290FEC
Part of subcall function 00290FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00291002

GetLengthSid.ADVAPI32(?,00000000,00291335), ref: 002917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002917BA
HeapAlloc.KERNEL32(00000000), ref: 002917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 002917DA
GetProcessHeap.KERNEL32(00000000,00000000,00291335), ref: 002917EE
HeapFree.KERNEL32(00000000), ref: 002917F5

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d66fbc87cf67acd85eaf7866a20f128639a8dd13230fcc948d51163700925e27
Instruction ID: ebe87f15bbefbee4ebf16028d1e96f65e5f37960a9053e052cf165894bb16a02
Opcode Fuzzy Hash: d66fbc87cf67acd85eaf7866a20f128639a8dd13230fcc948d51163700925e27
Instruction Fuzzy Hash: 3511AC32520207FFDF109FA6DC49FEEBBA9EB45355F244028F4499B220C775A960CB60

Function 002914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00291506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00291515
CloseHandle.KERNEL32(00000004), ref: 00291520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0029154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00291563

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 69147b6f83cb1808dd63866752fbf1ded10ceafa6b2df5283f24d179641916ba
Instruction ID: 38a905f07f522ef927e4f0d8a04e4d903439b149fb89803dbd9222749bbacf73
Opcode Fuzzy Hash: 69147b6f83cb1808dd63866752fbf1ded10ceafa6b2df5283f24d179641916ba
Instruction Fuzzy Hash: 8A11567250020AABDF119FA8ED49FDE7BA9FF48744F154024FA09A2060C375CE65DB60

Function 00253382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00253379,00252FE5), ref: 00253390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0025339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002533B7
SetLastError.KERNEL32(00000000,?,00253379,00252FE5), ref: 00253409

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 988599d20baa7be74b91576b60700fe8eefbafe5024dc88e6bbedc58d35931f2
Instruction ID: 8917b467068fbe00156140e52899f901ad3a4fc76561e43559363fec59ed84ba
Opcode Fuzzy Hash: 988599d20baa7be74b91576b60700fe8eefbafe5024dc88e6bbedc58d35931f2
Instruction Fuzzy Hash: 9801D232629316BAA6156B747D899B62A98DB053FB330123DFC10851F0EE314D2A998C

Function 00262D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00265686,00273CD6,?,00000000,?,00265B6A,?,?,?,?,?,0025E6D1,?,002F8A48), ref: 00262D78
_free.LIBCMT ref: 00262DAB
_free.LIBCMT ref: 00262DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0025E6D1,?,002F8A48,00000010,00234F4A,?,?,00000000,00273CD6), ref: 00262DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0025E6D1,?,002F8A48,00000010,00234F4A,?,?,00000000,00273CD6), ref: 00262DEC
_abort.LIBCMT ref: 00262DF2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 47158ac079d99c401c98102f2c466e3a4e534bd70c1e77d51a3cd2a625b8ccaf
Instruction ID: bacc1b8d09d0268237f0493ad60277d11cca4d912c12fddd6b71d1f25f3c1795
Opcode Fuzzy Hash: 47158ac079d99c401c98102f2c466e3a4e534bd70c1e77d51a3cd2a625b8ccaf
Instruction Fuzzy Hash: EAF0A931525E02E7C2126734BC1AE5F1559ABC27A1F350424F828931D5DE248CF94560

Function 002C8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00249639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00249693
Part of subcall function 00249639: SelectObject.GDI32(?,00000000), ref: 002496A2
Part of subcall function 00249639: BeginPath.GDI32(?), ref: 002496B9
Part of subcall function 00249639: SelectObject.GDI32(?,00000000), ref: 002496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 002C8A4E
LineTo.GDI32(?,00000003,00000000), ref: 002C8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 002C8A70
LineTo.GDI32(?,00000000,00000003), ref: 002C8A80
EndPath.GDI32(?), ref: 002C8A90
StrokePath.GDI32(?), ref: 002C8AA0

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9c0973215965e7449f83e960df1a03407a2a711f64b87d1278af200b02abd910
Instruction ID: a86a549629a41d32c49267950017110fd903b55535b8ef91279134e52aecd4cd
Opcode Fuzzy Hash: 9c0973215965e7449f83e960df1a03407a2a711f64b87d1278af200b02abd910
Instruction Fuzzy Hash: F3110576400149FFEB129F90EC88FAA7F6CEB08350F148026FA599A1A1C7719D65DFA0

Function 002951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00295218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00295229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00295230
ReleaseDC.USER32(00000000,00000000), ref: 00295238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0029524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00295261

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: badb4352d5eba7b8e9177e7ac3537d01b689313dd24d56949b5e7fb0fd98efa3
Instruction ID: 0a2dde004cb1f7988f28320f3f525cdcea6587d728099eca3bdf9b2ed22b597d
Opcode Fuzzy Hash: badb4352d5eba7b8e9177e7ac3537d01b689313dd24d56949b5e7fb0fd98efa3
Instruction Fuzzy Hash: 22014475E01715BBEF105FA59D49E5EBFB8EF44751F144065FA08A7281D6709C10CF60

Function 00231BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00231BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00231BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00231C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00231C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00231C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00231C22

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 496e3a368edca2f58a1b83e389f28a3344bf0b19145d5e4654ce359cc2d2a205
Instruction ID: 720b773d93786106ccb6c22f59ad866b8cd23f9713b5cbe552734403a5dd309a
Opcode Fuzzy Hash: 496e3a368edca2f58a1b83e389f28a3344bf0b19145d5e4654ce359cc2d2a205
Instruction Fuzzy Hash: 3A0167B0902B5ABDE3008F6A8C85B52FFA8FF59354F10411BE15C4BA42C7F5A864CBE5

Function 0029EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0029EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0029EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0029EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0029EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0029EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0029EB75

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ecbeacf76bbb350ca5cc8976fdbe4f4e46f766af933d9626db5a5a597eb7251f
Instruction ID: 9e852df6800361dec50cca12fd1ff59a65123cab493d65e0ad3550ae68949bb0
Opcode Fuzzy Hash: ecbeacf76bbb350ca5cc8976fdbe4f4e46f766af933d9626db5a5a597eb7251f
Instruction Fuzzy Hash: 64F03A72640558BBE7215B63AD0EEEF3A7CEFCAB15F200158F609D1091D7A05A01C6B5

Function 00287439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00287452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00287469
GetWindowDC.USER32(?), ref: 00287475
GetPixel.GDI32(00000000,?,?), ref: 00287484
ReleaseDC.USER32(?,00000000), ref: 00287496
GetSysColor.USER32(00000005), ref: 002874B0

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 93b612dd446c5af26d088cb38153f3b15f0063757836cd97baa2b1ebe0a27f2d
Instruction ID: 88c904beeae2aa3666ebef704a4d2fe9d9f1fb283a220f714913e998c1ef0ab1
Opcode Fuzzy Hash: 93b612dd446c5af26d088cb38153f3b15f0063757836cd97baa2b1ebe0a27f2d
Instruction Fuzzy Hash: A6014B35410215EFDB51AFA4ED0CFAA7BB9FB04311F750164F929A21A1CB711E62EB50

Function 00291874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0029187F
UnloadUserProfile.USERENV(?,?), ref: 0029188B
CloseHandle.KERNEL32(?), ref: 00291894
CloseHandle.KERNEL32(?), ref: 0029189C
GetProcessHeap.KERNEL32(00000000,?), ref: 002918A5
HeapFree.KERNEL32(00000000), ref: 002918AC

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f0affb64e2e3217b6bfc1734ec3556a1698ea3c6ac0a8ca5b76fe5988853af8b
Instruction ID: 2dec979c6c6ff1d832587e02f26dc863e67c3cadddf8d16dbd7550b360ee5c5e
Opcode Fuzzy Hash: f0affb64e2e3217b6bfc1734ec3556a1698ea3c6ac0a8ca5b76fe5988853af8b
Instruction Fuzzy Hash: DEE0E536404501BBDB016FA2FD0CD0ABF39FF49B22B208220F22D81470CB729420DF50

Function 0023BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0023BEB3

Strings

D%0, xrefs: 0023BE9A
D%0D%0, xrefs: 0023BCA5
D%0, xrefs: 0023BDED, 0023BD91, 0023BD1B
D%0, xrefs: 0023BCA2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%0$D%0$D%0$D%0D%0
API String ID: 1385522511-516430114
Opcode ID: 8e078e5a989ad2f704bb591b03d5f5988be88284119ff9a75bc779b4861827ab
Instruction ID: 25d44792c914e1a91cafa3c2e42e1b40bded772cfafa14f159e6638937e1eae4
Opcode Fuzzy Hash: 8e078e5a989ad2f704bb591b03d5f5988be88284119ff9a75bc779b4861827ab
Instruction Fuzzy Hash: 07918CB5A2020ACFCB29CF59C4A06AAB7F1FF59310F20456ADA45AB350D731ED91CF90

Function 002B7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00250242: EnterCriticalSection.KERNEL32(0030070C,00301884,?,?,0024198B,00302518,?,?,?,002312F9,00000000), ref: 0025024D
Part of subcall function 00250242: LeaveCriticalSection.KERNEL32(0030070C,?,0024198B,00302518,?,?,?,002312F9,00000000), ref: 0025028A

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 002500A3: __onexit.LIBCMT ref: 002500A9

__Init_thread_footer.LIBCMT ref: 002B7BFB

Part of subcall function 002501F8: EnterCriticalSection.KERNEL32(0030070C,?,?,00248747,00302514), ref: 00250202
Part of subcall function 002501F8: LeaveCriticalSection.KERNEL32(0030070C,?,00248747,00302514), ref: 00250235

Strings

+T(, xrefs: 002B7E2E
G, xrefs: 002B7C7F
Variable must be of type 'Object'., xrefs: 002B7C3A
5, xrefs: 002B7C78

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T($5$G$Variable must be of type 'Object'.
API String ID: 535116098-2278887451
Opcode ID: 1326f5ddccfac11b26bef9375ee6a1a47366a882349490a2ed2c048253a2e549
Instruction ID: 94f790ebc992e0cedf186656a847e92cd327e58782158815a24c073876b2b291
Opcode Fuzzy Hash: 1326f5ddccfac11b26bef9375ee6a1a47366a882349490a2ed2c048253a2e549
Instruction Fuzzy Hash: 22918C74A2420AAFCB14EF54C891DEDB7B1FF89380F508059F8069B292DB71AE61CF51

Function 0029C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00237620: _wcslen.LIBCMT ref: 00237625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0029C6EE
_wcslen.LIBCMT ref: 0029C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0029C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0029C7CA

Strings

0, xrefs: 0029C6AF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: a277924228e5eda8a49c0123b7bc0792d5ef6a20de61ca581190fea1225c612c
Instruction ID: 377206f910ec621f5bb321d6d8af6fcbf360e6d6142812d27a293969056b6329
Opcode Fuzzy Hash: a277924228e5eda8a49c0123b7bc0792d5ef6a20de61ca581190fea1225c612c
Instruction Fuzzy Hash: 9851CF716343029BDB159F68C885AABB7ECAF89310F240A2DF995E21D0DB70D924CF52

Function 002BAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 002BAEA3

Part of subcall function 00237620: _wcslen.LIBCMT ref: 00237625

GetProcessId.KERNEL32(00000000), ref: 002BAF38
CloseHandle.KERNEL32(00000000), ref: 002BAF67

Strings

<, xrefs: 002BAE6B
@, xrefs: 002BAE72

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: de2105d0f4e13dc866e0316cb8b42b05d071ac5db4c33e286ee5bf3d93d9960c
Instruction ID: 282bf95f2fc7cb7ada2161ece7fafb7530898c59b6512c60300dda51105783b6
Opcode Fuzzy Hash: de2105d0f4e13dc866e0316cb8b42b05d071ac5db4c33e286ee5bf3d93d9960c
Instruction Fuzzy Hash: 877166B1A20219DFCF14DF54C484A9EBBF0AF08310F0484A9E856AB7A2C771ED55CF91

Function 0029719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00297206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0029723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0029724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002972CF

Strings

DllGetClassObject, xrefs: 00297242

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 64319052be32d86b41b095eb6d73ac530bee4c12c796c4e1958923ad584b64bc
Instruction ID: 014a79ffa5d60da097689cf0f072f32dd33bdc2bb0aea8d1047c05eb28dbb885
Opcode Fuzzy Hash: 64319052be32d86b41b095eb6d73ac530bee4c12c796c4e1958923ad584b64bc
Instruction Fuzzy Hash: 68416D71A34204EFDF15CF54C884A9A7BB9EF45710F2580AEBD099F20AD7B0D954CBA0

Function 002C3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002C3E35
IsMenu.USER32(?), ref: 002C3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002C3E92
DrawMenuBar.USER32 ref: 002C3EA5

Strings

0, xrefs: 002C3D89

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 0eef3a5e4b086b6b056db2688762fb5efc0cc49943aea70b4191669a11d1da43
Instruction ID: 04dde4642ecdcd57486fb7a0d5ed7273cb49c23775cac8128691153077e9f4ac
Opcode Fuzzy Hash: 0eef3a5e4b086b6b056db2688762fb5efc0cc49943aea70b4191669a11d1da43
Instruction Fuzzy Hash: D0414C75A2120AEFDB10DF50D884E9ABBB9FF49354F04862DF905A7250D730AE65CFA0

Function 00291DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 00293CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00293CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00291E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00291E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00291EA9

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

Strings

ListBox, xrefs: 00291E25
ComboBox, xrefs: 00291DF0

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: f1e793164d1ef62202b13c359921bc9bf924e992b0d2f8dd7638ef4551786604
Instruction ID: dcf7b58266f9b3ca50752ac2929456da8008eb390a54445dc48b98757cb12c7e
Opcode Fuzzy Hash: f1e793164d1ef62202b13c359921bc9bf924e992b0d2f8dd7638ef4551786604
Instruction Fuzzy Hash: 4A2123B1A20105BADF18AF61DD4ACFFB7B8DF86350F204129F865A31E0DB7449398A20

Function 002C2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002C2F8D
LoadLibraryW.KERNEL32(?), ref: 002C2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002C2FA9
DestroyWindow.USER32(?), ref: 002C2FB1

Strings

SysAnimate32, xrefs: 002C2F68

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 337c848400b7574498900ea7356fcd6609001a662b3003dbcac7f7ab844f6706
Instruction ID: 686771e04a8299ddc1c0f21165a1c6e4b10e60693d6e5168f9d381f5dd52682e
Opcode Fuzzy Hash: 337c848400b7574498900ea7356fcd6609001a662b3003dbcac7f7ab844f6706
Instruction Fuzzy Hash: 6921B87122020AEBEB218E649C84FBB77BDEB59364F20532CFA1092590CA71DC659B60

Function 00254D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00254D1E,002628E9,?,00254CBE,002628E9,002F88B8,0000000C,00254E15,002628E9,00000002), ref: 00254D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00254DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00254D1E,002628E9,?,00254CBE,002628E9,002F88B8,0000000C,00254E15,002628E9,00000002,00000000), ref: 00254DC3

Strings

mscoree.dll, xrefs: 00254D86
CorExitProcess, xrefs: 00254D98

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 30725583af854da0be868b5f0267d88811ee2fcfed0cfe1d9666725e66aad7ab
Instruction ID: 52666f5831810a4edaaf2bb347e407471906e0b509d9314b311f61efbc0f4bca
Opcode Fuzzy Hash: 30725583af854da0be868b5f0267d88811ee2fcfed0cfe1d9666725e66aad7ab
Instruction Fuzzy Hash: 6DF0A430550208BBEB155F90EC4DFADBFB4EF04752F1400A4FC09A2260CB705D94CE94

Function 0028D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0028D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0028D3BF
FreeLibrary.KERNEL32(00000000), ref: 0028D3E5

Strings

X64, xrefs: 0028D2A8
GetSystemWow64DirectoryW, xrefs: 0028D3B9

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: d723ab51c25020bf7a4662725db942792601a4e4267892c6c1a9dc5dc12f7d4e
Instruction ID: 23d28a11ac314bc392d4ac0e420d793950256730d67bc92103c13afdc9ef6928
Opcode Fuzzy Hash: d723ab51c25020bf7a4662725db942792601a4e4267892c6c1a9dc5dc12f7d4e
Instruction Fuzzy Hash: F2F0EC3D8775129BE7753B115C5CD69B3149F11702F644595FC09E20CADBE0CD788B92

Function 00234E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00234EDD,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00234EAE
FreeLibrary.KERNEL32(00000000,?,?,00234EDD,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00234EA8
kernel32.dll, xrefs: 00234E94

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 659ac164e86cd06ee3b6b31557bc28fb2363b816a7a6112b5edbd11699e0532b
Instruction ID: df29adebf11b95ba644a432460518ed73e06045474c12224295ffbc2b21496c4
Opcode Fuzzy Hash: 659ac164e86cd06ee3b6b31557bc28fb2363b816a7a6112b5edbd11699e0532b
Instruction Fuzzy Hash: FFE0CD75E115235BD2322F267C1CF6FA554AFC2F62F190155FD0CD2110DBA0DD1280B0

Function 00234E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00273CDE,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00234E74
FreeLibrary.KERNEL32(00000000,?,?,00273CDE,?,00301418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00234E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00234E6E
kernel32.dll, xrefs: 00234E5B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: fe5c235a0038d3f70c8e8cf946f800422240b8f2063b7f19d61a73b467d519df
Instruction ID: 29e00cc22235481515cc66b192798c18e614346b050dfa8246c4cb4c9302c2fe
Opcode Fuzzy Hash: fe5c235a0038d3f70c8e8cf946f800422240b8f2063b7f19d61a73b467d519df
Instruction Fuzzy Hash: 98D02B329226335746322F26BC1CE8F6A18AF86F513190264F90CE2110CFA0CD22C1E0

Function 002A2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002A2C05
DeleteFileW.KERNEL32(?), ref: 002A2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002A2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002A2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002A2CC0

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 136e27eb89fced6ce059745d3f131647e9535291be02a2180e592c0f0879e14a
Instruction ID: 131f3e9e158ec05525132110298bb7b98babed79a214746b219afc71d533c4ea
Opcode Fuzzy Hash: 136e27eb89fced6ce059745d3f131647e9535291be02a2180e592c0f0879e14a
Instruction Fuzzy Hash: 38B17071D20129EBDF25DFA4CC85EDEB77DEF49350F1040A6FA09E6141EA309A588F61

Function 002BA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 002BA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002BA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 002BA468
CloseHandle.KERNEL32(?), ref: 002BA63D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 7127bba106c5b89298441a5a99ca7a910cc1dfc3af17bd5faa855ec83ba1be03
Instruction ID: 7b2d088d22078c0bc369a7ca40ae22ea914543e8f79ff7207d6737379a5300e4
Opcode Fuzzy Hash: 7127bba106c5b89298441a5a99ca7a910cc1dfc3af17bd5faa855ec83ba1be03
Instruction Fuzzy Hash: 57A1B1B1614301AFD720DF24D886F2AB7E5AF84714F14885DF69A9B292D7B0EC518F82

Function 0026BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,002D3700), ref: 0026BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0030121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0026BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00301270,000000FF,?,0000003F,00000000,?), ref: 0026BC36
_free.LIBCMT ref: 0026BB7F

Part of subcall function 002629C8: HeapFree.KERNEL32(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 0026BD4B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c3b38f8e2091a16abae1bb024f87a0b6c368a7b5402d1c5a26af97c32a3f888a
Instruction ID: 55c94ed66fb64999d00bb84bba43505faa0881b39c59387fde59bdbf5c353a64
Opcode Fuzzy Hash: c3b38f8e2091a16abae1bb024f87a0b6c368a7b5402d1c5a26af97c32a3f888a
Instruction Fuzzy Hash: 5A51C671910209EFCB16EF699C819AEB7BCEF40360F10466BE554D7291EB709EE18B50

Function 0029E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0029DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0029CF22,?), ref: 0029DDFD

Part of subcall function 0029DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0029CF22,?), ref: 0029DE16

Part of subcall function 0029E199: GetFileAttributesW.KERNEL32(?,0029CF95), ref: 0029E19A

lstrcmpiW.KERNEL32(?,?), ref: 0029E473
MoveFileW.KERNEL32(?,?), ref: 0029E4AC
_wcslen.LIBCMT ref: 0029E5EB
_wcslen.LIBCMT ref: 0029E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0029E650

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 09f60305cf2f5ac1d76f4eb5eb9587ce89751d76ee22d4bde89774043b758dcf
Instruction ID: 1a695b1d585157023a2f42ede863791604d64ed03019b70cb6595b909ce5dfad
Opcode Fuzzy Hash: 09f60305cf2f5ac1d76f4eb5eb9587ce89751d76ee22d4bde89774043b758dcf
Instruction Fuzzy Hash: 695164B24183459BCB24EB90D8819DFB3DCAF85340F10491EF689D3191EF74A598CB66

Function 002BB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 002BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002BB6AE,?,?), ref: 002BC9B5
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BC9F1
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA68
Part of subcall function 002BC998: _wcslen.LIBCMT ref: 002BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002BBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002BBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002BBB63
RegCloseKey.ADVAPI32(?,?), ref: 002BBBA6
RegCloseKey.ADVAPI32(00000000), ref: 002BBBB3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 0b14d325da5dfc3bb5144b50a5d0428dee34c73cc1ccb3761d7bf442d0209c87
Instruction ID: c6798a20778389128b7bed6890bbe4c275eb143d7c05bda79c01c83caf069b57
Opcode Fuzzy Hash: 0b14d325da5dfc3bb5144b50a5d0428dee34c73cc1ccb3761d7bf442d0209c87
Instruction Fuzzy Hash: E361D171228241AFC715DF14C890E6ABBE5FF84348F14895CF4998B2A2CB71ED55CF92

Function 00298BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00298BCD
VariantClear.OLEAUT32 ref: 00298C3E
VariantClear.OLEAUT32 ref: 00298C9D
VariantClear.OLEAUT32(?), ref: 00298D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00298D3B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7c7c255a46d5ceb944696a0ef1afadeb86cd7289614f6fcdf811b8012ffc5ebf
Instruction ID: 8ff3e6e2d3618276ce7ef7ae093abad453a2627f303239b870381f4b9ff2c786
Opcode Fuzzy Hash: 7c7c255a46d5ceb944696a0ef1afadeb86cd7289614f6fcdf811b8012ffc5ebf
Instruction Fuzzy Hash: D6515CB5A10219EFCB14CF68D894EAAB7F8FF89314B158559E909DB350E730E911CFA0

Function 002A8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002A8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 002A8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002A8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002A8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002A8C5F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 07ac9e819b14d0df237bfa8bc67739cb8698c9f8565cf0ce330e39583d17d058
Instruction ID: b5ace39883e4f5f1d657ff4687810f879ccb28f2fd39ed6ead848dc0b3318b3f
Opcode Fuzzy Hash: 07ac9e819b14d0df237bfa8bc67739cb8698c9f8565cf0ce330e39583d17d058
Instruction Fuzzy Hash: F7513975A10219AFCB19DF65C880A69BBF5FF49314F088459E849AB362CB31ED61CF90

Function 002B8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 002B8F40
GetProcAddress.KERNEL32(00000000,?), ref: 002B8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 002B8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 002B9032
FreeLibrary.KERNEL32(00000000), ref: 002B9052

Part of subcall function 0024F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,002A1043,?,75C0E610), ref: 0024F6E6
Part of subcall function 0024F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0028FA64,00000000,00000000,?,?,002A1043,?,75C0E610,?,0028FA64), ref: 0024F70D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 64bc950d27ece34368cdaea24504ba7d6af9fa2d573fbcc767e51ebabac16079
Instruction ID: 5d672f0a0ab3d630b055d6b5dfa9f48af3e7ce177e598560f7afddccd82b7966
Opcode Fuzzy Hash: 64bc950d27ece34368cdaea24504ba7d6af9fa2d573fbcc767e51ebabac16079
Instruction Fuzzy Hash: 94516874610205DFCB05EF68C4848ADBBB1FF49354F5880A8E90A9B762DB31ED96CF90

Function 002C6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 002C6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 002C6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 002C6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,002AAB79,00000000,00000000), ref: 002C6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 002C6CC7

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: dc158990d6de0ca3b0737f1aa8818463d8bc37f209a8da941f497deedd3f8e07
Instruction ID: 0f466ddfa86eecb3af0b43396a43140dc1dd3826846874fffb8676ba69184592
Opcode Fuzzy Hash: dc158990d6de0ca3b0737f1aa8818463d8bc37f209a8da941f497deedd3f8e07
Instruction Fuzzy Hash: 0741F935624105AFD724CF28CD5CFA97BA9EB49350F14032EF899A72E1C371EE61CA80

Function 00262051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002620C3
_free.LIBCMT ref: 002620E3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 410e23f62f0ac1c6c6e36e631e0154fb45fef211cdc37bb3f81e985858b0a4a7
Instruction ID: 8d1a3b5d4e16143f0e430e8f84d09e1e45c0a81140e3613029fa1d4fdf33ec88
Opcode Fuzzy Hash: 410e23f62f0ac1c6c6e36e631e0154fb45fef211cdc37bb3f81e985858b0a4a7
Instruction Fuzzy Hash: C3410332A10604DFCB24DF78C980A6DB3F5EF89314F2545A8EA15EB392DB31AD55CB80

Function 0024912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00249141
ScreenToClient.USER32(00000000,?), ref: 0024915E
GetAsyncKeyState.USER32(00000001), ref: 00249183
GetAsyncKeyState.USER32(00000002), ref: 0024919D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 8c0fa64402c7a410dbfad666dc83af9fdfa8036adcf8963ddab7e971995b7e66
Instruction ID: 32cfad460269dd1630c82b82ba6f48db6cdf0735d8006d7ae4a2bdd21346ba17
Opcode Fuzzy Hash: 8c0fa64402c7a410dbfad666dc83af9fdfa8036adcf8963ddab7e971995b7e66
Instruction Fuzzy Hash: 2C414F3591851BEBDF19AF64C848BEEB774FB05320F20431AE42DA62D0C770A9A4DF51

Function 002A3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002A38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 002A3922
TranslateMessage.USER32(?), ref: 002A394B
DispatchMessageW.USER32(?), ref: 002A3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A3966

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: daca7b4345f1de7c7f8cc2585572539acd78dca90a71e2112b21c123c98a4204
Instruction ID: b822dd86db5dfee22c7f2edab1270dc7599488b36d8bafaca0dc80b15786a8f6
Opcode Fuzzy Hash: daca7b4345f1de7c7f8cc2585572539acd78dca90a71e2112b21c123c98a4204
Instruction Fuzzy Hash: 7931BF709253439FEB26CF349858BB777ACAB07304F14456AF466821A0EBF49A94CB11

Function 002ACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 002ACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 002ACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,002AC21E,00000000), ref: 002ACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,002AC21E,00000000), ref: 002ACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,002AC21E,00000000), ref: 002ACFF2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 039a453041ac412d9323552576340e2ede4f5a04220f8e75862456d981781a94
Instruction ID: e82e7ec4222f8d8c4e277a01b05a994445ece41fb342aab7285e7c2a1715e921
Opcode Fuzzy Hash: 039a453041ac412d9323552576340e2ede4f5a04220f8e75862456d981781a94
Instruction Fuzzy Hash: 6E318071520206EFDB24DFA5D984DABBBF9EB05310B20442FF50AD2910DB30AD51DF60

Function 00291901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00291915
PostMessageW.USER32(00000001,00000201,00000001), ref: 002919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 002919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 002919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002919E2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: c2d98f0f6ebc483fcacaae8e2962c8715a25c63f37cd12ce95b713c9de3872f2
Instruction ID: 344d90a5539da50d9d9f1c9e86eaaf65d97974e21516324dbdd29076ac314efb
Opcode Fuzzy Hash: c2d98f0f6ebc483fcacaae8e2962c8715a25c63f37cd12ce95b713c9de3872f2
Instruction Fuzzy Hash: 6631DF71A1021AEFEF04CFA9DD99ADE3BB5EB44314F104229F925A72D0C3B09964CB90

Function 002C5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 002C5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 002C579D
_wcslen.LIBCMT ref: 002C57AF
_wcslen.LIBCMT ref: 002C57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 002C5816

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: cf837cdc472638104700558380a7c5d47078efae9eab52cd33821bba46edf283
Instruction ID: 21c427a974eb6d1c169e85c1b7da43110370335ec1ba9959a149f768761d8e4d
Opcode Fuzzy Hash: cf837cdc472638104700558380a7c5d47078efae9eab52cd33821bba46edf283
Instruction Fuzzy Hash: D22181319246299ADB209F60CC85FEEB7BCFF44324F10835AE919AA180D770E9D5CF50

Function 002B0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002B0951
GetForegroundWindow.USER32 ref: 002B0968
GetDC.USER32(00000000), ref: 002B09A4
GetPixel.GDI32(00000000,?,00000003), ref: 002B09B0
ReleaseDC.USER32(00000000,00000003), ref: 002B09E8

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5cedfc6031937bacd76a7523b36f8973bb58d405349f42c223fb267da1c1dd90
Instruction ID: 7f57d25fe871886756bfe3694120d68b1a4fc381f0caa3a535f1c0a9d202ddda
Opcode Fuzzy Hash: 5cedfc6031937bacd76a7523b36f8973bb58d405349f42c223fb267da1c1dd90
Instruction Fuzzy Hash: 15218E75A10204AFD704EF65D988EAEBBE9EF49740F148069E94AA7762CB70AC14CF50

Function 0026CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0026CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0026CDE9

Part of subcall function 00263820: RtlAllocateHeap.NTDLL(00000000,?,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6,?,00231129), ref: 00263852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0026CE0F
_free.LIBCMT ref: 0026CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0026CE31

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 69f466ddfd76f30b5e6e3c8081214183a1843d33a93620cf02046cb823f4097d
Instruction ID: bdeca72755a82c2dca176748b8dd1c38126ecc6225b3739299ba7e2b984a951a
Opcode Fuzzy Hash: 69f466ddfd76f30b5e6e3c8081214183a1843d33a93620cf02046cb823f4097d
Instruction Fuzzy Hash: AA01D872A222157F23212AB67C8CC7B797DDEC6FA13350129F909C7200DA668D6181B0

Function 00249639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00249693
SelectObject.GDI32(?,00000000), ref: 002496A2
BeginPath.GDI32(?), ref: 002496B9
SelectObject.GDI32(?,00000000), ref: 002496E2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e47cb5fc9d860a4897444679b7e19b9763dc2fd4fdcd2336ad14dd0e6c53281b
Instruction ID: 6cd80007735063f8a0b1f7deb27732dcc509af3f8ae38ae1a6c1313530a67494
Opcode Fuzzy Hash: e47cb5fc9d860a4897444679b7e19b9763dc2fd4fdcd2336ad14dd0e6c53281b
Instruction Fuzzy Hash: C9218331823306EFDB129F25EC28BAB3B6CBB50325F210216F414A61B0D3B098A1CFD0

Function 00295711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00295726
_memcmp.LIBVCRUNTIME ref: 00295744
_memcmp.LIBVCRUNTIME ref: 00295757
_memcmp.LIBVCRUNTIME ref: 0029576F
_memcmp.LIBVCRUNTIME ref: 00295787

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 09e0e56edceea3358d7ebca57427a4b363c8c6ab63139099cdaa412e59245ed4
Instruction ID: 27990b98710a8ccedf8b86f01f12de682f6d7be8011c478641ea92090e9c0dea
Opcode Fuzzy Hash: 09e0e56edceea3358d7ebca57427a4b363c8c6ab63139099cdaa412e59245ed4
Instruction Fuzzy Hash: 2801F9613B1615BBDA099A509E92FFBB35D9B21395F004025FD049A241F770EF34C7A4

Function 00262DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0025F2DE,00263863,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6), ref: 00262DFD
_free.LIBCMT ref: 00262E32
_free.LIBCMT ref: 00262E59
SetLastError.KERNEL32(00000000,00231129), ref: 00262E66
SetLastError.KERNEL32(00000000,00231129), ref: 00262E6F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 55c2b026a85e2c8a168d82cc60cea124494954d6c56bc354d308f3f6b1d628ed
Instruction ID: f3dde305bfebd435cc9aefca0091169f1ce2346658b9431c5500b7bbe58f2750
Opcode Fuzzy Hash: 55c2b026a85e2c8a168d82cc60cea124494954d6c56bc354d308f3f6b1d628ed
Instruction Fuzzy Hash: C601F436675E01E7C6126B347D49D2B265DABD13B5B350038F829A32D3EB729CB94520

Function 0029000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?,?,0029035E), ref: 0029002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?), ref: 00290046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?), ref: 00290054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?), ref: 00290064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0028FF41,80070057,?,?), ref: 00290070

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1ca62d21482997f69f0175069803eb2e4b79e1c7c45e4c013e3c14f418888b72
Instruction ID: abeb4ff34e47efc7dac7176118ac7ac5c0a92e6e2d51d6c741ed5502eb2c0780
Opcode Fuzzy Hash: 1ca62d21482997f69f0175069803eb2e4b79e1c7c45e4c013e3c14f418888b72
Instruction Fuzzy Hash: 2D01A272610219BFDF118F68EC88FAE7AEDEF44751F244224F909D2210D771DD508BA0

Function 002910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00291114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 0029112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00290B9B,?,?,?), ref: 00291136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0029114D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: e29d9d21da8b2b91b1ebba195dc8504529be328ed2fcf65fa74357525c314b9e
Instruction ID: 602036d135828a943b5245f60bf180dfbdeddcc417c1c9056c1db27330b5d1ae
Opcode Fuzzy Hash: e29d9d21da8b2b91b1ebba195dc8504529be328ed2fcf65fa74357525c314b9e
Instruction Fuzzy Hash: CE013C75200206BFDB114FA6EC4DE6A3F6EEF893A0B244429FA49D7360DB71DC119B60

Function 00290FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00290FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00290FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00290FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00290FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00291002

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 56736c0dc05d703c7819aeef278ccd2e09b23ad97352397b474608d253bfd160
Instruction ID: b440c6081c14eeb163b338675b0f24085d416b325fee6d623da40c9286110ca8
Opcode Fuzzy Hash: 56736c0dc05d703c7819aeef278ccd2e09b23ad97352397b474608d253bfd160
Instruction Fuzzy Hash: E2F04935200312ABDB215FA6AC4DF563BADFF89762F244424FE49C7251CA71DC60CA60

Function 00291014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0029102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00291036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00291045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0029104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00291062

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ee14416dace6df5a4e9933e14e17262406faa0be724a8ba1b08fa8f84dd2e213
Instruction ID: 26d6d134ba09a8e72a07b9454aa7eafa4fe8d3e7b26cc9e65681e1fd14ca742a
Opcode Fuzzy Hash: ee14416dace6df5a4e9933e14e17262406faa0be724a8ba1b08fa8f84dd2e213
Instruction Fuzzy Hash: E8F06D35200312EBDB215FA6FC4DF563BADFF897A1F240424FE49C7250CA71D8608A60

Function 002A030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A0324
CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A0331
CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A033E
CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A034B
CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A0358
CloseHandle.KERNEL32(?,?,?,?,002A017D,?,002A32FC,?,00000001,00272592,?), ref: 002A0365

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 65c82bd68f68cac5b208ae8cf67ed5104f5c885cb75ae9ea271dbf3e8d9acdb4
Instruction ID: d274f8cf2ae4c6d7f0370228d58b454c07245881a1138d4ef88711f5e56ce667
Opcode Fuzzy Hash: 65c82bd68f68cac5b208ae8cf67ed5104f5c885cb75ae9ea271dbf3e8d9acdb4
Instruction Fuzzy Hash: DC01EE72810B028FCB30AF66D8C0806FBF9BF613053148A7FD19652930CBB1A968CF80

Function 0026D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0026D752

Part of subcall function 002629C8: HeapFree.KERNEL32(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 0026D764
_free.LIBCMT ref: 0026D776
_free.LIBCMT ref: 0026D788
_free.LIBCMT ref: 0026D79A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a33f1093118ed711551cf714140daf7b6fbd17c095ff149a697f7cb351ff75b
Instruction ID: 5a2d5c3c489e3d821d0fd8f900cc30ff8ebcee2d2cd0ab42c45e63f77500d937
Opcode Fuzzy Hash: 1a33f1093118ed711551cf714140daf7b6fbd17c095ff149a697f7cb351ff75b
Instruction Fuzzy Hash: 6DF0FF32B6560DEB8626EF64FAC5C26B7DDBB447A0BB41815F048D7501CB20FCD4CA65

Function 00295C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00295C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00295C6F
MessageBeep.USER32(00000000), ref: 00295C87
KillTimer.USER32(?,0000040A), ref: 00295CA3
EndDialog.USER32(?,00000001), ref: 00295CBD

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e4652fb26c547cb44d3d92e9ea65d5bccface5e52c80c8de05ad8adea644b87d
Instruction ID: 81ae79c6d07639558c6e3d356d21ba19ab03c43a96e71b307acfea0fdaca05c8
Opcode Fuzzy Hash: e4652fb26c547cb44d3d92e9ea65d5bccface5e52c80c8de05ad8adea644b87d
Instruction Fuzzy Hash: 9E018670610B14ABEF215F10EE4EFA677BCBB00B05F10055AF687A15E1DBF4A9948F90

Function 002622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002622BE

Part of subcall function 002629C8: HeapFree.KERNEL32(00000000,00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000), ref: 002629DE
Part of subcall function 002629C8: GetLastError.KERNEL32(00000000,?,0026D7D1,00000000,00000000,00000000,00000000,?,0026D7F8,00000000,00000007,00000000,?,0026DBF5,00000000,00000000), ref: 002629F0

_free.LIBCMT ref: 002622D0
_free.LIBCMT ref: 002622E3
_free.LIBCMT ref: 002622F4
_free.LIBCMT ref: 00262305

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a3077b1315ab9b5e9e5267c76f66f35561a7286f7a81840b27c29e791a40afff
Instruction ID: cd8cc27a8284aa2f1dec19698c854d67e42a0022417f906c0c17839962a54690
Opcode Fuzzy Hash: a3077b1315ab9b5e9e5267c76f66f35561a7286f7a81840b27c29e791a40afff
Instruction Fuzzy Hash: B2F030B0523915CBC71BAF54BC21A183BACB7587E1F20151BF410D2271C73004A5AFA5

Function 002495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002495D4
StrokeAndFillPath.GDI32(?,?,002871F7,00000000,?,?,?), ref: 002495F0
SelectObject.GDI32(?,00000000), ref: 00249603
DeleteObject.GDI32 ref: 00249616
StrokePath.GDI32(?), ref: 00249631

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 833a862f816a7ef67f6f90fe7523273282d9fbac8765f75db30fd9b078732231
Instruction ID: 316563803252530d2bbae8aa202d952142dec2056a4231d4e70b48d752fce0ef
Opcode Fuzzy Hash: 833a862f816a7ef67f6f90fe7523273282d9fbac8765f75db30fd9b078732231
Instruction Fuzzy Hash: C4F04F31026605EFDB175F65ED2CB653F69FB00322F248215F469590F0C77089A5DFA0

Function 00260F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002610F9
__freea.LIBCMT ref: 00261117

Part of subcall function 00261537: _free.LIBCMT ref: 0026154F

Strings

a/p, xrefs: 002611DE
am/pm, xrefs: 0026117A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c926153399755918975e42086a23bb3f9d3927c43aacba1890fe017389f128bb
Instruction ID: c210799436bde0f9716835f32f5eb83bc1991aa25cf9399f1501b400b270caef
Opcode Fuzzy Hash: c926153399755918975e42086a23bb3f9d3927c43aacba1890fe017389f128bb
Instruction Fuzzy Hash: 0AD1DF31930206DADB289F68C895BBAB7B1EF06300F2C4199E9069B754D775BDF0CB91

Function 002B61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00250242: EnterCriticalSection.KERNEL32(0030070C,00301884,?,?,0024198B,00302518,?,?,?,002312F9,00000000), ref: 0025024D
Part of subcall function 00250242: LeaveCriticalSection.KERNEL32(0030070C,?,0024198B,00302518,?,?,?,002312F9,00000000), ref: 0025028A

Part of subcall function 002500A3: __onexit.LIBCMT ref: 002500A9

__Init_thread_footer.LIBCMT ref: 002B6238

Part of subcall function 002501F8: EnterCriticalSection.KERNEL32(0030070C,?,?,00248747,00302514), ref: 00250202
Part of subcall function 002501F8: LeaveCriticalSection.KERNEL32(0030070C,?,00248747,00302514), ref: 00250235

Part of subcall function 002A359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 002A35E4
Part of subcall function 002A359C: LoadStringW.USER32(00302390,?,00000FFF,?), ref: 002A360A

Strings

x#0, xrefs: 002B633A
x#0, xrefs: 002B636F
x#0, xrefs: 002B6353

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#0$x#0$x#0
API String ID: 1072379062-3395092969
Opcode ID: eef2618a3570d72651d67cfc55b1110fc1cd0b8343e06a97cbebeb16f93d01a5
Instruction ID: d58be9188616cc629a137b03a59dddcb8bc403ff0685cd8a9d5a443d487c9820
Opcode Fuzzy Hash: eef2618a3570d72651d67cfc55b1110fc1cd0b8343e06a97cbebeb16f93d01a5
Instruction Fuzzy Hash: 29C18B71A20106AFDB24DF98C894EFEB7B9EF48340F148069F9459B291DB74ED64CB90

Function 00265AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO#, xrefs: 00265BA8, 00265C6C

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: JO#
API String ID: 0-1472918460
Opcode ID: 8a2662cb33d1a9605149e1dc66fc9e4746e21a1ee528c0956c77401719c0c97d
Instruction ID: 491b436cdd2b087c30679343a2689f36ef9c2299712e968a0a2cf72808beb50a
Opcode Fuzzy Hash: 8a2662cb33d1a9605149e1dc66fc9e4746e21a1ee528c0956c77401719c0c97d
Instruction Fuzzy Hash: 1151D171D3062AAFCB119FA8CD45FAEBBB8EF05314F14005AF805A7291D77199A1CB61

Function 00268A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00268B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00268B7A
__dosmaperr.LIBCMT ref: 00268B81

Strings

.%, xrefs: 00268A63

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .%
API String ID: 2434981716-3802303113
Opcode ID: ee9f40035f7d959e31b6f138896cd0c882936b80c5e01c21d59aed7fe57ffbc5
Instruction ID: fcd49be0c22d3fe51c8856d72cf6b8fae5dee41f9c44faa1ac59f55e21f49af8
Opcode Fuzzy Hash: ee9f40035f7d959e31b6f138896cd0c882936b80c5e01c21d59aed7fe57ffbc5
Instruction Fuzzy Hash: 2E41AEB0624046AFD7259F64D884A797FE5DB45308F2843AAF884C7542DE718CA29790

Function 00292716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0029B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002921D0,?,?,00000034,00000800,?,00000034), ref: 0029B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00292760

Part of subcall function 0029B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0029B3F8

Part of subcall function 0029B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0029B355
Part of subcall function 0029B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00292194,00000034,?,?,00001004,00000000,00000000), ref: 0029B365
Part of subcall function 0029B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00292194,00000034,?,?,00001004,00000000,00000000), ref: 0029B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0029281A

Strings

@, xrefs: 00292832

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: e8165d680f46820229151cfd43e4167522e17ff50564a99e02ee53e20935f07b
Instruction ID: 06499286ea2ed812bdc0878fe551330c0f831ace17912812900f7805f820b7b3
Opcode Fuzzy Hash: e8165d680f46820229151cfd43e4167522e17ff50564a99e02ee53e20935f07b
Instruction Fuzzy Hash: B6412972900218BEDF11DFA4DD45EEEBBB8AF09300F104095EA55B7181DA706E99CFA0

Function 0026172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00261769
_free.LIBCMT ref: 00261834
_free.LIBCMT ref: 0026183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00261760, 00261767, 00261796, 002617CE

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 79f4438c2eb639ed2cbf70ba510f77f69b14fba53a609805117579ba590df498
Instruction ID: 87653a854085950a21865b1d5466cf0bb7a05ca49737f143c98d2ce964d31146
Opcode Fuzzy Hash: 79f4438c2eb639ed2cbf70ba510f77f69b14fba53a609805117579ba590df498
Instruction Fuzzy Hash: 08316275A11219EFDB22DF999885D9EBBFCEB85310F184166F804D7211D770AEA0CB90

Function 0029C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0029C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0029C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00301990,01864E50), ref: 0029C395

Strings

0, xrefs: 0029C2DF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9776ca29c830b5cd054fea58f3cc3967bab47774498fffa01195bdaa6555d4b3
Instruction ID: 89c72262328078171aa39d4a72fd4ed86ae271a213927709cd5ae4abdc3ff631
Opcode Fuzzy Hash: 9776ca29c830b5cd054fea58f3cc3967bab47774498fffa01195bdaa6555d4b3
Instruction Fuzzy Hash: 1641E6712143029FDB20DF24D884F1ABBE4EF85310F2086ADF8A5972D1D770E954CB66

Function 002C4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002CCC08,00000000,?,?,?,?), ref: 002C44AA
GetWindowLongW.USER32 ref: 002C44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002C44D7

Strings

SysTreeView32, xrefs: 002C447C

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7b77c56725c3e47ca06166abba57de988d667b632fb95c597fa02fa195e53135
Instruction ID: cbadaf5f4b7ffb05e359f2e08665bf9772c2e7f13cde0189f48d051bf983c594
Opcode Fuzzy Hash: 7b77c56725c3e47ca06166abba57de988d667b632fb95c597fa02fa195e53135
Instruction Fuzzy Hash: C231AD31220606AFDB24AE38DC55FEB7BA9EB08334F204329F979921D0D770EC609B50

Function 00296E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00296EED
VariantCopyInd.OLEAUT32(?,?), ref: 00296F08
VariantClear.OLEAUT32(?), ref: 00296F12

Strings

*j), xrefs: 00296E8B, 00296E90, 00296EF8

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j)
API String ID: 2173805711-389742949
Opcode ID: f12c9e1d30c4cc2c20b715eaab685d7d7b3f3a516aa4135faa73f818fa8c7b3d
Instruction ID: 886823f48b872f0e6c3141ef6118d3c0dd6ff163f51c6a3af694505db22e2f3e
Opcode Fuzzy Hash: f12c9e1d30c4cc2c20b715eaab685d7d7b3f3a516aa4135faa73f818fa8c7b3d
Instruction Fuzzy Hash: CA3191B2624245DFCF09AFA4E8599BD37B6EF85300F2004A9F9034B6A1C7749936DF90

Function 002B304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,002B3077,?,?), ref: 002B3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 002B307A
_wcslen.LIBCMT ref: 002B309B
htons.WSOCK32(00000000,?,?,00000000), ref: 002B3106

Strings

255.255.255.255, xrefs: 002B3095, 002B309A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: c6554edb84c7e8b55756f8e1558e96a6de96b4a929ca232d039a1438f97d1622
Instruction ID: e730c4df7675da8833a2decda506046863a99999e10978db60b7018be90c608a
Opcode Fuzzy Hash: c6554edb84c7e8b55756f8e1558e96a6de96b4a929ca232d039a1438f97d1622
Instruction Fuzzy Hash: B03107356202029FCB10DF2CC885EEA77E4EF14398F248559E8158B392DB72DE55CB60

Function 002C3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002C3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002C3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 002C3F78

Strings

SysMonthCal32, xrefs: 002C3F0B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8c3a79bef6012ed394d73508bca088cdad9220db903e6279f86ff6e9938d0978
Instruction ID: 59bd6f7d553387790b9b259d293839604409d92f7440a3444d5dda96aa21821d
Opcode Fuzzy Hash: 8c3a79bef6012ed394d73508bca088cdad9220db903e6279f86ff6e9938d0978
Instruction Fuzzy Hash: 70219F32620219BBDF25CF50DC46FEA3B79EF48714F114618FA196B1D0D6B5A960CB90

Function 002C4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002C4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002C4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002C471A

Strings

msctls_updown32, xrefs: 002C4684

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: df135df18360ba3c343fae392304d7e72dd4f8105f21e2c4eb89927c5b5147e1
Instruction ID: 49c0e337b21846a9d5d2859374542c72cf16f7e15837137a9d98becfe469c55b
Opcode Fuzzy Hash: df135df18360ba3c343fae392304d7e72dd4f8105f21e2c4eb89927c5b5147e1
Instruction Fuzzy Hash: 362190B5610209AFDB11EF64DCD1DB777ADEB5A394B140159FA049B351CB70EC21CA60

Function 002995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029961D

Strings

#notrayicon, xrefs: 002995B7
#requireadmin, xrefs: 002995D9
#OnAutoItStartRegister, xrefs: 002995F3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 87f88c5e0561e8449147e35ea71dbf15877d79e3ff93a52aa2a11466539cfb59
Instruction ID: d97f3b97fb0a1ee1819f0552b229eef73af30fb11220192914dc179762f21cd7
Opcode Fuzzy Hash: 87f88c5e0561e8449147e35ea71dbf15877d79e3ff93a52aa2a11466539cfb59
Instruction Fuzzy Hash: 6C21387223451266DB31AE2C9D02FB7B3AC9FA5320F50402EFE4997041EBA1ADF5C6D5

Function 002C37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002C3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002C3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002C3876

Strings

Listbox, xrefs: 002C380F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 36013d356b9b25e75d4e576479841f4146b6906cdc1ac243ed3373ca4f4b2628
Instruction ID: 78a6d56a28ad791f08b3e7307b1310b6d7b2add7e4b1e6ae6eb87d99589b86bf
Opcode Fuzzy Hash: 36013d356b9b25e75d4e576479841f4146b6906cdc1ac243ed3373ca4f4b2628
Instruction Fuzzy Hash: 91218072620119BBEB11DF54DC85FBB776EEF89750F11C628F9049B190C671DC618BA0

Function 002A49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002A4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002A4A5C
SetErrorMode.KERNEL32(00000000,?,?,002CCC08), ref: 002A4AD0

Strings

%lu, xrefs: 002A4A6F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: db693f87eabe382b917d116cf5b50b8d5fdb22c8e1642db41dc9d20b9708fce9
Instruction ID: 394a8c9281f968e31bb05470f1b1d79131b44460375dcd3b03a8ac233e09d7c4
Opcode Fuzzy Hash: db693f87eabe382b917d116cf5b50b8d5fdb22c8e1642db41dc9d20b9708fce9
Instruction Fuzzy Hash: 17317371A10109AFDB10DF54C885EAAB7F8EF49308F1480A5F909DB252DB71EE55CF61

Function 002C41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002C424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002C4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002C4271

Strings

msctls_trackbar32, xrefs: 002C4226

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8f1f3cb733f83bb3aeaed599a5128ad03046aed9be7e03e77f75e588ce09e404
Instruction ID: 267c53afb69d20386f33f58984408a363336ba22ed033a0f6d396d659c845163
Opcode Fuzzy Hash: 8f1f3cb733f83bb3aeaed599a5128ad03046aed9be7e03e77f75e588ce09e404
Instruction Fuzzy Hash: 5E110631250208BEEF216F28CC06FAB3BACEF85B54F114228FA55E2090D2B1DC61DB10

Function 00292F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

Part of subcall function 00292DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00292DC5
Part of subcall function 00292DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00292DD6
Part of subcall function 00292DA7: GetCurrentThreadId.KERNEL32 ref: 00292DDD
Part of subcall function 00292DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00292DE4

GetFocus.USER32 ref: 00292F78

Part of subcall function 00292DEE: GetParent.USER32(00000000), ref: 00292DF9

GetClassNameW.USER32(?,?,00000100), ref: 00292FC3
EnumChildWindows.USER32(?,0029303B), ref: 00292FEB

Strings

%s%d, xrefs: 00292FFF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 4b94e8e53b62809dd829823217d2721a9f773bcd9fdce845e0217a68fe9a2099
Instruction ID: 0d3411d34c4717e628206509dc59e622f5d679dc23fe518c039be966b6d64f70
Opcode Fuzzy Hash: 4b94e8e53b62809dd829823217d2721a9f773bcd9fdce845e0217a68fe9a2099
Instruction Fuzzy Hash: 4311D671610205ABCF14BF709C89EFD776EAF84304F148075FA09AB252DE7099598F70

Function 0029D66A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0029D682
DeviceIoControl.KERNEL32(00000000,pow,00000007,0000000C,?,0000000C,?,00000000), ref: 0029D6BF
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0029D6C8

Strings

pow, xrefs: 0029D6B9

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID: pow
API String ID: 33631002-2276729525
Opcode ID: 545acf4cb02a1186adf94f4ebd459e806cc71b2086a0506abc0aa1dbc45c6208
Instruction ID: d50fbf2591b4c98b5290096ab1a8af5c0e3228b5bc14cec22d218a8fe5135e6b
Opcode Fuzzy Hash: 545acf4cb02a1186adf94f4ebd459e806cc71b2086a0506abc0aa1dbc45c6208
Instruction Fuzzy Hash: 7D01B1B2D00228BBE7109BA9EC48FAFBABCEB08750F104515B914E7190D2B49A008BF0

Function 002C5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002C58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 002C58EE
DrawMenuBar.USER32(?), ref: 002C58FD

Strings

0, xrefs: 002C588F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: c01f99dafeb3c2895a79433b084060a15beccd961e244f2c2f6b364831cd205c
Instruction ID: 71f196385ad89180751d7a7ec20be3516a22eb2dc7fbd45d50b0f4afaf921037
Opcode Fuzzy Hash: c01f99dafeb3c2895a79433b084060a15beccd961e244f2c2f6b364831cd205c
Instruction Fuzzy Hash: 9B018E31520228EEDB219F11DC44FAEBBB4FF85361F108099E848D6151DB309AA0DF60

Function 0029007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc9b4f538186f0c3e45d2d3c3c54c2d4128999afc7c92d05243de56fbc3e1c89
Instruction ID: 7bfc3806f2123f12c46fab009617f3905ea179f87078602d7354350182d13cd8
Opcode Fuzzy Hash: fc9b4f538186f0c3e45d2d3c3c54c2d4128999afc7c92d05243de56fbc3e1c89
Instruction Fuzzy Hash: 76C17B75A1021AEFDB14CFA4C898EAEB7B5FF48304F208598E905EB251C771ED91CB90

Function 002B342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002B3459
CoUninitialize.OLE32 ref: 002B3463
VariantInit.OLEAUT32(?), ref: 002B346E
VariantClear.OLEAUT32(?), ref: 002B371B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: db41bf22b63c2798198f07ab4825f98b6d4ae9575551f68530b49bb72c943434
Instruction ID: 9edd4a551214b6e62e5569473a9915976e7538a0aa471d551390742b05cfcc54
Opcode Fuzzy Hash: db41bf22b63c2798198f07ab4825f98b6d4ae9575551f68530b49bb72c943434
Instruction Fuzzy Hash: A8A179B56243009FCB14DF28C485A6AB7E5FF88754F148859F98A9B362DB30EE11CF91

Function 00290436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002CFC08,?), ref: 002905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002CFC08,?), ref: 00290608
CLSIDFromProgID.OLE32(?,?,00000000,002CCC40,000000FF,?,00000000,00000800,00000000,?,002CFC08,?), ref: 0029062D
_memcmp.LIBVCRUNTIME ref: 0029064E

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 106a40b7457066599c2ca1edf8c4d820c321d822516c1b8373253186957d1439
Instruction ID: 087547d1e06024660783c0d0d653eb728e51dc54da48049a595bdc29ed06a090
Opcode Fuzzy Hash: 106a40b7457066599c2ca1edf8c4d820c321d822516c1b8373253186957d1439
Instruction Fuzzy Hash: 0B810971A1010AEFCF04DF94C984EEEB7B9FF89315F204598E516AB250DB71AE16CB60

Function 00271391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002714C0

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 05cd09bbc7af4bc3658d58b480b7480670cc2b3484c38ea63c3e49dbdfcdfa44
Instruction ID: 7a469469a40b85ef6045679160f1af26db8c784afec493b7c9082b2a11b29f7d
Opcode Fuzzy Hash: 05cd09bbc7af4bc3658d58b480b7480670cc2b3484c38ea63c3e49dbdfcdfa44
Instruction Fuzzy Hash: 8B418072630101ABDB257FFD9C46ABE3AA5EF41370F24C225FC1DD3191EA7448B15A61

Function 002C6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002C62E2
ScreenToClient.USER32(?,?), ref: 002C6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 002C6382

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 3067778ce47e126defe018a18cd4692862bdff8ebb13fa7bd5b5927c7b672a8f
Instruction ID: fc88ea823dab4aa737eccec71aed027e285bd7eb064cf1eb253cceabe07f5199
Opcode Fuzzy Hash: 3067778ce47e126defe018a18cd4692862bdff8ebb13fa7bd5b5927c7b672a8f
Instruction Fuzzy Hash: 02514D7091024AEFCB10DF54D988EAE7BB5EF45760F10829DF81597290D730ED51CB90

Function 002B1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 002B1AFD
WSAGetLastError.WSOCK32 ref: 002B1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002B1B8A
WSAGetLastError.WSOCK32 ref: 002B1B94

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 802edfb279602066cdafee6297ad1325f05073c5d5aa4aea54a8dac0e5f39199
Instruction ID: 973ec51e54c5ac0f116e7334b28e798021430419c341d77c3547d0990895fc78
Opcode Fuzzy Hash: 802edfb279602066cdafee6297ad1325f05073c5d5aa4aea54a8dac0e5f39199
Instruction Fuzzy Hash: B841D274610201AFE720AF24C886F6A77E5AB44718F94C44CFA1A9F7D3D772DD628B90

Function 0026B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b36da8ea2ecc12751c4f619bb872de1bba8c69939091c108164212440aaefe93
Instruction ID: 924ce84220e32e20e885e96bfd2256c9d6d82e40ec7aeba14a0dd2fd8ac27747
Opcode Fuzzy Hash: b36da8ea2ecc12751c4f619bb872de1bba8c69939091c108164212440aaefe93
Instruction Fuzzy Hash: E8412D71920714BFD725AF38CC41BAABBE9EF88710F10452AF546DB2D1D77199E18B80

Function 002A56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002A5783
GetLastError.KERNEL32(?,00000000), ref: 002A57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002A57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002A57FA

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ae7f67e021b930458594bc2f82e5a3ef0e5fd7273071d29c1714bfe408447bb2
Instruction ID: bfd8f8dc03ff6208831856353e0ab3cdc21992f00aed1b40eb75f750383da418
Opcode Fuzzy Hash: ae7f67e021b930458594bc2f82e5a3ef0e5fd7273071d29c1714bfe408447bb2
Instruction Fuzzy Hash: 82411B79610611DFCF25DF15C444A1ABBE1AF89320F198488EC4A6B362CB34FD51CF91

Function 0026D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00256D71,00000000,00000000,002582D9,?,002582D9,?,00000001,00256D71,?,00000001,002582D9,002582D9), ref: 0026D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0026D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0026D9AB
__freea.LIBCMT ref: 0026D9B4

Part of subcall function 00263820: RtlAllocateHeap.NTDLL(00000000,?,00301444,?,0024FDF5,?,?,0023A976,00000010,00301440,002313FC,?,002313C6,?,00231129), ref: 00263852

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 202b46d94498e76fb3d8a14c5842971f21e78ab52d12a1b3ef6cd2a6fda7753f
Instruction ID: 8896b6275a9928c35c989add2f164f90482540b51e7f9742c5c30c6d9634b97a
Opcode Fuzzy Hash: 202b46d94498e76fb3d8a14c5842971f21e78ab52d12a1b3ef6cd2a6fda7753f
Instruction Fuzzy Hash: 5331BE72A2120AABDF24DF65DC85EAF7BA5EF41310B154168FC08D7250EB35DDA4CBA0

Function 002C52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 002C5352
GetWindowLongW.USER32(?,000000F0), ref: 002C5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002C5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002C53A8

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f98c857a35015883743fadfbcc640f5efcf5dae7626d9ed41c8d46ad632e0112
Instruction ID: 9d7f16dd6a0c5b57201ffb15e1e4f2a661a864ebface169022d71762a7811f22
Opcode Fuzzy Hash: f98c857a35015883743fadfbcc640f5efcf5dae7626d9ed41c8d46ad632e0112
Instruction Fuzzy Hash: D531C134A75AA9AFEB249E14CC15FE87765AB04390F58428AFA10971E1C7B0F9E09B41

Function 0029AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0029ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0029AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0029AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0029ACC6

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d7a3c3018dd1e3b0157b30076673eab7571f55ffd5ff8eb9d10dd07f6f60f261
Instruction ID: 9a405015baed22ac5fe170421def1a79e2ab06d1091278310730c6c3fb5fbeff
Opcode Fuzzy Hash: d7a3c3018dd1e3b0157b30076673eab7571f55ffd5ff8eb9d10dd07f6f60f261
Instruction Fuzzy Hash: A8313930A203196FEF35CF69CC08BFA7BA5AB89321F14471BE4855A1D0C37589A187D2

Function 002C7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002C769A
GetWindowRect.USER32(?,?), ref: 002C7710
PtInRect.USER32(?,?,002C8B89), ref: 002C7720
MessageBeep.USER32(00000000), ref: 002C778C

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 408ba0596b3f5d5992f38a9280eec37536e3e1629210b2d7506f9fd48b4d3fc2
Instruction ID: 39c8079e676f8652fb63695cefd5fe476373a387dd816a8a0631b55a905f7f9c
Opcode Fuzzy Hash: 408ba0596b3f5d5992f38a9280eec37536e3e1629210b2d7506f9fd48b4d3fc2
Instruction Fuzzy Hash: 1F417A34A152199FCB02CF68C894FA9B7F9BF49314F1942ADE8149B261C730A959CF90

Function 002C16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002C16EB

Part of subcall function 00293A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00293A57
Part of subcall function 00293A3D: GetCurrentThreadId.KERNEL32 ref: 00293A5E
Part of subcall function 00293A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002925B3), ref: 00293A65

GetCaretPos.USER32(?), ref: 002C16FF
ClientToScreen.USER32(00000000,?), ref: 002C174C
GetForegroundWindow.USER32 ref: 002C1752

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b7f4cd097725f7edbd3944a773049d599ba3d5ab2a9d396bd5c10ac6a9e820d8
Instruction ID: 35f5bf0ac86470dcf68030d0bfe22f59330ba8ed7a282d547f3d5421c017f155
Opcode Fuzzy Hash: b7f4cd097725f7edbd3944a773049d599ba3d5ab2a9d396bd5c10ac6a9e820d8
Instruction Fuzzy Hash: 8A3130B5D10149AFCB04EFA9C885DAEB7FDEF49304B5080AAE415E7212E7319E55CFA0

Function 0029D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0029D501
Process32FirstW.KERNEL32(00000000,?), ref: 0029D50F
Process32NextW.KERNEL32(00000000,?), ref: 0029D52F
CloseHandle.KERNEL32(00000000), ref: 0029D5DC

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 104a6134fa7795b41e152e6ca03b7323a248fa8f10ec6dfa42102412271d6699
Instruction ID: 2c1e22d8ca4b84cba0305e08756996edab4a3ad986f56d42fa9f094b8f6ada94
Opcode Fuzzy Hash: 104a6134fa7795b41e152e6ca03b7323a248fa8f10ec6dfa42102412271d6699
Instruction Fuzzy Hash: 7531DF711183019FD300EF64D885AAFBBE8EF99354F54082DF585821A1EBB19998CB92

Function 002C8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

GetCursorPos.USER32(?), ref: 002C9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00287711,?,?,?,?,?), ref: 002C9016
GetCursorPos.USER32(?), ref: 002C905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00287711,?,?,?), ref: 002C9094

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: cb027a3dbe5eff0de478a6d9b7a4aaec669ca4ab4eb3e97ccdf4a3012eba7d74
Instruction ID: d4993bea84d56e0dccaca4e3f7be99624831dbef6d183ab2a384bac84645caa7
Opcode Fuzzy Hash: cb027a3dbe5eff0de478a6d9b7a4aaec669ca4ab4eb3e97ccdf4a3012eba7d74
Instruction Fuzzy Hash: 9C219F35611018EFCB268F94DC5CFEA7BB9EF89350F144169F90557261C33199A0DB60

Function 0029D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002CCB68), ref: 0029D2FB
GetLastError.KERNEL32 ref: 0029D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0029D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002CCB68), ref: 0029D376

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9730f31024bebdf7a84cd78a6e05787b43aa4cc27aae5b576d140733ca8c45b2
Instruction ID: 682d8b9d6aa6aa08547022eb695366acdf744092b89975be89b8154e9983b27b
Opcode Fuzzy Hash: 9730f31024bebdf7a84cd78a6e05787b43aa4cc27aae5b576d140733ca8c45b2
Instruction Fuzzy Hash: B621A370528202DF8B00DF24D88586AB7E4EF56365F204A5DF899C32A1D730D956DF97

Function 00291571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00291014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0029102A
Part of subcall function 00291014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00291036
Part of subcall function 00291014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00291045
Part of subcall function 00291014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0029104C
Part of subcall function 00291014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00291062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002915BE
_memcmp.LIBVCRUNTIME ref: 002915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00291617
HeapFree.KERNEL32(00000000), ref: 0029161E

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c215d7141a59c8b3b28f266c2f3fab98af001974d4b5c400b6b4bfb4d938927d
Instruction ID: 5821e07f19d545b447190922f445654540d7f40ece3747d719ef65186fce3dc1
Opcode Fuzzy Hash: c215d7141a59c8b3b28f266c2f3fab98af001974d4b5c400b6b4bfb4d938927d
Instruction Fuzzy Hash: 0021AF71E5010AEFDF00DFA6C949BEEB7B8EF44344F194459E445AB241E770AE25CBA0

Function 002C2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 002C280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002C2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 002C2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002C2840

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: dfd3df7add3affd28548e9fdb5f549ca95252590aaa26032eb7584af9b17bebb
Instruction ID: 89897d1e7b161058015ecfb1043c5f6b9fa31917cac406a143df775df7a27627
Opcode Fuzzy Hash: dfd3df7add3affd28548e9fdb5f549ca95252590aaa26032eb7584af9b17bebb
Instruction Fuzzy Hash: AF21B031214511EFD7149F24C884FAABB99AF85324F24825CF42A8B6E2CB71EC56CBD0

Function 002978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00298D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0029790A,?,000000FF,?,00298754,00000000,?,0000001C,?,?), ref: 00298D8C
Part of subcall function 00298D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00298DB2
Part of subcall function 00298D7D: lstrcmpiW.KERNEL32(00000000,?,0029790A,?,000000FF,?,00298754,00000000,?,0000001C,?,?), ref: 00298DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00298754,00000000,?,0000001C,?,?,00000000), ref: 00297923
lstrcpyW.KERNEL32(00000000,?), ref: 00297949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00298754,00000000,?,0000001C,?,?,00000000), ref: 00297984

Strings

cdecl, xrefs: 0029797B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 743d967651af97eb8aa1357247f52d40867a5840c6be77cf138bc0ba5716eb20
Instruction ID: cde38054561493d663c15765071b1b001660cedec4a256dfc7d53116ee284875
Opcode Fuzzy Hash: 743d967651af97eb8aa1357247f52d40867a5840c6be77cf138bc0ba5716eb20
Instruction Fuzzy Hash: 1111293A220342AFDF155F39D848E7B77A5FF85350B10402AF906C7264EF719821CB61

Function 002C7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 002C7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 002C7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002C7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002AB7AD,00000000), ref: 002C7D6B

Part of subcall function 00249BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00249BB2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 13e2644667728cfb6790a21a2bffd2af53f2d9893bf13f95b0a9622e3b795f6f
Instruction ID: 9c81b4a7cafdf402a85491fd38ac539dd6f2bab4dc618baacd7b4d4bca57781c
Opcode Fuzzy Hash: 13e2644667728cfb6790a21a2bffd2af53f2d9893bf13f95b0a9622e3b795f6f
Instruction Fuzzy Hash: 3F11A231525616AFCB119F28DC08F663BA9AF45360F254729F83AD72F0D7309960CF90

Function 002C5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 002C56BB
_wcslen.LIBCMT ref: 002C56CD
_wcslen.LIBCMT ref: 002C56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 002C5816

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 19736fefc338a2ce493f11c68f4ca5310f20b7aee2b549fe141ebb912ff7a6bd
Instruction ID: 4bda4770c46a0353dfbb8e49b8ebe99da3578d727baf2da225d2e7b70d82b455
Opcode Fuzzy Hash: 19736fefc338a2ce493f11c68f4ca5310f20b7aee2b549fe141ebb912ff7a6bd
Instruction Fuzzy Hash: F311E43162062996DB209F61CC85FEE77ACBF10364B20426EF905D6081E7B0EAE4CF60

Function 00261D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1837119fa89693ade6656b98c099879549ba47fbdf92e8033228049d6eabd04b
Instruction ID: fc3c2adae5df51b3b93d13e6bd6751a691a36ce6f04cbe3b22a36de4b6a1b084
Opcode Fuzzy Hash: 1837119fa89693ade6656b98c099879549ba47fbdf92e8033228049d6eabd04b
Instruction Fuzzy Hash: 8801D6B2626A17BEF7112A787CC1F27661CDF817B8F380325F525511D2DBA0ACB09570

Function 00291A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00291A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00291A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00291A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00291A8A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 94a63abc361a176240074d79c6cfb8082ca347be8b6f96c27f68c1ef5ae1f53d
Instruction ID: 01ca418151412f347fea14602407496e92d3abe2d2a8c820622016952606ea76
Opcode Fuzzy Hash: 94a63abc361a176240074d79c6cfb8082ca347be8b6f96c27f68c1ef5ae1f53d
Instruction Fuzzy Hash: 7411093AD0121AFFEF11DBA5CD85FADBB78EB08750F200091EA04B7294D6716E60DB94

Function 0029E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0029E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0029E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0029E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0029E24D

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 38c6c27305140a4ed17f79497e5e805a2d93885d9931db215dfe9dcd3dde2933
Instruction ID: 6a2f6b794472c2421c379e9bcfcae24b7efdbacdba3ed75f0d6d480fb7275b36
Opcode Fuzzy Hash: 38c6c27305140a4ed17f79497e5e805a2d93885d9931db215dfe9dcd3dde2933
Instruction Fuzzy Hash: 2511C476D14259BBCF01DFA8AC09E9E7FACEB45720F15425AF928E3291D6B08D1487A0

Function 0025D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0025CFF9,00000000,00000004,00000000), ref: 0025D218
GetLastError.KERNEL32 ref: 0025D224
__dosmaperr.LIBCMT ref: 0025D22B
ResumeThread.KERNEL32(00000000), ref: 0025D249

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: cbb2932cf3b9de8f4dd2ec48119ab95b112f89a25f0cb98dc5aa1a6b5d1e017a
Instruction ID: f61657f34f432800b4121d0f5553f6757d4b22426bd764ff333d9518bf01b6ba
Opcode Fuzzy Hash: cbb2932cf3b9de8f4dd2ec48119ab95b112f89a25f0cb98dc5aa1a6b5d1e017a
Instruction Fuzzy Hash: C0012632425205BBC7215FA5EC09BAE7A69DF81332F204219FC29D20D1DBB0C829CAA4

Function 0023600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0023604C
GetStockObject.GDI32(00000011), ref: 00236060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0023606A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: dc16de0b85a3bc30f436292714e2b39f91f2e33b054c1ba16697543ef0f632d6
Instruction ID: b142679084795f8b1993c6496910901c79f815fe1667e83619ee9ffd34f8577a
Opcode Fuzzy Hash: dc16de0b85a3bc30f436292714e2b39f91f2e33b054c1ba16697543ef0f632d6
Instruction Fuzzy Hash: ED11ADB2511509BFEF164FA49C49EEABB6DFF093A4F144202FA0892010C732DC60DBA0

Function 00253B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00253B56

Part of subcall function 00253AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00253AD2
Part of subcall function 00253AA3: ___AdjustPointer.LIBCMT ref: 00253AED

_UnwindNestedFrames.LIBCMT ref: 00253B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00253B7C
CallCatchBlock.LIBVCRUNTIME ref: 00253BA4

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 9c2d85f5e6f345e7d85ea113304ef6322dad36b35c4a3a1d2b01dfc71f8444d6
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: C2012932110149BBDF12AE95CC46EEB7B69EF48799F044014FE4896121C732E975DFA4

Function 00263073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002313C6,00000000,00000000,?,0026301A,002313C6,00000000,00000000,00000000,?,0026328B,00000006,FlsSetValue), ref: 002630A5
GetLastError.KERNEL32(?,0026301A,002313C6,00000000,00000000,00000000,?,0026328B,00000006,FlsSetValue,002D2290,FlsSetValue,00000000,00000364,?,00262E46), ref: 002630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0026301A,002313C6,00000000,00000000,00000000,?,0026328B,00000006,FlsSetValue,002D2290,FlsSetValue,00000000), ref: 002630BF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 9e01632ac51724035c186568a2a3df2d5d1327964aa829e1fc67b9b3e3f759e8
Instruction ID: 6da9a9449c69a6d87ebfc5158724dad17129b092c16a9b82e48fb026f7ea12bb
Opcode Fuzzy Hash: 9e01632ac51724035c186568a2a3df2d5d1327964aa829e1fc67b9b3e3f759e8
Instruction Fuzzy Hash: 0501AC32771223ABC731CF79AC48D577798DF45761B250620F919D7180D721D959C6D0

Function 00297464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0029747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00297497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002974CA

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c8d2e305cb0ac554ebf832752f8d4f1da461b82616286bc85cb93ae5b079e7d0
Instruction ID: b4aac2480951cd2b26ae42c2bd90a4159a9432a98aeb0d91f0d626a0f4e032a1
Opcode Fuzzy Hash: c8d2e305cb0ac554ebf832752f8d4f1da461b82616286bc85cb93ae5b079e7d0
Instruction Fuzzy Hash: 08116DB5625315ABFB308F14EC09F967BFCEF00B04F208569E65AD6192D7B0E914DBA0

Function 0029B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0029ACD3,?,00008000), ref: 0029B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0029ACD3,?,00008000), ref: 0029B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0029ACD3,?,00008000), ref: 0029B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0029ACD3,?,00008000), ref: 0029B126

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 841854996649862eb634c84df6dbb4e5fd23577098c014aad7c5e9ff1fac1755
Instruction ID: c297563ca445acc79327da0482459f4b22e4b2e63b25720104aff5efb164e279
Opcode Fuzzy Hash: 841854996649862eb634c84df6dbb4e5fd23577098c014aad7c5e9ff1fac1755
Instruction Fuzzy Hash: 30118B30C2062DE7CF01AFE5FA68AEEBF78FF09310F114095D949B2181CB7046608B91

Function 002C7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002C7E33
ScreenToClient.USER32(?,?), ref: 002C7E4B
ScreenToClient.USER32(?,?), ref: 002C7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002C7E8A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 91cea487d2770fcd1d2701c1fa133a1b984299046c240d11dcf97e85102b4357
Instruction ID: f2224544244016523b09b5b8b14a6508213973b75961cb84f0f1362a78ef3c2c
Opcode Fuzzy Hash: 91cea487d2770fcd1d2701c1fa133a1b984299046c240d11dcf97e85102b4357
Instruction Fuzzy Hash: 9A1156B9D0020AAFDB41DF98D984AEEBBF9FF08310F505156E915E3210D735AA55CF50

Function 00292DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00292DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00292DD6
GetCurrentThreadId.KERNEL32 ref: 00292DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00292DE4

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: fe35cabe7728eea261a5b8206062224ca40c67a7d45a2341cb449a3f0b60eb82
Instruction ID: 8f9fc16356e4df1da08d8b4b1ddcbc57fdacc6270fe889b02f1e8abb3f5ccd7a
Opcode Fuzzy Hash: fe35cabe7728eea261a5b8206062224ca40c67a7d45a2341cb449a3f0b60eb82
Instruction Fuzzy Hash: E3E09271511224BBDB201F73AC0DFEB3E6CEF83BA1F200015F10AD10809AA0C845C6B0

Function 002C8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00249639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00249693
Part of subcall function 00249639: SelectObject.GDI32(?,00000000), ref: 002496A2
Part of subcall function 00249639: BeginPath.GDI32(?), ref: 002496B9
Part of subcall function 00249639: SelectObject.GDI32(?,00000000), ref: 002496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 002C8887
LineTo.GDI32(?,?,?), ref: 002C8894
EndPath.GDI32(?), ref: 002C88A4
StrokePath.GDI32(?), ref: 002C88B2

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 65e142a1477ab5889d8b03cf788dbd7a23365e8cf852db02fba0fe71e1ca138a
Instruction ID: a2887ed0bc9b9d078622c6188398327bbc30da5a77cf1db7c3f5c82ae720a523
Opcode Fuzzy Hash: 65e142a1477ab5889d8b03cf788dbd7a23365e8cf852db02fba0fe71e1ca138a
Instruction Fuzzy Hash: C9F0B836012259FAEB126F94AC0EFCE3F29AF06310F148204FA15610E2C7B41520CFE9

Function 002498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002498CC
SetTextColor.GDI32(?,?), ref: 002498D6
SetBkMode.GDI32(?,00000001), ref: 002498E9
GetStockObject.GDI32(00000005), ref: 002498F1

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: f6be3e688e0002e93ed59677e25c8ad5af2380fdc528c64bc65b1abf8e076cef
Instruction ID: 0076230eb4eb8c78ba0bc3f549094c9eb70d68ef79c97a3224f2060be14ade06
Opcode Fuzzy Hash: f6be3e688e0002e93ed59677e25c8ad5af2380fdc528c64bc65b1abf8e076cef
Instruction Fuzzy Hash: 9BE06D31644280AEDB215F75BC0DFE93F20AB12376F288219F6FE980E1C3B186909F10

Function 0029162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00291634
OpenThreadToken.ADVAPI32(00000000,?,?,?,002911D9), ref: 0029163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002911D9), ref: 00291648
OpenProcessToken.ADVAPI32(00000000,?,?,?,002911D9), ref: 0029164F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9f44e3f9c058802dc9844b5b1b58c760bc379d9752f436abe169fb548bf313c2
Instruction ID: 4ff5ba356f35466728a6976659e047ae91e470f92ff547c4f2764b9ef9905bdd
Opcode Fuzzy Hash: 9f44e3f9c058802dc9844b5b1b58c760bc379d9752f436abe169fb548bf313c2
Instruction Fuzzy Hash: A6E08671A01212DBDB201FA1BD0DF463B7CBF44791F284808F74DC9080D6348451C750

Function 0028D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0028D858
GetDC.USER32(00000000), ref: 0028D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0028D882
ReleaseDC.USER32(?), ref: 0028D8A3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1b99f3bdd3bddeb8e68ff36d4252c49d486851b46f661c24bdb20b610e41a1b9
Instruction ID: b27447022e76b9fa8fa292be817c343a20f557126b90177d6607e49a6c65ad64
Opcode Fuzzy Hash: 1b99f3bdd3bddeb8e68ff36d4252c49d486851b46f661c24bdb20b610e41a1b9
Instruction Fuzzy Hash: C9E04FB4810204DFCF41AFA0E90CA6DBBB5FB48310F348009F85EE7250C7798912AF40

Function 0028D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0028D86C
GetDC.USER32(00000000), ref: 0028D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0028D882
ReleaseDC.USER32(?), ref: 0028D8A3

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 40d5b2751dc1ac47464abd7608fdcf4b2a0497219e546157a52359d074ab2eb4
Instruction ID: 8819a4e68e614dcdc64b053ef775cd3c95f465ae319e446c100086455db8ec08
Opcode Fuzzy Hash: 40d5b2751dc1ac47464abd7608fdcf4b2a0497219e546157a52359d074ab2eb4
Instruction Fuzzy Hash: E0E09AB5810204DFCB519FA0E90CA6DBBB5BB48311F349449E95EE7250C77959129F50

Function 002A4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00237620: _wcslen.LIBCMT ref: 00237625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 002A4ED4

Strings

*, xrefs: 002A4E10
LPT, xrefs: 002A4DFB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: d9cf81518f121712ff77afece6c312125028ebc880276e0563451963bb47b4c2
Instruction ID: ca902eca0690b6e3f85c83431fce98f5a031e3a688fc97097076c95e15620606
Opcode Fuzzy Hash: d9cf81518f121712ff77afece6c312125028ebc880276e0563451963bb47b4c2
Instruction Fuzzy Hash: ED917075A102059FCB14DF58C484EAABBF1BF89304F148099E80A9F762CBB1ED95CF90

Function 0025E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0025E30D

Strings

pow, xrefs: 0025E2E5, 0025E302

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 6f657574ee1df76c01392148252701cb3d36de30f2e11aabec5824b275044044
Instruction ID: 47b4f7b1b7995c376535bac5db63de682f72063a917f03881b7db4feba02d1be
Opcode Fuzzy Hash: 6f657574ee1df76c01392148252701cb3d36de30f2e11aabec5824b275044044
Instruction Fuzzy Hash: FE51BD61E3C203A6CF197F14E9013793B94AF50746F304D99E8D1822E9EB358DFD8A4A

Function 002B7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0028569E,00000000,?,002CCC08,?,00000000,00000000), ref: 002B78DD

Part of subcall function 00236B57: _wcslen.LIBCMT ref: 00236B6A

CharUpperBuffW.USER32(0028569E,00000000,?,002CCC08,00000000,?,00000000,00000000), ref: 002B783B

Strings

<s/, xrefs: 002B77C8

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s/
API String ID: 3544283678-2113131146
Opcode ID: 6ea81a25670a0cbbcbc41ce371b0e4353dc41e3f0d7a26e449d1abeca6087c20
Instruction ID: 0121eeaa0d52fc4c59fb330b6a0f1b24cfd1b58a4edbc701cf57a7ccce864021
Opcode Fuzzy Hash: 6ea81a25670a0cbbcbc41ce371b0e4353dc41e3f0d7a26e449d1abeca6087c20
Instruction Fuzzy Hash: B56168B2934119AACF04EBA4CC95DFDB378BF54740F544129E642B3091EF60AA69DFA0

Function 0024E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0024E1B1

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 338ea66513f3012d1967e3cd158bd168cb247b29a36452b076a86ed29aadb3e0
Instruction ID: 3349fefc39ed9f29f550f5a2c7e907fc4f9776f4c8b358a49c22bf98e43bac3d
Opcode Fuzzy Hash: 338ea66513f3012d1967e3cd158bd168cb247b29a36452b076a86ed29aadb3e0
Instruction Fuzzy Hash: C8518778625243DFEF18EF24C481ABABBA4FF25310F254055EC919B2D0D7709D62CB90

Function 0024F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0024F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0024F2BB

Strings

@, xrefs: 0024F2AF

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: fb7f3cf2b92d805f5c85aa237ee936564e1c86cefa05099bc210047c53c958bb
Instruction ID: dc88cb9425ed3f1d73255ef9f25bd6b24a18c62f7f997e982cf78dd096415d46
Opcode Fuzzy Hash: fb7f3cf2b92d805f5c85aa237ee936564e1c86cefa05099bc210047c53c958bb
Instruction Fuzzy Hash: 495137B14187489BD320AF11E886BAFBBF8FB84300F91885DF1D9511A5EB708539CB66

Function 002B5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 002B57E0
_wcslen.LIBCMT ref: 002B57EC

Strings

CALLARGARRAY, xrefs: 002B57E6, 002B57EB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 6ab1c6adce4bb6283596efd1cc6e3a633ab7a97bb9704b1a7c4f143733c6cd09
Instruction ID: b72594fa9ccf7a9ffbf028289b8a6b400240815cb13d08ce70b476fd7d4c3678
Opcode Fuzzy Hash: 6ab1c6adce4bb6283596efd1cc6e3a633ab7a97bb9704b1a7c4f143733c6cd09
Instruction Fuzzy Hash: 8141B071A201199FCF14DFA8C885AEEBBB5FF59360F144029E505AB251E7709DA1CF90

Function 002AD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002AD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002AD13A

Strings

|, xrefs: 002AD10B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d083e492ad99384187b4d58a155c5e333b8401a2cc674a3f3f0713910d153904
Instruction ID: 2c35eef4c9a14f484972ee5c2d37a05340f7608080176ff4db46777cc779c388
Opcode Fuzzy Hash: d083e492ad99384187b4d58a155c5e333b8401a2cc674a3f3f0713910d153904
Instruction Fuzzy Hash: 01311BB1D10109ABCF15EFA4CC85EEEBFB9FF09300F104059E819A6165DB35AA66DF50

Function 002C356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002C3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002C365C

Strings

static, xrefs: 002C35BC

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 59d9684167f09ecd6b20221a0fe1487aa2caa9bf41fcf13632d5d6fa18bd7b81
Instruction ID: 58dbeb329cb5a96602f7f4437dd1fa0d00a01a57e599343d4a79bd21f9d9f5c0
Opcode Fuzzy Hash: 59d9684167f09ecd6b20221a0fe1487aa2caa9bf41fcf13632d5d6fa18bd7b81
Instruction Fuzzy Hash: 32319E71120204AADB10DF24D880FBB73ADFF88760F10961DF86997280DA31ADA18B64

Function 002C4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 002C461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002C4634

Strings

', xrefs: 002C458E

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: a8026149cc1e711b28d8ea9d93d0c27fea338a58d8fe003071fbaef5f9e0520d
Instruction ID: 9ff2225095f885874f24a340b4c92bd7e8f86b76f22747dfa61b574dfd389fdf
Opcode Fuzzy Hash: a8026149cc1e711b28d8ea9d93d0c27fea338a58d8fe003071fbaef5f9e0520d
Instruction Fuzzy Hash: 83316974A1020A9FDB04DF68C9A0FDABBB9FF19340F20016AE904AB345D770A911CF90

Function 002C31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002C327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002C3287

Strings

Combobox, xrefs: 002C3249

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 65d9181d52117817a3d391fe8f83dfa92ff50449ae469a6bb0b0ea5815f7e4ef
Instruction ID: e760feddada161ef3e5c0afe2f558bff6f86fb515135356642c6dac36f9cdf0f
Opcode Fuzzy Hash: 65d9181d52117817a3d391fe8f83dfa92ff50449ae469a6bb0b0ea5815f7e4ef
Instruction Fuzzy Hash: BC1122713202097FFF25DE54DC80FBB376EEB843A0F208628F91897290C6719D608B60

Function 002C3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0023600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0023604C
Part of subcall function 0023600E: GetStockObject.GDI32(00000011), ref: 00236060
Part of subcall function 0023600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0023606A

GetWindowRect.USER32(00000000,?), ref: 002C377A
GetSysColor.USER32(00000012), ref: 002C3794

Strings

static, xrefs: 002C3757

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 5835b36a04f627dfd248a15eecd97dd646355ceda9f001de794138f318e7dbcd
Instruction ID: 492564ef84d200fbb49cea8fe982e153c89d556932717d5b41d290f01fed4a2d
Opcode Fuzzy Hash: 5835b36a04f627dfd248a15eecd97dd646355ceda9f001de794138f318e7dbcd
Instruction Fuzzy Hash: CC116DB262020AAFDF01DFA8CC49EEA7BF8FB08314F104A18F955E2250D775E865DB50

Function 002ACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002ACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002ACDA6

Strings

<local>, xrefs: 002ACD66

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 8219e67be180144790828cf1a79c9f5a147e0aa4c9ca38a98b110a2be155599d
Instruction ID: c155dcf9fc19bb6e224e0df658d1f4d9b7453e0871d1d5b962b7f1c812b51416
Opcode Fuzzy Hash: 8219e67be180144790828cf1a79c9f5a147e0aa4c9ca38a98b110a2be155599d
Instruction Fuzzy Hash: 1011A371625A36BBD7284B668C49EE7BE6CEB137A4F204236B11982180DB609864D6F0

Function 002C3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002C34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002C34BA

Strings

edit, xrefs: 002C348F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 50817d131ef5d70fcf67013a9b989524ce378644c01cf2d4fc4cd701245fd532
Instruction ID: c8e14f3a5ab28b9856e44217939c4efb833af21a3a9dde0ce678abaaab2bd227
Opcode Fuzzy Hash: 50817d131ef5d70fcf67013a9b989524ce378644c01cf2d4fc4cd701245fd532
Instruction Fuzzy Hash: 9C116D71120109AAEB269E64DC44FAB376AEB05374F608B28F965931D0C771DD619B50

Function 00296C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

CharUpperBuffW.USER32(?,?,?), ref: 00296CB6
_wcslen.LIBCMT ref: 00296CC2

Strings

STOP, xrefs: 00296CBC, 00296CC1

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f8223d902a7db2f1cd460477c6c6c7dac51eb00053ac3152fd434b11cdbdc186
Instruction ID: 9876007a351fe188ccb4faece6f1cc26d4532bb36d418f42676bb9317d33a2f2
Opcode Fuzzy Hash: f8223d902a7db2f1cd460477c6c6c7dac51eb00053ac3152fd434b11cdbdc186
Instruction Fuzzy Hash: B20104326345278ACF21AFFDDC888BF77E4EE61710B100535F86292190EA71D860CA50

Function 00291CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 00293CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00293CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00291D4C

Strings

ListBox, xrefs: 00291D16
ComboBox, xrefs: 00291CEB

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 39a652e96138c05c696341dbecfea54b37edad6a267330219ac04d7183b51d4c
Instruction ID: e74e02d0d025887a53ab2a3729dcd7848668c2ef43c9b923c32cf2dcedce0d9a
Opcode Fuzzy Hash: 39a652e96138c05c696341dbecfea54b37edad6a267330219ac04d7183b51d4c
Instruction Fuzzy Hash: 5301D871621219AB8F08EFA4CD55CFE7768FF47390F14091AF822572C1EA705938CA70

Function 00291BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 00293CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00293CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00291C46

Strings

ListBox, xrefs: 00291C10
ComboBox, xrefs: 00291BE5

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7cba813d4549cff8251d0e7971763e1767f460391aff20dacca83596986cc36d
Instruction ID: cb3bd02765cfd7c074727603a97acf8bd4a93b64b86e41887fc6fa58f4d4b3f4
Opcode Fuzzy Hash: 7cba813d4549cff8251d0e7971763e1767f460391aff20dacca83596986cc36d
Instruction Fuzzy Hash: 8D01F7B16A410966CF08EB90CA51DFF77A89F56340F10001BF50663281EAA09E38CAB2

Function 00291C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 00293CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00293CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00291CC8

Strings

ListBox, xrefs: 00291C94
ComboBox, xrefs: 00291C69

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bc9ed26aee65f71be61a7b476103cbee62aac4de6d5d56f0e909e195e3d3ef1b
Instruction ID: 1f91e7bf58597a12a5cc738e69beb6c252cfa8ddeef7c93bd6cda8fd885a1f98
Opcode Fuzzy Hash: bc9ed26aee65f71be61a7b476103cbee62aac4de6d5d56f0e909e195e3d3ef1b
Instruction Fuzzy Hash: D901DBB566011967CF04EB91CA01EFE77AC9F12340F540417B90173281EAA09F38CA72

Function 0024A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0024A529

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Strings

3y(, xrefs: 0024A545, 0024A54D, 0024A552
,%0, xrefs: 0024A509

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%0$3y(
API String ID: 2551934079-2701437296
Opcode ID: ca6ed3c8556d8b0ad41aefa9ac3f6259c2d062e1599ceda166e91588a4678074
Instruction ID: 8017e00ff2781a81945538b3b165445f928835dd4c32ca5d83d90ea924b50472
Opcode Fuzzy Hash: ca6ed3c8556d8b0ad41aefa9ac3f6259c2d062e1599ceda166e91588a4678074
Instruction Fuzzy Hash: F8019E31BB161087C509F768ED6BB5D7318CB07710F800019F9061B1C3DEA09D658F9B

Function 00291D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00239CB3: _wcslen.LIBCMT ref: 00239CBD

Part of subcall function 00293CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00293CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00291DD3

Strings

ListBox, xrefs: 00291DA0
ComboBox, xrefs: 00291D75

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7a8cadbc962b4d3a1ef66c68d585033d6b13b54714a4b618cb14fa3efaad11b4
Instruction ID: 7c9501dc2ef5415f6d1e071a03aad404f0fccc895fa617fbc9c2e2e0a697972b
Opcode Fuzzy Hash: 7a8cadbc962b4d3a1ef66c68d585033d6b13b54714a4b618cb14fa3efaad11b4
Instruction Fuzzy Hash: B2F0F4B1A7021966CF08EBA4CD52EFE7768AF03340F040916F922A32C1DAA059388A70

Function 002C8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00303018,0030305C), ref: 002C81BF
CloseHandle.KERNEL32 ref: 002C81D1

Strings

\00, xrefs: 002C818A

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \00
API String ID: 3712363035-1668810905
Opcode ID: 9a755d9617beeae92e3c980bfce754439e981bb85f83ddfd186ffa49f1a5ed02
Instruction ID: 2bc8fb0b6cf3dd87779adc5e5850bce42df09f6fea3a28a86a0d826f80504ca7
Opcode Fuzzy Hash: 9a755d9617beeae92e3c980bfce754439e981bb85f83ddfd186ffa49f1a5ed02
Instruction Fuzzy Hash: 07F05EF1652300BAF3216B65AC59FB73A5CEB05751F0044A2FF0DD61E2D6758A1486F8

Function 002B747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002B7493
_wcslen.LIBCMT ref: 002B74B9

Strings

3, 3, 16, 1, xrefs: 002B7483

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b9bb0437da4a41708355aff23d3743ea5573cdab41d1c94c5ff9317b039fe7f5
Instruction ID: a2a936619a4c7ee8abf9befe8f3c4a060a4a2674af27544266b8bc6338d1726d
Opcode Fuzzy Hash: b9bb0437da4a41708355aff23d3743ea5573cdab41d1c94c5ff9317b039fe7f5
Instruction Fuzzy Hash: 9EE02B0663426120923126799CC29BF96A9DFC57E2710182BFD81C2266EAA48DF193A4

Function 00290B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00290B23

Strings

AutoIt, xrefs: 00290B17
Error allocating memory., xrefs: 00290B1C

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: d54ccdc459e45bb779c126edd95866abd4ed48173f21c8ca0de01b086b12dcb3
Instruction ID: 2afc25971b4fa2590ea417bf6459d05a671f1fc5ec486fc6c9bfbe1bdaeb1709
Opcode Fuzzy Hash: d54ccdc459e45bb779c126edd95866abd4ed48173f21c8ca0de01b086b12dcb3
Instruction Fuzzy Hash: 03E0D8312643183AD2183A947D07FC9BA88CF05F65F20042AFB8C554C38AE124B00AED

Function 00250D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0024F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00250D71,?,?,?,0023100A), ref: 0024F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0023100A), ref: 00250D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0023100A), ref: 00250D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00250D7F

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c55ec67a51afc564009cfe4a8268cc21e4811e789dcf7e5d3fe65432d471e7a7
Instruction ID: 3c7df5fe82c272470b884474a77e767f7eea00b0dec89d6190c52ef4c5ce2cf1
Opcode Fuzzy Hash: c55ec67a51afc564009cfe4a8268cc21e4811e789dcf7e5d3fe65432d471e7a7
Instruction Fuzzy Hash: 94E092742113418BE3709FB8E948B42BBF4EF00741F004E2DE886C6655DBB4E4588FA1

Function 0024E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0024E3D5

Strings

8%0, xrefs: 0024E3CA
0%0, xrefs: 0024E3B5

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%0$8%0
API String ID: 1385522511-139278885
Opcode ID: f6392015eddf017735ed4ee89bf78d10ef8b225ef855e044c7745a86a1359e13
Instruction ID: 565ff734671484dc5f22a264d84439f87d2c09ff152d43528766309350b78d3d
Opcode Fuzzy Hash: f6392015eddf017735ed4ee89bf78d10ef8b225ef855e044c7745a86a1359e13
Instruction Fuzzy Hash: DAE08635436910CBDE0BAF18BCBDEAEB759BB06320F5111E6F512871D19B7028518B5D

Function 002A3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 002A302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 002A3044

Strings

aut, xrefs: 002A3038

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: cc1a669740b5f9103704971f7f20214ae33f2c056a0caecfaa89542f130d2b15
Instruction ID: 45862424dd1e37f3b2bbbb6f23eab620bc9b00b1756cb4db361a57e127746436
Opcode Fuzzy Hash: cc1a669740b5f9103704971f7f20214ae33f2c056a0caecfaa89542f130d2b15
Instruction Fuzzy Hash: EBD05E7250032867DA20E7A4AC0EFDB7A6CDB05750F0002A1BA59E2091DAB09984CAD1

Function 0028D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0028D220

Strings

X64, xrefs: 0028D2A8
%.3d, xrefs: 0028D22B

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 95b6cb8c4ae26872b4261da75a1e05db23e06ea5582fdef77ee0ca5c8bd00d14
Instruction ID: 3479d136be512e5a78463f4080a603683c0f6eefd3036d7240cec87321ef5982
Opcode Fuzzy Hash: 95b6cb8c4ae26872b4261da75a1e05db23e06ea5582fdef77ee0ca5c8bd00d14
Instruction Fuzzy Hash: 3FD0126583A108FACB90A6D0DC49CB9B37CEB09341F608462FD06920C5D6A4D53C6B61

Function 002C2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002C232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002C233F

Part of subcall function 0029E97B: Sleep.KERNELBASE ref: 0029E9F3

Strings

Shell_TrayWnd, xrefs: 002C2325

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a35cbccdedb1785441c541161f8d1a1cd81342392dc2ba0730adcbcf9cc1f66d
Instruction ID: f94f3edb1acc50107c73cd6aba79186cb435b260f9871142fb584084f7902797
Opcode Fuzzy Hash: a35cbccdedb1785441c541161f8d1a1cd81342392dc2ba0730adcbcf9cc1f66d
Instruction Fuzzy Hash: 48D022327E0300B7EA68B330EC0FFC6BA08DB00B00F200916B30AEA0D0C8F0A800CB00

Function 002C2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002C236C
PostMessageW.USER32(00000000), ref: 002C2373

Part of subcall function 0029E97B: Sleep.KERNELBASE ref: 0029E9F3

Strings

Shell_TrayWnd, xrefs: 002C2365

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3b77b01256dd833009bc9f43844c4883caa87fc8c43e1808d0da30fe91eef12b
Instruction ID: 0bd5a31fdcdc54043daf92025563c94a30a89dd6d092605b95872924759a04a9
Opcode Fuzzy Hash: 3b77b01256dd833009bc9f43844c4883caa87fc8c43e1808d0da30fe91eef12b
Instruction Fuzzy Hash: 6CD0A9327D03007AEA68B330AC0FFC6A6089B00B00F200916B30AEA0D0C8A0A800CA04

Function 0026BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0026BE93
GetLastError.KERNEL32 ref: 0026BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0026BEFC

Memory Dump Source

Source File: 00000000.00000002.2508022434.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2507988840.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508169895.00000000002F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508394316.00000000002FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2508478690.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 7c2a7cab147eac1deb9cd0c83d7cfac4e8545bf93a644c650471f734dd04b291
Instruction ID: 15d033c799097074c47ec56a3d2331627c874d4ae947a637de0815ae8b3a5663
Opcode Fuzzy Hash: 7c2a7cab147eac1deb9cd0c83d7cfac4e8545bf93a644c650471f734dd04b291
Instruction Fuzzy Hash: BE41E435624207AFCF228FA5CC44AAABBA5AF51310F244169F959DB5B1DB318CE1CF60

Source: global traffic	TCP traffic: 192.168.2.7:60320 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.7:55455 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 13.107.246.73 13.107.246.73
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 23.44.133.38 23.44.133.38

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /ppsecure/deviceaddcredential.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 7642Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4710Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4775Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4775Host: login.live.com
Source: global traffic	HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: /User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 4775Host: login.live.com
Source: global traffic	HTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: POST /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveContent-Length: 938Content-Type: application/reports+jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=oF7u3vXeOAtHhAh&MD=DLKkyNWD HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=oF7u3vXeOAtHhAh&MD=DLKkyNWD HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 51.104.136.2
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.71
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.71
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.71
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.81.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.81.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.81.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.81.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.81.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.81.238
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.71
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.71

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\1b3d88c0-ab2a-48a5-a0c0-f217361cb455.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\1f438701-fdb5-484e-b9c9-665ba401b177.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\4b1aae65-9646-4cbd-b859-6708119ca477.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\53dad864-d7d1-4bca-b00e-d346fb88d045.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\646d0f8f-5b21-49c2-8306-b688e9a070c1.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\95c250be-2d80-4416-ab42-66f0ec5c0d22.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\9ba62745-0b23-4d96-b801-b5c543a9f470.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D0A3AF-580.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D0A3B0-A98.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\3644440c-f6da-4d16-8b84-3b40725898b1.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\36f3149c-c249-4373-a2e1-9f042d28c24d.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\3931c9fb-2c94-41bd-82fb-de7ac27831bf.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\5715d350-d05b-4948-b9f7-2ab286f7804b.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\7758666c-e7b8-4ce9-9034-62e64f83dfd8.tmp

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre