Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1501435
MD5:	3fc1cbfeb55e51328b28e08a65ffc7de
SHA1:	24dc477ea6d87ece1b07a345eb16de89c55d6b36
SHA256:	681c6a6e99824e6130008ce25b9fe190dca553db173d9eec9207142e7c7f21c4
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5060 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3FC1CBFEB55E51328B28E08A65FFC7DE)

msedge.exe (PID: 528 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6976 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2076,i,13051042706878522089,9792886360243035223,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5340 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7560 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8616 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7444 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8628 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=8048 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9028 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8308 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=2136,i,8849430213272609994,7604835595753544960,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4304 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2548 --field-trial-handle=2136,i,8849430213272609994,7604835595753544960,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7972 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8596 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2500,i,17146880862222756229,18347558762585213172,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8032 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2692 --field-trial-handle=2500,i,17146880862222756229,18347558762585213172,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: file.exe, 00000000.00000002.3244086694.0000000000E73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_10.6.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_10.6.dr	String found in binary or memory: https://azureedge.net
Source: Reporting and NEL0.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: data_10.6.dr	String found in binary or memory: https://msn.com
Source: Web Data.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51828
Source: unknown	Network traffic detected: HTTP traffic on port 51828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:51827 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001DEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001DED6A

Source: C:\Users\user\Desktop\file.exe

0_2_001DEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001CAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001F9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_95fb654a-1
Source: file.exe, 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_88824354-f
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_83d53857-7
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f8f4427e-8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001CD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001C1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001CE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D2046	0_2_001D2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00168060	0_2_00168060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C8298	0_2_001C8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019E4FF	0_2_0019E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019676B	0_2_0019676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F4873	0_2_001F4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018CAA0	0_2_0018CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016CAF0	0_2_0016CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017CC39	0_2_0017CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00196DD9	0_2_00196DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017B119	0_2_0017B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001691C0	0_2_001691C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00181394	0_2_00181394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00181706	0_2_00181706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018781B	0_2_0018781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00167920	0_2_00167920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017997D	0_2_0017997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001819B0	0_2_001819B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00187A4A	0_2_00187A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00181C77	0_2_00181C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00187CA7	0_2_00187CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001EBE44	0_2_001EBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00199EEE	0_2_00199EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00181F32	0_2_00181F32
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016BF40	0_2_0016BF40

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00169CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0017F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00180A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.evad.winEXE@71/308@12/9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D37B5 GetLastError,FormatMessageW,

0_2_001D37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C10BF AdjustTokenPrivileges,CloseHandle,		0_2_001C10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001C16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001D51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001EA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001EA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001D648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001642A2

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\1814ca14-1e08-4f49-82de-e344b69e0020.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2076,i,13051042706878522089,9792886360243035223,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7444 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=8048 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=2136,i,8849430213272609994,7604835595753544960,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2548 --field-trial-handle=2136,i,8849430213272609994,7604835595753544960,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2500,i,17146880862222756229,18347558762585213172,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2692 --field-trial-handle=2500,i,17146880862222756229,18347558762585213172,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2076,i,13051042706878522089,9792886360243035223,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2692 --field-trial-handle=2500,i,17146880862222756229,18347558762585213172,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7444 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=8048 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=2136,i,8849430213272609994,7604835595753544960,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2548 --field-trial-handle=2136,i,8849430213272609994,7604835595753544960,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2500,i,17146880862222756229,18347558762585213172,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2692 --field-trial-handle=2500,i,17146880862222756229,18347558762585213172,262144 /prefetch:8

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00180A76 push ecx; ret

0_2_00180A89

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0017F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001F1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97983

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6578

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe TID: 5036

Thread sleep time: -65780s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6578 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001CDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0019C2A2 FindFirstFileExW,	0_2_0019C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D68EE FindFirstFileW,FindClose,	0_2_001D68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001D698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001CD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001CD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001D9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001D979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001D9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001D5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001642DE

Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Web Data.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.12.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Web Data.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Web Data.12.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-97361

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001DEAA2 BlockInput,

0_2_001DEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00192622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00192622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001642DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00184CE8 mov eax, dword ptr fs:[00000030h]

0_2_00184CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001C0B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00192622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00192622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0018083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0018083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001809D5 SetUnhandledExceptionFilter,	0_2_001809D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00180C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00180C21

Source: C:\Users\user\Desktop\file.exe

0_2_001C1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_001A2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CB226 SendInput,keybd_event,

0_2_001CB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001E22DA

Source: C:\Users\user\Desktop\file.exe

0_2_001C0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001C1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00180698 cpuid

0_2_00180698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001D8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BD27A GetUserNameW,

0_2_001BD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0019B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0019B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001642DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001E1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001E1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	21%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://bzib.nelreports.net/api/report?cat=bingbusiness	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://www.office.com/Office	0%	Avira URL Cloud	safe
https://msn.com	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	unknown
bzib.nelreports.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://www.office.com/Office	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://bzib.nelreports.net/api/report?cat=bingbusiness	Reporting and NEL0.6.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://msn.com	data_10.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.253.122.84	unknown	United States	15169	GOOGLEUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.65.164	unknown	United States	15169	GOOGLEUS	false
142.250.72.110	unknown	United States	15169	GOOGLEUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
142.251.35.174	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501435
Start date and time:	2024-08-29 22:52:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@71/308@12/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 40 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 108.177.15.84, 13.107.21.239, 204.79.197.239, 13.107.6.158, 2.22.242.11, 2.22.242.105, 216.58.212.131, 172.217.16.195, 2.23.209.156, 2.23.209.179, 2.23.209.176, 2.23.209.160, 2.23.209.175, 2.23.209.154, 2.23.209.173, 2.23.209.171, 2.23.209.166, 20.86.201.138, 2.16.100.168, 192.229.221.95, 142.251.40.99, 142.250.65.163, 142.251.41.3, 142.250.80.67
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, arc.msn.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, arc.trafficmanager.net, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, accounts.google.com, bzib.nelreports.net.akamaized.net, fonts.gstatic.com, ctldl.windowsupdate.com, b-0005.b-msedge.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, edgeassetservice.azureedge.net, azureedge-t-prod.trafficmanager.net, business.bing.com, iris-de-ppe-azsc-v2-weu.westeurope.cloudapp.azure.com, dual-a-0036.a-msedge.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
22:53:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
22:53:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.61.3	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	OJO!!! No lo he abiertoFwd_ Message From 646___xbx2.eml	Get hash	malicious	Unknown	Browse
239.255.255.250	https://5kirp.mellifluous5.com/5kiRp/	Get hash	malicious	HTMLPhisher	Browse
	https://autode.sk/4g6XSl8&c=E,1,I0OgoTIAL6zcaU4kgbWKwMGE3oDCv6iOL9CcUXdPtaitrRYDaY2yqyg5z3Y_ue3psEsBTb_33PlDmEStP6z69HizNf2ISciGwmDuh9q-ApyQjjb2ectuilD2Rn0,&typo=1	Get hash	malicious	Unknown	Browse
	https://hardbin.com/ipfs/QmQMgsXNvcBrxtTiqDiXNirvtg2aFSGT7XRoUxFk5vCFUg	Get hash	malicious	Unknown	Browse
	nhom89337074245633707424563.pdf	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	Stacey Opted PYMT Tokyo electron limited.docx	Get hash	malicious	EvilProxy, HTMLPhisher	Browse
	https://hkwyolaw.ency.cloud/	Get hash	malicious	HTMLPhisher	Browse
	https://emp.eduyield.com/el?aid=2t26dda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/canoassuplementos.com.br//////dayo/xljj3/bWZlcmVzQHBlby5vbi5jYQ==$%C3%A3%E2%82%AC%E2%80%9A	Get hash	malicious	Unknown	Browse
	https://www.estampariaimagemeacao.com.br/js/images/tvavx.php?7-797967704b5369323074665079536e4f53696c4e536374495330724e4c4d38764c386f734d6741436f367a554c434d6a45304e446f2f4c537a4879396773543031474b396c4e51796651413d-cGllcnBvbnRAdW1jdS5vcmcN&c=E,1,wbWD82FzAB2JeezUv_orUrFt9Y6xAwP1SFd-LxGbn5lFQUR-ICnh2bVD8KxUbI-o1WHs4m_jH3oIrcrCtckuIPjOPE2z7IJMic3gcfP66riD2fyrofyEXyw,&typo=1	Get hash	malicious	HTMLPhisher	Browse
	http://my.manychat.com/	Get hash	malicious	Unknown	Browse
13.107.246.60	https://protect-us.mimecast.com/s/wFHoCqxrAnt7V914iZaD1v	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
13.107.246.60	http://wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5	Get hash	malicious	Unknown	Browse	wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5
172.64.41.3	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0032.t-0009.t-msedge.net	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://cvccworks-my.sharepoint.com/:o:/g/personal/tbrosseau_cvccworks_edu/Eq-UyPVcAplCp0EtULhG-vgBSBG-0YnvqRHIOFaj8gAVeA?e=0GtZle&c=E,1,DChFGbEapD80-9FdFFEzIgnps7b6noVGZQKGJYQxe5NZ1bO4xoHQSXTZoDZYFQom26YXPkpXr4g-Zcy6HwaX1DHyE-5Bk2WBwo9od82Z27DPdBWYzulyG2zvnA,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	Message-ID 08282024 110831 PM.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://set.page/cdtautomotive/	Get hash	malicious	Unknown	Browse	13.107.246.60
	PO 710467.xlam.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	4QihT6CwD8.exe	Get hash	malicious	Azorult	Browse	104.21.2.6
	https://5kirp.mellifluous5.com/5kiRp/	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	https://autode.sk/4g6XSl8&c=E,1,I0OgoTIAL6zcaU4kgbWKwMGE3oDCv6iOL9CcUXdPtaitrRYDaY2yqyg5z3Y_ue3psEsBTb_33PlDmEStP6z69HizNf2ISciGwmDuh9q-ApyQjjb2ectuilD2Rn0,&typo=1	Get hash	malicious	Unknown	Browse	104.17.246.203
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	rPEDIDO.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	COTIZACION 280824.exe	Get hash	malicious	FormBook	Browse	104.21.10.159
	Izvod racuna u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	188.114.97.3
	MT TBA VESSELPARTICULARS_PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
CLOUDFLARENETUS	4QihT6CwD8.exe	Get hash	malicious	Azorult	Browse	104.21.2.6
	https://5kirp.mellifluous5.com/5kiRp/	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	https://autode.sk/4g6XSl8&c=E,1,I0OgoTIAL6zcaU4kgbWKwMGE3oDCv6iOL9CcUXdPtaitrRYDaY2yqyg5z3Y_ue3psEsBTb_33PlDmEStP6z69HizNf2ISciGwmDuh9q-ApyQjjb2ectuilD2Rn0,&typo=1	Get hash	malicious	Unknown	Browse	104.17.246.203
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	rPEDIDO.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	COTIZACION 280824.exe	Get hash	malicious	FormBook	Browse	104.21.10.159
	Izvod racuna u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	188.114.97.3
	MT TBA VESSELPARTICULARS_PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://autode.sk/4g6XSl8&c=E,1,I0OgoTIAL6zcaU4kgbWKwMGE3oDCv6iOL9CcUXdPtaitrRYDaY2yqyg5z3Y_ue3psEsBTb_33PlDmEStP6z69HizNf2ISciGwmDuh9q-ApyQjjb2ectuilD2Rn0,&typo=1	Get hash	malicious	Unknown	Browse	150.171.28.10
	Izvod racuna u prilogu.exe	Get hash	malicious	DBatLoader, FormBook	Browse	13.107.137.11
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	Stacey Opted PYMT Tokyo electron limited.docx	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	52.109.28.46
	66cf818156193_ldjfnsfd.exe	Get hash	malicious	LummaC	Browse	20.189.173.22
	http://my.manychat.com/	Get hash	malicious	Unknown	Browse	13.107.246.57
	https://cvccworks-my.sharepoint.com/:o:/g/personal/tbrosseau_cvccworks_edu/Eq-UyPVcAplCp0EtULhG-vgBSBG-0YnvqRHIOFaj8gAVeA?e=0GtZle&c=E,1,DChFGbEapD80-9FdFFEzIgnps7b6noVGZQKGJYQxe5NZ1bO4xoHQSXTZoDZYFQom26YXPkpXr4g-Zcy6HwaX1DHyE-5Bk2WBwo9od82Z27DPdBWYzulyG2zvnA,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	51.105.71.136
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.67
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.73
	https://outbound.knectit.co.uk/u/click?_t=bnBkL3ZkcGpzYnVvcHV0c2pnQW9icGUvenNzYmMwd2ZlL3RzZmxzcHgvNjYxNHNmb3NmeHQvZm9qbmJnM29wbzAwO3RxdXVp	Get hash	malicious	Unknown	Browse	20.119.0.39

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://5kirp.mellifluous5.com/5kiRp/	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.114.59.183
	https://autode.sk/4g6XSl8&c=E,1,I0OgoTIAL6zcaU4kgbWKwMGE3oDCv6iOL9CcUXdPtaitrRYDaY2yqyg5z3Y_ue3psEsBTb_33PlDmEStP6z69HizNf2ISciGwmDuh9q-ApyQjjb2ectuilD2Rn0,&typo=1	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://hardbin.com/ipfs/QmQMgsXNvcBrxtTiqDiXNirvtg2aFSGT7XRoUxFk5vCFUg	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	nhom89337074245633707424563.pdf	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://hkwyolaw.ency.cloud/	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.114.59.183
	https://emp.eduyield.com/el?aid=2t26dda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/canoassuplementos.com.br//////dayo/xljj3/bWZlcmVzQHBlby5vbi5jYQ==$%C3%A3%E2%82%AC%E2%80%9A	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	https://www.estampariaimagemeacao.com.br/js/images/tvavx.php?7-797967704b5369323074665079536e4f53696c4e536374495330724e4c4d38764c386f734d6741436f367a554c434d6a45304e446f2f4c537a4879396773543031474b396c4e51796651413d-cGllcnBvbnRAdW1jdS5vcmcN&c=E,1,wbWD82FzAB2JeezUv_orUrFt9Y6xAwP1SFd-LxGbn5lFQUR-ICnh2bVD8KxUbI-o1WHs4m_jH3oIrcrCtckuIPjOPE2z7IJMic3gcfP66riD2fyrofyEXyw,&typo=1	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 20.114.59.183
	http://my.manychat.com/	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 20.114.59.183

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20761
Entropy (8bit):	6.06656155485936
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSJcXjQB2xj1KgzFsGCxq5+:LMGQ7FCYXGIgtDAWtJ4nyjQBEj11Bshr
MD5:	0252B9CA5F8227D406FFE250B6BA068E
SHA1:	A89878C0A346BC08B1F29AE1939C4E6D8CA8E3A0
SHA-256:	BCC27DA33EC8C852E8C03DEA464C881C02A67C5CDD13A07789B11B55AD6330CE
SHA-512:	0FEFE3561DE8380FF32B297B7D39A97534D25E014C706ADAB11C945949E231B0ABCE450C01B0DD6FBEFE5DBC10E55C68EC0DB41D5DDA93DC7986D96DC049FB16
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\14dc7186-8a83-41fe-b9c7-094621b299d0.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\1d8836e0-b953-41c6-8646-53bc158ab445.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70418
Entropy (8bit):	6.072270149916294
Encrypted:	false
SSDEEP:	1536:LMGQ5XMBG0Ie3SQVGrorJcGhFEQmnaeN6ZGLgQ7zAlGZrBshUY:LMrJM8teXVGrgJcG8hLgQ7zAlGlBshr
MD5:	44F0B7DB2221DFB8EADF39E2A1AB210C
SHA1:	18A8B460220F0B123C3C32B7BD080B4B861A3A5D
SHA-256:	31B663DCEF7215028C5DB5007867CE3702B4D07583A7490A11B04BB124332D0D
SHA-512:	D0A58CAF3915C5D3FF1B172E5F85C2739B68E54E8DFF6DBF810406248C04CEC2773FAF6270FC4B477BE7367106ED971660C0F29AFEF2054ECF69F820E2262E29
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\3b51c47e-d2c0-4978-ac12-3cc69f0571de.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24081
Entropy (8bit):	6.055036113104152
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NGJgXSkqdFVEQEYzz9GlG1xj1KgzFsGCr:LMGQ7FCYXGIgtDAWtJ4nQSiQ7zz9GlGq
MD5:	FC13335198F190203793323F26E5AD2F
SHA1:	E616BCB56806A25EAE2AD5E4236E8BB7EF9CE7EB
SHA-256:	6B156F89A63D58CB898BBFA1355530E447681D81DA3A247EAA63D9921BAAC78D
SHA-512:	6F1F830D36ED9C3F52CC5C16CB761F0E0ACC335F002F85211A8582CA2511A37AED71AB2E6DF133E61266B3536C23364237646A2F4358EA6F6577145B983A2189
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\4b971975-d7a6-4b66-b44a-3d156934b699.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70379
Entropy (8bit):	6.072191526745455
Encrypted:	false
SSDEEP:	1536:LMGQ5XMBGDIe3SQVGrorJcGhFEQmnaeN6ZGLgQ7zAlGZrBshUY:LMrJM8seXVGrgJcG8hLgQ7zAlGlBshr
MD5:	2A6F90AA822C398D3F6099FAA8D854FB
SHA1:	EF1521CB0BEB0667D85E8D2438F98E6DFF7A0087
SHA-256:	FD440E370A905C413191CB8F6ECE4B8134CEE2BD2A51906209F574E121062E51
SHA-512:	A88B112D0E2FD71847F1F8947A5FD6E7A13B5724565A0847522810905659F6396BD67FBFD54DD410E8F0FA71EDC7EC611CCFDDA69D2D265269EF3A4ADB7EC248
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\5e7137b2-59f4-4645-960b-17e514434c18.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3335
Entropy (8bit):	5.61284579615123
Encrypted:	false
SSDEEP:	96:0q8NkC1f+T+EciFUBJavvJG9JkBcMSDS4S4SDSGsvI4a:/8Nbq+EcLgGTkBZ
MD5:	E98026F8F05E7053EF67059311275D74
SHA1:	9D191EA9C1987261B9D2AE2B363F9DEA795CF920
SHA-256:	02974A75AE5A540E10AB22C959E6518F18A10EC430772CB05EEC68361073C72D
SHA-512:	D96357D5FFAA313ABE479F32D55B51EF24827C7A48BACF01FF3604E246C92BC7AD491B92BA5B566451EDF4E3B55E137FBBA2F16A976FA8D370684EB94715F71C
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"policy":{"last_statist

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\9ff41076-7033-4126-9f3c-2f16836f6a84.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.588808794705378
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0af+TOdEE1MMpCj7akHB+8drxIvBlWEWvRnnaJkXRcvwlRKM1Y:Xq8NkC1f+T+EcihBJavvinaJkBck9zq
MD5:	342E60CE6E19B6CC6ECB532574C587EB
SHA1:	00E665DA0D367D52693831C6656041094555671E
SHA-256:	D2C48F2FC21073C91EAACB1FFCCCF04C7A3DA32FD3BC9A976A824ABCA23CE007
SHA-512:	03E1BD56C033D29BED70CDC3E6A232DFE685C95A6485AEDC1570B638213C6943CEA72F0E2312BDB2486D87CBBD92F4BDC6FF248FC892C14EABA3E23F98E24C00
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"policy":{"last_statistics_update":"13369438370354459"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640145133154881
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7Y:fwUQC5VwBIiElEd2K57P7Y
MD5:	46BC3CA050C9032312C051408F8C6227
SHA1:	4EC92F610AC217A2AB2927A8B71AD8BF5157D72D
SHA-256:	CB9C9EED0F363C3193E8676B326299AED296899E17323BA2D48619BAF5249FC6
SHA-512:	BB3126EBAD87C08B80CF3125BCDF838CEB7012F72B142B6CE67C8DAB7E57C52478876CAF19ECAC5670D5A0C2C3505F92DFB2E3013791359BFDD7094B29FC157F
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\fbe7cd92-3a00-4e9d-9525-7517026ba783.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640145133154881
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7Y:fwUQC5VwBIiElEd2K57P7Y
MD5:	46BC3CA050C9032312C051408F8C6227
SHA1:	4EC92F610AC217A2AB2927A8B71AD8BF5157D72D
SHA-256:	CB9C9EED0F363C3193E8676B326299AED296899E17323BA2D48619BAF5249FC6
SHA-512:	BB3126EBAD87C08B80CF3125BCDF838CEB7012F72B142B6CE67C8DAB7E57C52478876CAF19ECAC5670D5A0C2C3505F92DFB2E3013791359BFDD7094B29FC157F
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D0DFA2-14DC.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.44803561970394656
Encrypted:	false
SSDEEP:	3072:r7dheeNB82qmGMc+PfviIvTyMH0eXwsaf5MSR2Zr/ItE33kg1HFc78Ivis1ArcWj:WG7i633kaHtWISv62aHFAZHFA
MD5:	0E8BF260E3F0B1C05748D23B8C6AD54D
SHA1:	98073889297F7CA2C5BDC0028AD3F573F11FC031
SHA-256:	6C051C7AC4CFFDF158D7D5BC9396FF3026C59BCAE6BEF549374F603828F6B62A
SHA-512:	36D1C5F1D9859A3519B370426E6B45CD453C8107EE424B205822C1EE5AD64A162B4D39692AF860BA017B39781A6C0F238D91D555ED70518E2D485EE91AB1FE8E
Malicious:	false
Preview:	...@..@...@.....C.].....@................1..................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452....x86_64..?........".kbmcme20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J....s..^o..J...W..^o..J..,jp..^o..J.......^o..J../T...^o..J...X.p.^o..J.....p.^o..J...c...^o..J...Y...^o..J.......^o..J..w....^o..J...G.Y.^o..J..A....^o..J....c..^o..J...c=..^o..J....J..^o..J...h8..^o..J..3.(..^o..J.......^o..J..!n...^o..J...S@".^o..J.......^o..J.......^o..J...j.8.^o..J..@....^o..J.......^o..J...b.J.^o..J..G....^o..J..8...^o..J...#...^o..J....k..^o..J..S..O.^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D0DFA2-210.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.040492229941233825
Encrypted:	false
SSDEEP:	192:A0UjLYiVWK+ggCdRrJtD+1X9XDQoUgV8vYhXxNEq4b8GRQMkjjRn8y08Tcm2RGOD:7UjjlD6lTnhBCdwjjR08T2RGOD
MD5:	9FF31BC48F3F5E3726DB3D9DC6C9C25D
SHA1:	71645D73FCA6B19F457F17FF8A780E311BF81063
SHA-256:	FCCD8B945EC86D78AF470F7A4B1190B9EA46B264FE92EE38B479F7242D717780
SHA-512:	F58C46DF9F3E2CE0B94B48450F3EFC8903ADB046F9123F7B34DEF9BB6F460CD8BF979AE656E13644C3C0AE220A492B26F4325A358FEF58E1D40764E7A95440E8
Malicious:	false
Preview:	...@..@...@.....C.].....@................a...P..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".kbmcme20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@.............4.....................$}.CG....L.T.w..Ucw.}....u.$r....9...>.........."....."...2..."..:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z.......Q.9@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z.......................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.1880320360694885
Encrypted:	false
SSDEEP:	3:FiWWltl/mvx9mbe4HSRqOFhJXI2EyBl+BVP/Sh/JzvJDPHIYth3IkBiDNi/el:o1yufyRqsx+BVsJDNVuJ
MD5:	72C8D511E25FD33DE91D06FF9E0C5129
SHA1:	492D1E1359F08E51FC064F3655844938D06291D9
SHA-256:	057C25ACA6066AB9BDB35EE2E6C0623B53AC75A765F69C6922833F3850B68A6E
SHA-512:	3391C52ED7075B415B637B2A730441C37216FB2463308188D4A579C519754695B7E294338FF16036481617596A0996EDEB245086F59C110B5BDE167F1827C9B9
Malicious:	false
Preview:	sdPC.........................LN.&.E..Z."1SCRpGKHAwpF5kOwXUUSc/ojBrTkNG2SgkvqW1WE7kI="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................0eafac2b-636e-4b9c-9d08-bad8218ff333............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\09b8a60d-b8b9-4acc-b005-31bf626a5356.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6426
Entropy (8bit):	4.976417419022578
Encrypted:	false
SSDEEP:	96:stHqfmis1smb9ypcr3N8zPhH1s85eh6Cb7/x+6MhmuecmAezcdQn2MML/EJ:stHSsiB2rNkJVs88bV+FiAaPMLMJ
MD5:	CADD54C0B7287DE663010236C506D61A
SHA1:	B088FF96ADD0F4E00F523D3BB49C1CDD4459EE7A
SHA-256:	88316571AD077A120F5EF8880126AB4952DABF3F0A3F74B5F3B2846B94A4ACD1
SHA-512:	0F4E82B05212B6E5283D9361E4373CBFC799D9F4AF30ECA36C1937B16443B503AC7A4CDC699968788D9B40D1E3BCFC3F9644D1BF9B7D22438E330E2FACB036CF
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369438372117449","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369438372119301"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\160e96f0-45fc-4880-bba1-e14e25104234.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.968937072907761
Encrypted:	false
SSDEEP:	96:stHqfmis1smb9ypcr3N8zPhH1s85eh6Cb7/x+6MhmuecmAezcWl2MML/EJ:stHSsiB2rNkJVs88bV+FiAqPMLMJ
MD5:	DFBD8843B2F4992279A81974634BD6C0
SHA1:	A24EC5A7C3891625D9BF30C41FD7A2717842301F
SHA-256:	2F914BD45D5C455827474D3719D153160288A965CF36FAADD7AA273AEDAB3860
SHA-512:	B8BAA4C489FB8C811BCA5749C72A919F083C044FA0B2786455C01DE4F62AD1F08881DBBA48AD916E5C4B5263871E0D38311980CE9AF893FB9AA3B88CCB13F97B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369438372117449","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369438372119301"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\56f7355c-aed5-4fd4-b8dd-25a6ae075448.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\59c4f77c-dcc7-4634-a86d-b6c183b81ef8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6528
Entropy (8bit):	4.978445463494397
Encrypted:	false
SSDEEP:	96:stHqfmis1smb9ypcr3N8zPhH1s85eh6Cb7/x+6MhmuecmAezcXQn2MML/EJ:stHSsiB2rNkJVs88bV+FiAcPMLMJ
MD5:	B4C2A24E8C01DB6A3D637E16466D71AE
SHA1:	08665C23DDF8BA17D9E2BF2377498A3E90633E11
SHA-256:	77B0D967494232B520BC24D4218D5DD9C56E3306BE9AA07680130BB599AE9E32
SHA-512:	F429514B764BF3680E23E99BA254CB6D2CCC39B1FCC5A57D6BD87A5E811873045CE48770169D28F47CAC93FAD1AB15012642101BC377ECB63F6DFAF50CE8CED9
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369438372117449","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369438372119301"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\91876051-ea90-4c4d-b10f-a9cc56959dc2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24800
Entropy (8bit):	5.566038363657136
Encrypted:	false
SSDEEP:	768:HifXpaWP1UuVfs+8F1+UoAYDCx9Tuqh0VfUC9xbog/OVIVXoQrwdpGtup:HifXpaWP1UuVfs+u1jaF1ohqt6
MD5:	B5525CBADB78491B84DA0CC6582B78EE
SHA1:	62D1C6E86754E919BAE876E0CA58A97509A4D8C7
SHA-256:	26351C17167C7AC362409917FE1EC8890968EA69E379715D7BBDDA35AB1E6CCD
SHA-512:	E346FC5EE8200F4A50589495796C09D2B6468001A329B497EA4A1F6EA37E70E8A6EF770CDC88684F533E57FE20E137F1DEB284ACC2BDE873FC57185D62741E1D
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369438371062910","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369438371062910","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	12600
Entropy (8bit):	5.320090279958984
Encrypted:	false
SSDEEP:	192:sjAOEH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNdl:9OEOKSXs/J7mGnQmLu5/5eNdl
MD5:	008659C69BB5E6AFA295F05F0B92DC5F
SHA1:	910A6C8DD187215B81BA8E4E2D1168659F6BEF01
SHA-256:	B3C47F25A3BF6F3ED27F4FCBB777B575CD88DF5F5D062667DC1E8861C1C5B5F2
SHA-512:	EB35FDC0E8C7DCB1BB01293ACB0D451E74A45E89B0688C44740B58F54FF1C01760914BA06F8075FADC1E3395D8D87A4A44287EB08F74A8E8950FBC39DD9608A1
Malicious:	false
Preview:	...m.................DB_VERSION.1G..T.................QUERY_TIMESTAMP:arbitration_priority_list4...13369438377231102.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}]..A./..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivilegedExperienceID",.. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",.. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",.. "SHOPPING_AUTO_SHOW_BING_SEARCH",.. "SHOPPING_AUTO_SHOW_REBATES",.. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",.. "SHOPPING_AUTO_SHOW_REBATES_DEACTIVATED",.. "SHOPPING_AUTO_SHOW_REBATES_BING",.. "SHOPPING_AUTO_SHOW_REBATES_ORGANIC",.. "SHOPPING_AUTO_SHOW_PRICE_HIST

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.133516692283578
Encrypted:	false
SSDEEP:	6:N5EFRs1923oH+TcwtOEh1ZB2KLlL5EFI+q2P923oH+TcwtOEh1tIFUv:NipYebOEh1ZFL1iW+v4YebOEh16FUv
MD5:	2CF651A44E57ED6E22C52B8C95FAECF2
SHA1:	E4477564139A78B882014F98BD91A2CBBB0AB38A
SHA-256:	0C872322DCE42E1E6360E641552AB5C76F2125ACBB052270DE9D956D40D8CA67
SHA-512:	6CB4C0AABAAF8BCCFC03D9A7CAC85B27B1E0A370DB0333E73EEF5F81F2473A62526D3C96FEF2D529DE6B82B3515A33A07B9BB2BAA7E62535897788F300B73A31
Malicious:	false
Preview:	2024/08/29-16:52:56.448 21cc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db since it was missing..2024/08/29-16:52:56.521 21cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.04433974943003817
Encrypted:	false
SSDEEP:	6:/Fii23KkM/lI9c4Qd/ggkM/UF8sk/PXb2QLR/lR:d2/E57ggkM/UF81PrH
MD5:	6219887F160A838EC3944EB5460C5EDF
SHA1:	4B79034EEAFE62CB6EF53BEABADC75F6004D9182
SHA-256:	F2A0BE187797105C9549BEF0D1E29822CC940052BC50ED4A26202D005C6C9FEA
SHA-512:	E8D55595402728910D98E04E1BE01FB0CBF00A360B8A1F1894823B94CF1D95D3A8E3678349A05286E6B184336143740DD6B17D77D2BCBA256B0CBA24E224DA6D
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.09565677236848706
Encrypted:	false
SSDEEP:	48:VtV4A3esqV4XesLsX5T3lWp43Afa6NUeGO:/V4A33qV4X3L+3L3AC6NLGO
MD5:	18F7ACCB49E2B3C890E9B3318DCF2271
SHA1:	6C4E713C8C84C17E6D564D79B1564EFEBCFB9549
SHA-256:	3FA0A48798DEE8A96AA49A4201DD55B8D3E021B3551F7D96579E1BB348024ACC
SHA-512:	02168F69E2FE19ED4F0F422E66F2B0622E28171E98EDF5D8E82A9643AB036953E70BCF0EDDB302FBD57594DDC33B19193B639739F95D2042920409347A1BB783
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.28356835851184364
Encrypted:	false
SSDEEP:	384:V/iT+JtMi/iT+JtMDpiPiJtb4gijJt4UWiPiJtb:VXJtFXJt/iJtyJtffiJt
MD5:	6419D37C41F44C8C0B66A0F16C1BD11B
SHA1:	F9BB2CE94F7266093E149B2522B2A4E783F20909
SHA-256:	B48B4BA9ED403F299AD8FE6CBB7F9D5E46A018DB53C2BC20CDBE1A20D70E5B92
SHA-512:	E056BAE73216479E050550A6182747FA93C636B11D243C8323E82AD639FC3A8FF98F462BB0954A94E393709496D070238FBD156565058D79E2D50F2C0BF7E7A6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Fri Aug 2 18:10:34 2024, max compression, original size modulo 2^32 374872
Category:	dropped
Size (bytes):	70207
Entropy (8bit):	7.995911906073242
Encrypted:	true
SSDEEP:	1536:VzseWV/dT2G9zm5w0vgxQUFm6SM6ZYRuB61K+aK+POIwPru:VoNQGIwvs6S9+I6RWPOIwTu
MD5:	9F5A7E038BF08B13BD15338EC7BD4E16
SHA1:	AB69D28EEA9AE289BB86159C341910538CDDE5B9
SHA-256:	BA0BCBBF170ADB0B5119D19D56C2D004579507DFC4A9215BCCC8663C8A486AF8
SHA-512:	48557ECD56DFD2157304FE752E15E44314667EFC79E6C21312723251E4E1F1BF5BE0A76F88F4B4D83FADB9D81BFB1835B1C0E5CFA7B07214A605F58064BB94B1
Malicious:	false
Preview:	.....!.f..asset.....6.0.W..3....[........9m;.....IH.E...j...}.....PR..w.gg.....@.P...?...x....?./.%..Q...x....}..9..e..f.8..Yb@g...i..$...I.......<....k...{..{.Qg..k..q.....i.Y}..._......\?....5 .5 .`..._i'@....H'.f!...x`...f......v.._1w.u.<.........5.:..^.Ua....H6...x....D:.R..L..2.,.s.f.......FE'..%{]-;+.`....N...=\|.:q...9N.k..i.I.8E.i.I.s..Y...8..fe'...Xo...Xo...#.r$N.u2.o.]....^,.k....{E."......Q.N...AY..u.^o.............Z..ce.irN.{.O$.C.......HJ.HJ..J..hOgA.5.nW.\........}E.%-.A."a<..~.[O....~.......xX.G?Y.3O8d8I...&X....V4...0=.iS....].D.L@.YiS...<.W..W+..#mj...p..8^.\U;oV;W`..^..V...G..SC.9.....i%@g.iS=..`..#.H.p.q..E.q...)....).X..M.X.%.,i.%..V..6.nk.@1S@-..Y.6....K.n....:c.My.....h...9..q...f't.iS.v..6D7...d't.iS.v..F.....faG.t.f....lR.J@!l.0O..T.....T2...\.n..-....L..ES.9.:...B..P1@...P.l.fX.aV..Y6.B5......Mt..SS,l..+..J...).i.6......8...:.Z...2.H.8..Z.>.5.Oi..N`:..6.i.n.h.l.e.h.T\.lr...TE+m.T..).D..F..+.6....J...x.`..`.m..H..i....p...v

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsultuKt:Lsct
MD5:	CABF99E3833983DAA1B7826EF2D5F3BF
SHA1:	7DA4788E8BA2B9DA73E579240BD8B30F03CE52DE
SHA-256:	59FC3B6DAC71007C578C91568ADB6C690C5DC34E67207DA1843685C7FFA4CCB4
SHA-512:	E2EDA5E6F71F3753FB10AE35FB33A48C9766121C1EE87446379A8F9A5FD33FD2A4A86DE3D82F74857BFAAB35E3CB5155391B8DAB819C41DE63FEA23C052222BA
Malicious:	false
Preview:	........................................GP..n./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.872224320061398
Encrypted:	false
SSDEEP:	3:l2QR0E0NTLln:sQ90Nn
MD5:	AA258AC5BD4BB46C7EFF67732B9918B2
SHA1:	2D83794039FE730C730762E08FE47620B1AB4A1A
SHA-256:	69DB946C521F54F1A5CB773F81D9850B1C87350C294D4629007EE891E8A3D947
SHA-512:	B7795C13FD4114F2D96C0E5FCCA9F9BF9DEC21D6189FE0A59E51DCE894C30AF051279512531E3B69FFA3B13615FB3FB16D54D8F7B255B0673974E45D6C52BA46
Malicious:	false
Preview:	(....S..oy retne........................hh..n./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.872224320061398
Encrypted:	false
SSDEEP:	3:l2QR0E0NTLln:sQ90Nn
MD5:	AA258AC5BD4BB46C7EFF67732B9918B2
SHA1:	2D83794039FE730C730762E08FE47620B1AB4A1A
SHA-256:	69DB946C521F54F1A5CB773F81D9850B1C87350C294D4629007EE891E8A3D947
SHA-512:	B7795C13FD4114F2D96C0E5FCCA9F9BF9DEC21D6189FE0A59E51DCE894C30AF051279512531E3B69FFA3B13615FB3FB16D54D8F7B255B0673974E45D6C52BA46
Malicious:	false
Preview:	(....S..oy retne........................hh..n./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:uiDXAyEtO:uUQ9tO
MD5:	082A3A044E235BD5CBE2F22F01A6FC34
SHA1:	F14F774109DC6AF71F9BB071BFEF9469496868D8
SHA-256:	0FD72CAAD2B1C5A2EB0B160B7BE7F262167809F1C9E170990CFCB2EA6F3B09FF
SHA-512:	54A3751B888D8839E52319540056767A6269EB2D80AB6BEBDD0CF299419781EF4467166721DE2B32D1EEF3A25EC97861836E0F12408C259E25B9DA961B96005D
Malicious:	false
Preview:	(....7.oy retne........................q...n./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:uiDXAyEtO:uUQ9tO
MD5:	082A3A044E235BD5CBE2F22F01A6FC34
SHA1:	F14F774109DC6AF71F9BB071BFEF9469496868D8
SHA-256:	0FD72CAAD2B1C5A2EB0B160B7BE7F262167809F1C9E170990CFCB2EA6F3B09FF
SHA-512:	54A3751B888D8839E52319540056767A6269EB2D80AB6BEBDD0CF299419781EF4467166721DE2B32D1EEF3A25EC97861836E0F12408C259E25B9DA961B96005D
Malicious:	false
Preview:	(....7.oy retne........................q...n./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl0UT/:Ls30UT/
MD5:	E58AF6A179EBE0744D31229AEABD8CF0
SHA1:	FE3FE79BCF96DDF7049F1AF4ADC65ADD0CAF7E28
SHA-256:	F4F42D2042F57C5D7ADB42ABA0DF7F9CE3DFFDFFF29964117776C7503AAF9BD4
SHA-512:	777DF1F5B8B4C3F579C2DCC560389E38686859DEDC9944C7B69623802D3D88744EC9F8D2D949BB70D5AF92A4FEAF538EA66DC1AAFBE80A837E935E4922DFB8A3
Malicious:	false
Preview:	............................................n./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.354108299121946
Encrypted:	false
SSDEEP:	6144:SA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:SFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	19FB8BF958092845E5539A11BE8810DC
SHA1:	C1127301D6277E29E5F6E132FB3509DC6C54CA33
SHA-256:	4B410C98161D0E5763C3A4D8F89D0F60C26555FF7CBC7C86CF8701CEDB535A87
SHA-512:	A4F9AE0818072B2C3F5D6B65749FE79D235586A3E04AACCF92972561C84F8C620BC889FC824D43944CA3CCEADD2DD0F45177BD5CF201390EA5E388C34D3B5ED0
Malicious:	false
Preview:	...m.................DB_VERSION.1v.M.q...............&QUERY_TIMESTAMP:domains_config_gz2...13369438377284931..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.198208708963251
Encrypted:	false
SSDEEP:	6:N5EFGc3GR1923oH+Tcwtj2WwnvB2KLlL5EFLQ+q2P923oH+Tcwtj2WwnvIFUv:NiJG8YebjxwnvFL1ie+v4YebjxwnQFUv
MD5:	3A19A2A7B8818A5B1407A4A1F12AC439
SHA1:	618AABA530ACEF8187D857BE485F549E71E48D55
SHA-256:	7712BF73A89C0752512FAB3DA05B2B4CE018A32DCE735E6D95CA9F2CFB20F011
SHA-512:	33BCDC0AA7D7333BF5CF3B45258C104656C6D0AFF244CCCA37ED26C1C13CEEAB290ED15AF3E074139F728647FE0C2AF98AAE514E3D1A9D716A8841D8D4F54983
Malicious:	false
Preview:	2024/08/29-16:52:56.499 21ec Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db since it was missing..2024/08/29-16:52:56.592 21ec Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358860
Entropy (8bit):	5.324623007358861
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6RQ:C1gAg1zfvo
MD5:	7AB0C72F46AAEE1F500928D51EBBC902
SHA1:	040CC6E200174EA386385B9D2376F7020C365D05
SHA-256:	324B36704D0DAB2639C17119C731851FA6A5F53945646E01E9B9F759C5BEA320
SHA-512:	C3BCE51089D0EC1CE70C638A737883E9B323612DE75678D6D00DC25547B3F187DEB4D7B6AF481E687A95F1FBAB1EBADD2CF65E1CBB246733297E08A84D54B5DD
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.215686021987035
Encrypted:	false
SSDEEP:	6:N5EAp1923oH+TcwttaVdg2KLlL5EVd3+q2P923oH+TcwttaPrqIFUv:NiAEYebDL1iVdOv4Yeb83FUv
MD5:	029FEA0C70E1151611230D50A7C14308
SHA1:	9C3724D68910612479F7D0C24127DF758A0B7A1A
SHA-256:	28D0BA9948A61D1D6E244A6BFD4D44508677CADE94288FA0A44217475B40D007
SHA-512:	46FC2CD8DEBAF7E19C66E34239C017DDAA4FE2A43A25C3D553BDAA14F8F7869AFDC185B1C6C25FB5A0F17E2FB64E2737CFB69E066CFA538D5D23B0AFFDD6813D
Malicious:	false
Preview:	2024/08/29-16:52:51.089 1d48 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules since it was missing..2024/08/29-16:52:51.314 1d48 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.214903217804553
Encrypted:	false
SSDEEP:	6:N5E1ORj1923oH+Tcwtt6FB2KLlL5E/O7+q2P923oH+Tcwtt65IFUv:Ni1+GYeb8FFL1iWiv4Yeb8WFUv
MD5:	AA449763124E322BA094165FD894702A
SHA1:	08143A6EC098E2BEDD2625DD2D02236AB6F4393A
SHA-256:	E83F7E671714E6644E3680D16A2DCF4049287E3570EE4674E6608E08B763735B
SHA-512:	364633E500426A34DD2BAA92A8B532C8344C5EF1BC162A74403834E59FFDDBF977E59E91A94E7FE034EC7A433A55264E6284578F4DE92E15A0DA79C206EAED3B
Malicious:	false
Preview:	2024/08/29-16:52:51.315 1d48 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts since it was missing..2024/08/29-16:52:51.353 1d48 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.187448259765568
Encrypted:	false
SSDEEP:	6:N5Ea61923oH+TcwttYg2KLlL5EaVXDM+q2P923oH+TcwttNIFUv:NiqYebJL1iIM+v4Yeb0FUv
MD5:	87ACF96C6FCF8DA99DFE25B62CD85DE9
SHA1:	E44D3D8728BB8B5F3DAA7D5E225B418717BD91D5
SHA-256:	8FE484B79833AD6485B446D3B96FA91E8B9DFE5C75A752E768C06ACD765D2A62
SHA-512:	BCC5F8A3B7F6403244417FD27C80DC4D41A18C3D1783B4DBBFC7D5A57E0B27741092E088A8DC0501CD8F345A55BF5CA017ADE9E9F790EC417C285ED3CC094002
Malicious:	false
Preview:	2024/08/29-16:52:53.024 1cfc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State since it was missing..2024/08/29-16:52:53.037 1cfc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlWll:Ls3G
MD5:	9C610ED09396F6B3902A1C2E197AF0A0
SHA1:	52180C7F21229B79B424102A50028910D696EE3F
SHA-256:	905E2A1F561159E7BD8E14BC51DDE4C04139C65786F0121CC6C67391D734477F
SHA-512:	692D537127A2D2C8839F4269BABE55D6F44870ED96C09B5A2CE99F99D7DDC97E3C7F07646849ADDEF852DAA5A07F3BA0C692BF28FEA410B74D90B832E62A0F76
Malicious:	false
Preview:	............................................n./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.2191763562065486
Encrypted:	false
SSDEEP:	3:xet59tFlljq7A/mhWJFuQ3yy7IOWUB6/otdweytllrE9SFcTp4AGbNCV9RUI7:0C75fOuwtd0Xi99pEY1
MD5:	C9C9C1E4CFAC1F943B28D60A16EFE8CE
SHA1:	34E0AF034D0D909322C27CE3AA4C00962F1A4DFB
SHA-256:	AF9D2E4E43C147EBE65567C44743B4DF1137F17EF1D1284583B0B6EAE5CACFCC
SHA-512:	E154EDDD29A2EEDF240147FE3E7B284EBAA4B9DFB1D1FC3562F83CDBBEE424E94F56F09B09200B0D5BF6B55171B2FCF43BE3195BE0E96E708E01E3324A8EB1AC
Malicious:	false
Preview:	..............q....&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	379
Entropy (8bit):	5.257510160896799
Encrypted:	false
SSDEEP:	6:N5ESWjuM1923oH+TcwtRage8Y55HEZzXELIx2KLlL5ESZq2P923oH+TcwtRage8j:Ni+hYebRrcHEZrEkVL1iCv4YebRrcHEz
MD5:	09BDA91ED689CA5753CAD65D740DB317
SHA1:	5661BADA195DB7E5BD5591900BD41D5F6E180CC9
SHA-256:	76D1A17ADCC416C3E1FF10FD904CD456F45D9E0DE4B72FFD2DEB091A5E305BBF
SHA-512:	E9E006622CFD35E62BEFB1EBEC68FC3E58ED78A49F90B765DA7B6B67075FC3F071275BC16BED75F8EB50F2F92BAC4222C1ED762533E19A1CF0D5F6EED6BDE7A3
Malicious:	false
Preview:	2024/08/29-16:52:53.843 1cf4 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/08/29-16:52:53.856 1cf4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.19794124582073
Encrypted:	false
SSDEEP:	6:N5EYRFpCRM1923oH+TcwtRa2jM8B2KLlL5EBwuvq2P923oH+TcwtRa2jMGIFUv:NiYRF8RhYebRjFL1iXvv4YebREFUv
MD5:	8F383114707DED1200AE69A2026434F5
SHA1:	07705686E47B41966FFA9EE4C8D30610AEFFD800
SHA-256:	20A4468BB5C3AC83070AFE4BFE1D9C8FCC2643A89D977E4C013C60C9F27ACFC2
SHA-512:	A403846A55E6271F7794D1226DC443DA2407A42A9215FD99497636A50FEFFB24CC11A250249A8B7966A6468232217F02ED2744C8AE4598963CAD50914FA4899E
Malicious:	false
Preview:	2024/08/29-16:52:51.624 1e24 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb since it was missing..2024/08/29-16:52:52.706 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\191bdda0-70c2-40b7-a11f-420481c77c55.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\3c639a3c-0f11-4e23-b15f-5f175a0f2c53.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\5d52889d-e274-440b-8ac1-76a002a16941.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\79ddc629-a36e-4c7b-8060-7ef2a2c96e0e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\9fdd111b-0d0e-4fa7-b534-ad8f42d91575.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF37ade.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF43ae2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.7601320068157191
Encrypted:	false
SSDEEP:	48:TKIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBk/p:eIEumQv8m1ccnvS6E
MD5:	7197775B850F4C848F3A6D958A15909F
SHA1:	7843BB7BBCFC14ECD6517CA1025CEB75BE100795
SHA-256:	B8A4C36C97D354B57C10E178B0B57997385F6611283A4D2C0BDFC588BC65C669
SHA-512:	A43EE2D9B5D0911E729B92F6DB291E7C626DA026D206A3581047253C40267C4672EDB1D9CCFD679DB0FE387AD127B3CA379E5719CAF0064CF3E73839A7658DEE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports~RF318a9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\b6b41bb8-13a4-4ae9-bf45-56a7a80f6d82.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.968937072907761
Encrypted:	false
SSDEEP:	96:stHqfmis1smb9ypcr3N8zPhH1s85eh6Cb7/x+6MhmuecmAezcWl2MML/EJ:stHSsiB2rNkJVs88bV+FiAqPMLMJ
MD5:	DFBD8843B2F4992279A81974634BD6C0
SHA1:	A24EC5A7C3891625D9BF30C41FD7A2717842301F
SHA-256:	2F914BD45D5C455827474D3719D153160288A965CF36FAADD7AA273AEDAB3860
SHA-512:	B8BAA4C489FB8C811BCA5749C72A919F083C044FA0B2786455C01DE4F62AD1F08881DBBA48AD916E5C4B5263871E0D38311980CE9AF893FB9AA3B88CCB13F97B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369438372117449","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369438372119301"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF3a912.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.968937072907761
Encrypted:	false
SSDEEP:	96:stHqfmis1smb9ypcr3N8zPhH1s85eh6Cb7/x+6MhmuecmAezcWl2MML/EJ:stHSsiB2rNkJVs88bV+FiAqPMLMJ
MD5:	DFBD8843B2F4992279A81974634BD6C0
SHA1:	A24EC5A7C3891625D9BF30C41FD7A2717842301F
SHA-256:	2F914BD45D5C455827474D3719D153160288A965CF36FAADD7AA273AEDAB3860
SHA-512:	B8BAA4C489FB8C811BCA5749C72A919F083C044FA0B2786455C01DE4F62AD1F08881DBBA48AD916E5C4B5263871E0D38311980CE9AF893FB9AA3B88CCB13F97B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369438372117449","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369438372119301"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF41e23.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.968937072907761
Encrypted:	false
SSDEEP:	96:stHqfmis1smb9ypcr3N8zPhH1s85eh6Cb7/x+6MhmuecmAezcWl2MML/EJ:stHSsiB2rNkJVs88bV+FiAqPMLMJ
MD5:	DFBD8843B2F4992279A81974634BD6C0
SHA1:	A24EC5A7C3891625D9BF30C41FD7A2717842301F
SHA-256:	2F914BD45D5C455827474D3719D153160288A965CF36FAADD7AA273AEDAB3860
SHA-512:	B8BAA4C489FB8C811BCA5749C72A919F083C044FA0B2786455C01DE4F62AD1F08881DBBA48AD916E5C4B5263871E0D38311980CE9AF893FB9AA3B88CCB13F97B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369438372117449","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369438372119301"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:	3:YVXADAEvTLSJ:Y9AcEvHSJ
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\README

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.2629097520179995
Encrypted:	false
SSDEEP:	3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
MD5:	643E00B0186AA80523F8A6BED550A925
SHA1:	EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
SHA-256:	A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
SHA-512:	D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
Malicious:	false
Preview:	Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566291948505433
Encrypted:	false
SSDEEP:	768:HifXpaWP1UuVfb+8F1+UoAYDCx9Tuqh0VfUC9xbog/OVIVXoQrwnpGtuR:HifXpaWP1UuVfb+u1jaF1ohYtq
MD5:	90C042298590510E676679E0CB9CE5A2
SHA1:	BF8AA122148C338AF2D385CDC7BEC5DEC373BDC1
SHA-256:	1E1DB39713A5E3DF53B41C6D24902A222652AB173D50D8A1A54C9E0466DBA3F5
SHA-512:	E853CA97ACD118973C6D1053CBA5FBB24A3F04263668672C8B731676409833D4DD410E94AA92AD5B232D5B27F04B21C0E1B8DE9AAA27E662779A5D031130B946
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369438371062910","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369438371062910","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RF378ea.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566291948505433
Encrypted:	false
SSDEEP:	768:HifXpaWP1UuVfb+8F1+UoAYDCx9Tuqh0VfUC9xbog/OVIVXoQrwnpGtuR:HifXpaWP1UuVfb+u1jaF1ohYtq
MD5:	90C042298590510E676679E0CB9CE5A2
SHA1:	BF8AA122148C338AF2D385CDC7BEC5DEC373BDC1
SHA-256:	1E1DB39713A5E3DF53B41C6D24902A222652AB173D50D8A1A54C9E0466DBA3F5
SHA-512:	E853CA97ACD118973C6D1053CBA5FBB24A3F04263668672C8B731676409833D4DD410E94AA92AD5B232D5B27F04B21C0E1B8DE9AAA27E662779A5D031130B946
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369438371062910","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369438371062910","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.160877598186631
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljl:S85aEFljljljl
MD5:	7733303DBE19B64C38F3DE4FE224BE9A
SHA1:	8CA37B38028A2DB895A4570E0536859B3CC5C279
SHA-256:	B10C1BA416A632CD57232C81A5C2E8EE76A716E0737D10EABE1D430BEC50739D
SHA-512:	E8CD965BCA0480DB9808CB1B461AC5BF5935C3CBF31C10FDF090D406F4BC4F3187D717199DCF94197B8DF24C1D6E4FF07241D8CFFFD9AEE06CCE9674F0220E29
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.178563725972145
Encrypted:	false
SSDEEP:	6:N5EJPRM1923oH+TcwtSQM72KLlL5EJ2Iq2P923oH+TcwtSQMxIFUv:NixRhYeb0L1i4Iv4YebrFUv
MD5:	8108B9E1D776EA2A5D0D67D0824B1235
SHA1:	0322D68E3579069F4DA3788B88A4F2A1B5BA7189
SHA-256:	D46CE506CF1714ED504552FDF771021408692C9F7937F52F89776D46C758826B
SHA-512:	7785911B7870AF626C143679553861D7414BD12193CE88D1732796DD506673747368210EA2172AB915EA112C57A11268CF8D651242ED482DCD3080F4001D29AB
Malicious:	false
Preview:	2024/08/29-16:53:08.715 1e24 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage since it was missing..2024/08/29-16:53:08.733 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.123846075691015
Encrypted:	false
SSDEEP:	6:N5EMXw1923oH+TcwtgUh2gr52KLlL5EABQ39+q2P923oH+TcwtgUh2ghZIFUv:NiMXtYeb3hHJL1iABQN+v4Yeb3hHh2F2
MD5:	55CA41515846499BF6B61943313DDF8E
SHA1:	9A41D9CC889AA5A2355A6B6E122440FE463267BA
SHA-256:	E9D5D0BEA7096DE768F91DBA5021169CAF741953C715A229F969B8BDB2C994BC
SHA-512:	BBBDD13C255913D8B8203F9048C9A9AE31584619C76A3D2C8C3758B05E1019324D5D140B6876A0DC5D8B892288737F34D80E64719940543CBE819288BB4B3B34
Malicious:	false
Preview:	2024/08/29-16:52:51.043 1d2c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database since it was missing..2024/08/29-16:52:51.085 1d2c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulW:LsL
MD5:	4EDC75CDAE55E9E4109284D4029F4A23
SHA1:	2AF22E73F9369AE6FC8063BACD4819BF9CC06C61
SHA-256:	FC1B213B7DFBCB48A403B25BF3D407381C678C4FB634AEB8D7D3962B78CBE11E
SHA-512:	97156D39177C32225CE2960C0A419BE851A6261F63F4835C0BF837E20B266403E19D2E61CD48DE4B06FC79A10BFE20D80022F46E65ABDE399D58EAE1E8621465
Malicious:	false
Preview:	.........................................W[.n./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:uxFQR0EPjWl:uxFQ9PCl
MD5:	1A19B0559409F62A97AEF9EF9F24A253
SHA1:	8F5A950C725DC90148C98E2D948CAA1F8C6399DA
SHA-256:	038DA6A005679DFE02D206A739667427A23D5EFCE4AB58DEA6DECBD43FF102FE
SHA-512:	FBFF0196C50FE5268FCEB38F8CFFEBFCE3618DCD8D32964BB61B3ECE974EA8F942EC080D3905D4341950D2F34C1033F6A8833CD3CD1B06AD92F46ADB6FECC2E9
Malicious:	false
Preview:	(...3..Qoy retne............................n./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:uxFQR0EPjWl:uxFQ9PCl
MD5:	1A19B0559409F62A97AEF9EF9F24A253
SHA1:	8F5A950C725DC90148C98E2D948CAA1F8C6399DA
SHA-256:	038DA6A005679DFE02D206A739667427A23D5EFCE4AB58DEA6DECBD43FF102FE
SHA-512:	FBFF0196C50FE5268FCEB38F8CFFEBFCE3618DCD8D32964BB61B3ECE974EA8F942EC080D3905D4341950D2F34C1033F6A8833CD3CD1B06AD92F46ADB6FECC2E9
Malicious:	false
Preview:	(...3..Qoy retne............................n./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:uxFQR0EPjWl:uxFQ9PCl
MD5:	1A19B0559409F62A97AEF9EF9F24A253
SHA1:	8F5A950C725DC90148C98E2D948CAA1F8C6399DA
SHA-256:	038DA6A005679DFE02D206A739667427A23D5EFCE4AB58DEA6DECBD43FF102FE
SHA-512:	FBFF0196C50FE5268FCEB38F8CFFEBFCE3618DCD8D32964BB61B3ECE974EA8F942EC080D3905D4341950D2F34C1033F6A8833CD3CD1B06AD92F46ADB6FECC2E9
Malicious:	false
Preview:	(...3..Qoy retne............................n./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:uxFQR0EPjWl:uxFQ9PCl
MD5:	1A19B0559409F62A97AEF9EF9F24A253
SHA1:	8F5A950C725DC90148C98E2D948CAA1F8C6399DA
SHA-256:	038DA6A005679DFE02D206A739667427A23D5EFCE4AB58DEA6DECBD43FF102FE
SHA-512:	FBFF0196C50FE5268FCEB38F8CFFEBFCE3618DCD8D32964BB61B3ECE974EA8F942EC080D3905D4341950D2F34C1033F6A8833CD3CD1B06AD92F46ADB6FECC2E9
Malicious:	false
Preview:	(...3..Qoy retne............................n./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlk/l:Ls3kt
MD5:	EBA9EEC616DEB3C275BD2FE4A5ACB222
SHA1:	CE8FBF8F95BB781B0A2A092FD78966D6A9F07FBB
SHA-256:	89AD05526B8F7872F4E3E224C2CB48C287C471EA2200EF401AC1027C883A4549
SHA-512:	D1C69D9658DEC8543EB1DB226943994488A381469ED6DA1AD94925F8F8AA9E210853CA1F7796BD1709378D4F7C8488B5C98097E3F756E4C927B15657D86AFCFF
Malicious:	false
Preview:	............................................n./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlz//:Ls3z
MD5:	05BB8899675508AFC1C636EA1F73741A
SHA1:	C614C93D3551A1A783EFA3D97FCC4834572BAE8C
SHA-256:	5CBAD06AC456D7D04924D29E06B8242E6B786D761A266BDE354CCF6F9571890E
SHA-512:	3D5D513E9280169486E7014C8ACD8D8B58659E51343E4183962169EFFEDE22B8F3E891AF0772E0E8EFDABEE9ECB40C55961D7ABE970B99E3F8C549A1620D8657
Malicious:	false
Preview:	........................................l...n./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	5.2189465565946165
Encrypted:	false
SSDEEP:	6:N5Ea/Az+RM1923oH+Tcwt0jqEKj3K/2jM8B2KLlL5ECIq2P923oH+Tcwt0jqEKjl:NiSG+RhYebqqBvFL1iCIv4YebqqBQFUv
MD5:	5951C7FEF25729D933E8FEDCB802FB17
SHA1:	C06F743D7F1416BDF7211974BA62B51E2DF1F189
SHA-256:	C1D03DD91DFA14070CEF93936A68A49223615B5D19C36408D340C979E091966D
SHA-512:	C90BF092E2C75AAC9BDA3D934E46A70BFCF68632815CB871D7621B38F30C48FE84DDC8DB217B2B970E880E32301E2E8A0443688FA4973BFB47A5E4496D74DA31
Malicious:	false
Preview:	2024/08/29-16:52:53.001 1e24 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/08/29-16:52:53.923 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\5dd3e467-b13e-4f22-b6a0-5d1e5bf2b1dd.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\767d5ef2-3744-4f52-800a-f03df6467bc4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF37ade.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF43b5f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\e16e32b7-c866-46d4-94db-ffc064bc82df.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKqk1Yn:YHkVKJTnMRKXk1Yn
MD5:	78BFCECB05ED1904EDCE3B60CB5C7E62
SHA1:	BF77A7461DE9D41D12AA88FBA056BA758793D9CE
SHA-256:	C257F929CFF0E4380BF08D9F36F310753F7B1CCB5CB2AB811B52760DD8CB9572
SHA-512:	2420DFF6EB853F5E1856CDAB99561A896EA0743FCFF3E04B37CB87EDDF063770608A30C6FFB0319E5D353B0132C5F8135B7082488E425666B2C22B753A6A4D73
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\ebce4a93-120b-423c-8a6a-9c87bb360995.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\fc4bbe85-9fa3-4f94-9b6e-27d1474ead10.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.7273991737283296
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
MD5:	9F7EADC15E13D0608B4E4D590499AE2E
SHA1:	AFB27F5C20B117031328E12DD3111A7681FF8DB5
SHA-256:	5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
SHA-512:	88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	393
Entropy (8bit):	5.21840024116762
Encrypted:	false
SSDEEP:	6:N5EJiURM1923oH+Tcwt0jqEKj0QM72KLlL5EJsJUCOq2P923oH+Tcwt0jqEKj0Qe:NiAURhYebqqB6L1iNCOv4YebqqBZFUv
MD5:	7A80D7F69600A4F66B5CF5A160B0C448
SHA1:	A67EB7CF64FC7F20456116DE17A6D6605E9AE56F
SHA-256:	60836929CA0B4AD8E7EDC2111C051CDFD3FF76A742EA91FD1F23AFF6A0E71DC6
SHA-512:	5273C7388BF51A74D1ED49E501453BAFF2D3897F7C5E9188F95FC9B2D13353F2511611C08B4110696603236DA9AF0D752376923AFFAAE10038D4C6CBBED75ADF
Malicious:	false
Preview:	2024/08/29-16:53:08.760 1e24 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/08/29-16:53:08.786 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.255108590587014
Encrypted:	false
SSDEEP:	6:N5EMmGXhq1923oH+Tcwtkx2KLlL5EX+q2P923oH+TcwtCIFUv:NiMzYebkVL1iuv4YebLFUv
MD5:	2B42E60E291AE3A9E0DE1F413E740267
SHA1:	2D4DA43E74D55DCB7EABB5E21A5825D4C0752135
SHA-256:	4DF126FD9CDE02FB6BF25B452DC5DE42433C20510B88BA4BAA430153CE583004
SHA-512:	4E69EED67BDD2F798EC51B8B9E6326B1071CE2F707482EF8C04FE6F61B30DABABF6D810D553FE61F13D07F580B0BDF6B20793F0023CB29C764F5BC220B0822F6
Malicious:	false
Preview:	2024/08/29-16:52:51.045 1d38 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB since it was missing..2024/08/29-16:52:51.344 1d38 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002110589502647469
Encrypted:	false
SSDEEP:	3:ImtVj:IiVj
MD5:	77D50E6D132956A4A8FA600679BC8BB8
SHA1:	83FD0F6CD1DCA6F517BD39D29F13D1C477E66675
SHA-256:	1E20F6939551D54FBD96F446823FB2136174F37461BCE30876313A18573E9FC2
SHA-512:	9C1D1A3D8FD42FD413AB9B7C129463AE27F946BF344BD9E7A7A94E08605893243B9A0A6E007666192722392FB829363D6954155C60CBE5D883FFFF2F1B17D0EA
Malicious:	false
Preview:	VLnk.....?......fS_-..h.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.0769390311282947
Encrypted:	false
SSDEEP:	192:erb2qAdB9TbTbuDDsnxCkO4SAE+WslKOMq+vVumYDln66:e/2qOB1nxCkO4SAELyKOMq+vVumSp
MD5:	C3C59C4C90F763272808981A51410F4F
SHA1:	176F1A96C93DC9A7A63115AB25D4818215B1F4D3
SHA-256:	6AF77627B5FF533D922EA3AB96AF9948331699E62C91F0F33A98F4ADA452990C
SHA-512:	82EECA8E22E282C18C3F8C8DEC53D7086182B1DAEC1F0E2F004AC7A5F9CFD25627BC6159559CF45BCD8D66A431FB530CD30D420C38A907072551853465034293
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\c3626da1-a23f-4cb2-81ce-c7e8cb3d61be.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\cbafeb86-5cae-4d75-9695-288049eb667c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566291948505433
Encrypted:	false
SSDEEP:	768:HifXpaWP1UuVfb+8F1+UoAYDCx9Tuqh0VfUC9xbog/OVIVXoQrwnpGtuR:HifXpaWP1UuVfb+u1jaF1ohYtq
MD5:	90C042298590510E676679E0CB9CE5A2
SHA1:	BF8AA122148C338AF2D385CDC7BEC5DEC373BDC1
SHA-256:	1E1DB39713A5E3DF53B41C6D24902A222652AB173D50D8A1A54C9E0466DBA3F5
SHA-512:	E853CA97ACD118973C6D1053CBA5FBB24A3F04263668672C8B731676409833D4DD410E94AA92AD5B232D5B27F04B21C0E1B8DE9AAA27E662779A5D031130B946
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369438371062910","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369438371062910","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:	3:lSWFN3sl+ltlMWll:l9Fys1M
MD5:	A8E75ACC11904CB877E15A0D0DE03941
SHA1:	FBEE05EA246A7F08F7390237EA8B7E49204EF0E0
SHA-256:	D78C40FEBE1BA7EC83660B78E3F6AB7BC45AB822B8F21B03B16B9CB4F3B3A259
SHA-512:	A7B52B0575D451466A47AFFE3DCC0BC7FC9A6F8AB8194DA1F046AADA0EDDCCA76B4326AA9F19732BA50359B51EC72896BB8FA2FC23BAA6847C33AB51218511A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28499812076190567
Encrypted:	false
SSDEEP:	3:7FEG2l/3M6tl/lFll:7+/l/3M6
MD5:	49BCF5FF0AFF6CF17C7CC82AA1B4D220
SHA1:	10F50290B87A64420C13254B74E04A1E46D12D41
SHA-256:	732359777F4740E3FD5A795B5A0461C49009494BE2AEBDAE00898CA9EAC3237A
SHA-512:	DA8261D649FCAAB21392939E9403F0B1E70853AED003EBF8F90B4C47AF807AE9AAB87F4FADB6E61641E2982FF53E1BA828AD5F2F6BFD80DF4DDBD4A6B580972F
Malicious:	false
Preview:	.... .c.....R.d................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04984514804431803
Encrypted:	false
SSDEEP:	6:GLW0Cy+W0C4kL9X8hslotGLNl0ml/XoQDeX:aC1C4AGEjVl/XoQ
MD5:	640429AD21F5A2F706489485FED80B3B
SHA1:	33275376E59360FA936BD69BB0BE90118FA13101
SHA-256:	10218AE451F09F9C0629FD0A0F12ACC377BC301CC0186096271FAEDFCF80F887
SHA-512:	004A87E317F2FAF0D4F715C0E6F8A8BA9095F0D18AF9CEE960483AE0C918CD93A9CA828695CBC403ED7C23DCD6B13A7B7B1F36CB5F5961EC43D84774549012DC
Malicious:	false
Preview:	..-.......................o..B=.......WN/.......-.......................o..B=.......WN/.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	70072
Entropy (8bit):	0.9983821171442555
Encrypted:	false
SSDEEP:	48:tWzxoXlO+o9cbX+H3n9VAKAFXX+p2VAKAFXX+fXxOqVAKAFXX+HCnUYVAKAFXX+A:tOxoP20NsXNsJO5NsHtNsP4
MD5:	B891EA8C8D0610792E6F6B1DDF2EAA7B
SHA1:	2382FE74E43C73635F6F7D0767031535C4A8910F
SHA-256:	B7F5D9E39EA0C6C25B86A3ECD20AE3790B211A68CEA83F90BE7A89628F15E4CA
SHA-512:	D415FB4E60FB1A49DA7F555D332E56B9F6A5AD3F54D92E3AD7C05C4213D9D0AD9F0153017438D7D40B7A86AF95E98270CE93E4B7617827124B7FA0415947BE6A
Malicious:	false
Preview:	7....-................WN.....................WN]..y.r.fSQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1566
Entropy (8bit):	5.489788036359761
Encrypted:	false
SSDEEP:	48:gk8wSBSoQmPJHRHlxTIYjIYVzVqkEMYjMYzyGAlkfAlkq3:q0oQAIYjIYVzVbEMYjMYzYcYH3
MD5:	E40652966F0D7703A6C06E8EB93F1791
SHA1:	A99834EA2A4CFDAFD42A6A581D89CB92BE686AEE
SHA-256:	183FF14B3A311B7E7AF8E1D259B8E962645D6185EB168F9D254241DE75EC77F3
SHA-512:	2CB4015597EC505CA1B1555AE3BBB8185CA5814AE010D7386F86EF2912B4FD7904A3D6E685341D86933FF25C80A3AE60FCEA6C234EA37FF1E9DB0EF418D7A176
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..&f...................................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel.....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch......4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton.....&4_IPH_FocusHelpBubbleScreenReaderPromo.$IPH_FocusHelpBubbleScreenReaderPromo......4_IPH_GMCCastStartStop...IPH_GMCCastStartStop......4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode......4_IPH_LiveCaption...IPH_LiveCaption......4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage....."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch.....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeature......4_IPH_PriceTrackingChipFeature"..IPH_PriceTrackingChipFeature.....&4_IPH_PriceTrackingEmailConsentFeature.$IPH_PriceTrackingEmailConsentFeature.....-4_IPH_PriceTrackingPageActionIconLabelFeature1.+IPH_PriceTrackingPageActionIconLabelFe

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.271260555488571
Encrypted:	false
SSDEEP:	6:N5EBsgVR1923oH+Tcwt0rl2KLlL5EBYyq2P923oH+Tcwt0rK+IFUv:NitV8YebeL1i/v4Yeb13FUv
MD5:	5D8F9CC5743AB4CFA03B4F13E5DC04BB
SHA1:	EDA2C4E418FF7E726CB5470E29C61DDDA5DCC3B5
SHA-256:	BF576C79BA0014604AC931331402FBA5AF2060816C19D84A7B0AC3148E943FAF
SHA-512:	F0554CAB88D97128C7DD7743249F80B66C9014ADA993FAD7219FB03E491DA41894F1A8658A42ED0AFB05941341551EC0C112FA3C1FB2C0101C1F587645E9D4EF
Malicious:	false
Preview:	2024/08/29-16:52:52.307 1d30 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db since it was missing..2024/08/29-16:52:52.317 1d30 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	729
Entropy (8bit):	3.958141412815535
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Wui+it/4JbZfPStub/RG0lbANqa:G0nYUtypD3RXi6FZfc25m
MD5:	FBC524D02048C176A0A5D1B8B752932A
SHA1:	294C48557549A4C978326D9B7969E293A024F157
SHA-256:	F3FC95AE128DB918FC126F15CD9D96618482BA6ACCC622AAA19B10CE80B15EA0
SHA-512:	9B6434442E11610B8B5DDA43AA56656599925C9C8F0A364DDB69D15B37A912D223EE600012468E0DB723CAF3546FFBDF56F085A0159EA7968BBACE894AAFF856
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....!....................3_.....n.b..................4_.........................37_.......`.................38_.....].$&.................39_.....4.9..................20_......R...................20_.......1..................19_......(...................18_.....:.=..................3_......W2..................4_.....)..>.................37_..........................38_.....h.#..................39_.....P"...................9_.........................9_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.2245763918250825
Encrypted:	false
SSDEEP:	6:N5EBlR1923oH+Tcwt0rzs52KLlL5EBipyq2P923oH+Tcwt0rzAdIFUv:NiL8Yeb99L1iwMv4YebyFUv
MD5:	CCADCB71D99576FC8D4543BDF0C9E05F
SHA1:	6E16162AFA768618BC0A68C9285B44A5CC51756E
SHA-256:	728B8059FFC90E7B16DC63AF2ADA6C4909EDB05DBCA4C449B0C31093E31AED4C
SHA-512:	9C4CA7655385D5314FC75FC5C0CBA6DC17952EED7572AE3CD7F22DB03D1AD0ADAA65014AE4699F55EA14540AC2435C8A8D626EC1AA283855E52BD30161CF6AF3
Malicious:	false
Preview:	2024/08/29-16:52:52.127 1d30 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata since it was missing..2024/08/29-16:52:52.304 1d30 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlGal:Ls3Gu
MD5:	A65FC5803835DCCE42E9374D85169635
SHA1:	B09AE24270F06F9E626C17F3A718B168E6373622
SHA-256:	A0AF6D3BCDFC8F9C7249B076AA7EF39620E38E53E5BCDD23D2B1FE8A55F66035
SHA-512:	2CA6BACC99C263BE2479A168D1961ECDB7853D0970A82C6E0705680813A5A964A9BBB7AFB54CDACC585F7822D5A7F26362DE70E642153B246E51BF134C25E762
Malicious:	false
Preview:	........................................;C..n./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlnCau:Ls3Cau
MD5:	AD75A3CF04C87D05007D91E0FBD4B01F
SHA1:	E3D30F298A621F0DCE6601C67377517FACD2021E
SHA-256:	52A4A752F459513E58A49FCAF84F09F2411D2F59D0E63C1D050DC4B0EA56CDA3
SHA-512:	C4DD550FB7F184E26E6E9DC7749B0F1F45B31610019C412CEE5BA4FA1D4CB85811288FBC72C5FF88883A97E23B41C5BBE6C08AD531A5E3356F7293B828B2E897
Malicious:	false
Preview:	............................................n./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF30aaf.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF30abf.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF30cd2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF30d9d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3346f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF35bae.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3f6e4.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF41df4.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF48096.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.543021557720748
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt8TO9Zd6vv2HI+sp4MMA4VyikE8JdXBuBuwBVvarnNhWzbX6Qq:YuBqDPaf+TOdEE1MMph7agBzBlWzWzb+
MD5:	32231DD1658D7657F72F4718FFEB4520
SHA1:	52D6210E8A60F25E089451FDA3CE951E3AB67741
SHA-256:	3B45D7ECBF75269D9DAC901BFE9A10DE197A3BD1590D1CE79C323170A0A60D27
SHA-512:	005B97D867D8CA7ED38E771DF49495C2D73BFBE26CD1CE67D1A865668A02E06C209722AC53CD3D28C3BA4681921C6D85F80400FD94CC9FF7253078382DCBFC6A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369438370314533","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1724964770"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNln:Ls3n
MD5:	8F968C6F586188ED94FF3D753E5A8687
SHA1:	4BD1C6A78F5A7D92217C5A4B5F02DFBACC4A3742
SHA-256:	B48E915BDBB23CCAC40ED49465E13C3CEADAFE7D77570E6AE2523A9250BE5B7A
SHA-512:	5E78121C998DAA13F9A1DC8FC6CFE10E2711C0AD103E654D3C632875918909D487D78C8EE9CE8F33953757600ADEA0D881F0B2A3DD59C5EAD274ED457CFDA548
Malicious:	false
Preview:	.........................................K..n./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.5724312513221195
Encrypted:	false
SSDEEP:	3:kDnaV6bVon:kDYa2
MD5:	5692162977B015E31D5F35F50EFAB9CF
SHA1:	705DC80E8B32AC8B68F7E13CF8A75DCCB251ED7D
SHA-256:	42CCB5159B168DBE5D5DDF026E5F7ED3DBF50873CFE47C7C3EF0677BB07B90D4
SHA-512:	32905A4CC5BCE0FE8502DDD32096F40106625218BEDC4E218A344225D6DF2595A7B70EEB3695DCEFDD894ECB2B66BED479654E8E07F02526648E07ACFE47838C
Malicious:	false
Preview:	edgeSettings_2.0-0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.493433469104717
Encrypted:	false
SSDEEP:	3:kfKbQSQSuLA5:kyUc5
MD5:	3F90757B200B52DCF5FDAC696EFD3D60
SHA1:	569A2E1BED9ECCDF7CD03E270AEF2BD7FF9B0E77
SHA-256:	1EE63F0A3502CFB7DF195FABBA41A7805008AB2CCCDAEB9AF990409D163D60C8
SHA-512:	39252BBAA33130DF50F36178A8EAB1D09165666D8A229FBB3495DD01CBE964F87CD2E6FCD479DFCA36BE06309EF18FEDA7F14722C57545203BBA24972D4835C8
Malicious:	false
Preview:	synchronousLookupUris_636976985063396749.rel.v2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.9904355005135823
Encrypted:	false
SSDEEP:	3:0xXF/XctY5GUf+:0RFeUf+
MD5:	E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:	5AAAC173107C688C06944D746394C21535B0514B
SHA-256:	EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:	837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:	false
Preview:	topTraffic_170540185939602997400506234197983529371

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\b591ce98-3bbf-48ca-9ac7-04c2ae6887df.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.588808794705378
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0af+TOdEE1MMpCj7akHB+8drxIvBlWEWvRnnaJkXRcvwlRKM1Y:Xq8NkC1f+T+EcihBJavvinaJkBck9zq
MD5:	342E60CE6E19B6CC6ECB532574C587EB
SHA1:	00E665DA0D367D52693831C6656041094555671E
SHA-256:	D2C48F2FC21073C91EAACB1FFCCCF04C7A3DA32FD3BC9A976A824ABCA23CE007
SHA-512:	03E1BD56C033D29BED70CDC3E6A232DFE685C95A6485AEDC1570B638213C6943CEA72F0E2312BDB2486D87CBBD92F4BDC6FF248FC892C14EABA3E23F98E24C00
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcHXTnbQ=="},"policy":{"last_statistics_update":"13369438370354459"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\f29c9b48-1db2-4dbe-8d67-eabd280b7106.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20761
Entropy (8bit):	6.066517842046125
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSJgXjQB2xj1KgzFsGCxq5+:LMGQ7FCYXGIgtDAWtJ4nmjQBEj11Bshr
MD5:	0D01383A075433858E8BD1A9FB1792BC
SHA1:	CC7755EFCDFF099E42AC0009AE1F7D6A93F7E34F
SHA-256:	484C64A0D08BF942E1AB6BC9D13F4AD2E121372A8B89329B1DCB086B811E2403
SHA-512:	73FD6DC53BB50E97BA2F62E7CBD405B86C16C6BE8D7462A2657093091D7691D30302BD7498FC9F0597225725C2DCDF1D4CA5A0C21638D99CE3C3A2125D2E4B3A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\f3b8f19e-017f-4903-ae71-5a57d63f3907.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4235
Entropy (8bit):	5.498905303184921
Encrypted:	false
SSDEEP:	96:0q8NkGS1f+T+Eci58rh/cI9URoDotoq8BJavvJG9JkBcMSDS4S4SDSGsvI4a:/8NBSq+EcLeoDUKgGTkBZ
MD5:	C91BACF5153CD261B18E3A01D801B325
SHA1:	661EEBD794EE89EF8ED4AB2E1269D0D0AAF52F0C
SHA-256:	6C614B653241180B9AF73F7D7BD45DB2BD0311304C6410903E4CBBDBCE969D54
SHA-512:	78573538ADE2A734837800483DD765856F64743B8EC6838DCD59DF19CB520FFE607FB5AE772E71A1A9AF88FB5283276CC34B87EBB22D670C3B5162A9174FA65D
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABfu+ShhkeTRZIoBrJiP9y8EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAA7/KdhcVMilHw7w5ubTVmuXZ+Bdd/jsnyUmDi1Niwn6AAAAAAOgAAAAAIAACAAAACK+OAMxJk9h4lqjkblURMqRjR5yr9Llz/pj9ucc2o6HzAAAAAZuyjBDAju7YYEMKLG/h1wFSr/H8OL6CxI+wtXP4RW8AHrS2/6EnWSGqnbEpfRwH9AAAAAXXT88dTQAwDKi6dGQQLq4+mTvqCyWGcjuGaJA/apNiPWjbPFokn0uZ4TblEUhQRw7800E/05WG4icTvcH

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0ab0123a-42c7-465a-a02d-7c593ee10d98.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.096225500586861
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBXFughDO6vP6Oc6ngB/nxvEFNcGoup1Xl3jVzXr4z:z/Ps+wsI7yOEy68Cchu3VlXr4CRo1
MD5:	9818327413401DFD5BF676A78CF6F9BA
SHA1:	28A93CFFF720722C874996B7B4D34261456B432F
SHA-256:	C1246BD8644C9C81C15108583E2EC6F62B0D0DD937D6523DEAE8A9BF1F902C8B
SHA-512:	B2D07290D9F7F5D5FDDA5458A2681454898BC4E14D402329F7F3CAC80ADE51186B6F9C3987E2DD8566179E3D7D74764C5DD6A123D073A59886965AE555AD2C09
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\830f81f5-dfc0-4e50-b3f5-9ad6d08ed277.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090743887185456
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMHwuF9hDO6vP6O+itbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEP6ntbz8hu3VlXr4CRo1
MD5:	F71D78BD83F1B792BF24B36614F59FF7
SHA1:	C0EA0B25B03BEC37F43DB2ADA9F8F7F1A64FB526
SHA-256:	9820D536155AA5FBAC2470F08B2F15A304A183E598709093DD66ADB8CE4CB44D
SHA-512:	A582D84035E01EF9D3E2FB4E974D78FED782DF11C87327A56E024981BEBDAD84CC6BBBA3AA56F8928F831ABB02772779ABA776861C537BED22D2ECBBD84358BA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8a969297-bd98-40c5-997e-c7abdb995176.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44672
Entropy (8bit):	6.096268775163464
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBXwughDO6vP6Oc6nFB/nxvEFNcGoup1Xl3jVzXr4z:z/Ps+wsI7yOEN68pchu3VlXr4CRo1
MD5:	F1E40CC84A1C0740C902EAD81DFE3A48
SHA1:	BAD1BF999A06A3B273258D56D93AD14D53CC7B7B
SHA-256:	C23873959DE55ADED94126B5218B900CE9974046E95E229E2A5962CBCD1B0AB5
SHA-512:	30AEC535B487ECCB2C79CA7C14033678C84B963FF111C9C2DB0BA321C65AC0AA7815DDD48B2DD19FE7CE623C112111D0928FA01BD9139DB5067AC47C62E47FE8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66D0DFBD-1F24.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.1465019790226351
Encrypted:	false
SSDEEP:	1536:BvhtpDXiFHTbFqRo8txRGa9HlUmEnQRG:BptpeFHTbFcmaHlUmEnd
MD5:	AFD93CD88A21330B07CCE471A57E3518
SHA1:	5CF4AD086F091FBF217CF846214617A803F1D98A
SHA-256:	522965BF103E307F74DD7500A6D4904DCCD38E29B71831A5654686C4264D9AAE
SHA-512:	392A24D1EAEB053508576FF36E4816C03BEFF77C5554498A9CACC10E1BB56092D6FADEC947A0B966358DE97D69B2467547DB46403DAB496107B6E4C272261241
Malicious:	false
Preview:	...@..@...@.....C.].....@...................x...............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".kbmcme20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............(......................w..U].0r........>.........."....."...24.."."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...u...V.S@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2............... .2........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.132041621771752
Encrypted:	false
SSDEEP:	3:FiWWltlApdeXKeQwFMYLAfJrAazlYBVP/Sh/JzvPWVcRVEVg3WWD5x1:o1ApdeaEqYsMazlYBVsJDu2ziy5
MD5:	845CFA59D6B52BD2E8C24AC83A335C66
SHA1:	6882BB1CE71EB14CEF73413EFC591ACF84C63C75
SHA-256:	29645C274865D963D30413284B36CC13D7472E3CD2250152DEE468EC9DA3586F
SHA-512:	8E0E7E8CCDC8340F68DB31F519E1006FA7B99593A0C1A2425571DAF71807FBBD4527A211030162C9CE9E0584C8C418B5346C2888BEDC43950BF651FD1D40575E
Malicious:	false
Preview:	sdPC......................X..<EE..r/y..."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................fdb35e9f-12f5-40d5-8d50-87a9333d43a4............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\1d4120d8-e90d-45b3-9369-1420c83a80bb.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.568482898291424
Encrypted:	false
SSDEEP:	768:0PMAIrWP/ifsj8F1+UoAYDCx9Tuqh0VfUC9xbog/OVh0RZ/rwoApMtub:0PMAIrWP/ifsju1jaQiZMo7tg
MD5:	9B45160D3F24D4C4615E205264994AF2
SHA1:	CBC548FB6EF2A8D0C195E8BDD937534AD1C052D2
SHA-256:	3F14C7F4097318EFF15D334257158462F8EBA4CD23A4C3B854A34880A8CDEC56
SHA-512:	D4A17F72D301E888D94736DDAFEC8DEF942247174F765808A4870CDFC14B406B7FDEBFB347048917C362B4E8CEB01EB2C56DF64F98B3C8C38E571EDDF17D5D73
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369438389439446","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369438389439446","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\32212878-948e-4571-a09b-dbfd204fccc8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\3c8682ab-2987-4f9a-acd1-436f5b3bbc0c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.091797974058039
Encrypted:	false
SSDEEP:	192:stO/Rswx8CZihnk0sY8bV+FiA66WblaFIMY7bLMJ:stO/Rswx8xhIbGix6WblaTYk
MD5:	281B5F597A7AAC29C6BD3C7E73A02263
SHA1:	2D00F34C911BC8E99E5EA075B1CC3982D3C1A9F7
SHA-256:	FC038810C250D414559923DE16A0C1C7318D51950D66FB1D10B18E21C03DB958
SHA-512:	79784E5A6FF934C19C9205F451E31B6F5A271668A11B00B190BA5F988C6B7C7EBE2C2B530996511710A42B6E2C659978F5398473981F1FD42E67D3BFB97D99EB
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369438389679974","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\8efaa2ad-4fe3-4287-9e7d-ad98aae701af.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.243491556847922
Encrypted:	false
SSDEEP:	6:N5EJu91yq2P923oH+TcwtnG2tMsIFUt885EJ53j1Zmw+85EJ531RkwO923oH+Tci:Ni091yv4Yebn9GFUt88irJ/+8ir1R5L5
MD5:	E1FA42878C0D7D5BC89D2E9857FC0BEA
SHA1:	DD30E3B997D81E5FC3F5EDDDA0B83C2843C6E900
SHA-256:	F50313E61213237CDA36A4DEBCB2610F538E7D087A6E3BFD288EAE1A0C03954A
SHA-512:	7B40B2822C191F58C858337D4103DDAA345A243CB152AC565DD1997225F56A54A272D23B4DA1BAE4C941FF5DF646F4161A25F07EDB073AB7E95C1747348A5559
Malicious:	false
Preview:	2024/08/29-16:53:09.545 23c4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/29-16:53:09.546 23c4 Recovering log #3.2024/08/29-16:53:09.546 23c4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.243491556847922
Encrypted:	false
SSDEEP:	6:N5EJu91yq2P923oH+TcwtnG2tMsIFUt885EJ53j1Zmw+85EJ531RkwO923oH+Tci:Ni091yv4Yebn9GFUt88irJ/+8ir1R5L5
MD5:	E1FA42878C0D7D5BC89D2E9857FC0BEA
SHA1:	DD30E3B997D81E5FC3F5EDDDA0B83C2843C6E900
SHA-256:	F50313E61213237CDA36A4DEBCB2610F538E7D087A6E3BFD288EAE1A0C03954A
SHA-512:	7B40B2822C191F58C858337D4103DDAA345A243CB152AC565DD1997225F56A54A272D23B4DA1BAE4C941FF5DF646F4161A25F07EDB073AB7E95C1747348A5559
Malicious:	false
Preview:	2024/08/29-16:53:09.545 23c4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/29-16:53:09.546 23c4 Recovering log #3.2024/08/29-16:53:09.546 23c4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF37418.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.243491556847922
Encrypted:	false
SSDEEP:	6:N5EJu91yq2P923oH+TcwtnG2tMsIFUt885EJ53j1Zmw+85EJ531RkwO923oH+Tci:Ni091yv4Yebn9GFUt88irJ/+8ir1R5L5
MD5:	E1FA42878C0D7D5BC89D2E9857FC0BEA
SHA1:	DD30E3B997D81E5FC3F5EDDDA0B83C2843C6E900
SHA-256:	F50313E61213237CDA36A4DEBCB2610F538E7D087A6E3BFD288EAE1A0C03954A
SHA-512:	7B40B2822C191F58C858337D4103DDAA345A243CB152AC565DD1997225F56A54A272D23B4DA1BAE4C941FF5DF646F4161A25F07EDB073AB7E95C1747348A5559
Malicious:	false
Preview:	2024/08/29-16:53:09.545 23c4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/29-16:53:09.546 23c4 Recovering log #3.2024/08/29-16:53:09.546 23c4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.210907322163027
Encrypted:	false
SSDEEP:	6:N5EJ5N1yq2P923oH+Tcwt8aPrqIFUt885EJi13j1Zmw+85EJi131RkwO923oH+Ts:NiR1yv4YebL3FUt88iQ13J/+8iQ131RS
MD5:	8DF2CFBF55C639C0A8AB1884E586C8D7
SHA1:	D6F5F1D598E0768B7E46706B9109CEB89DB59E2F
SHA-256:	7B9F2F1ED27A230E2DB3C37DBA0D0CD8EA2377DE9001F9B61DE039327149038D
SHA-512:	BDDC866C1DBDC85C31CDB3CE7644BFF4E35A8AF439DA44D34A98A0047570AD417701E4C7568374CE57A3BE1E2EFEA49DA699DFAD947C257B3B3055B917CCAA60
Malicious:	false
Preview:	2024/08/29-16:53:09.548 23c4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/29-16:53:09.549 23c4 Recovering log #3.2024/08/29-16:53:09.549 23c4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.210907322163027
Encrypted:	false
SSDEEP:	6:N5EJ5N1yq2P923oH+Tcwt8aPrqIFUt885EJi13j1Zmw+85EJi131RkwO923oH+Ts:NiR1yv4YebL3FUt88iQ13J/+8iQ131RS
MD5:	8DF2CFBF55C639C0A8AB1884E586C8D7
SHA1:	D6F5F1D598E0768B7E46706B9109CEB89DB59E2F
SHA-256:	7B9F2F1ED27A230E2DB3C37DBA0D0CD8EA2377DE9001F9B61DE039327149038D
SHA-512:	BDDC866C1DBDC85C31CDB3CE7644BFF4E35A8AF439DA44D34A98A0047570AD417701E4C7568374CE57A3BE1E2EFEA49DA699DFAD947C257B3B3055B917CCAA60
Malicious:	false
Preview:	2024/08/29-16:53:09.548 23c4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/29-16:53:09.549 23c4 Recovering log #3.2024/08/29-16:53:09.549 23c4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.2210367671814595
Encrypted:	false
SSDEEP:	6:N5EJJN1yq2P923oH+Tcwt865IFUt885EJh3j1Zmw+85EJh31RkwO923oH+Tcwt8e:NiLN1yv4Yeb/WFUt88iTJ/+8iT1R5LY4
MD5:	A6FCA69A48A88D3E6E15E701D03B8EE1
SHA1:	B59699F42817CE4758A41327BBB00E0E4456CD59
SHA-256:	948F9D1DC7081EF8DAD254AE92B946149E76B643A7F9F41206550367511BF01B
SHA-512:	7B640693D1594707228DDBE5B9E0724D759E660F0AD76F8D10B1D3EEF06704F88BC25642898AC7F3FA0408457030B6F0BD8CE89F0B85B7A4F9AB719DD9512B59
Malicious:	false
Preview:	2024/08/29-16:53:09.562 23c4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/29-16:53:09.564 23c4 Recovering log #3.2024/08/29-16:53:09.564 23c4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.2210367671814595
Encrypted:	false
SSDEEP:	6:N5EJJN1yq2P923oH+Tcwt865IFUt885EJh3j1Zmw+85EJh31RkwO923oH+Tcwt8e:NiLN1yv4Yeb/WFUt88iTJ/+8iT1R5LY4
MD5:	A6FCA69A48A88D3E6E15E701D03B8EE1
SHA1:	B59699F42817CE4758A41327BBB00E0E4456CD59
SHA-256:	948F9D1DC7081EF8DAD254AE92B946149E76B643A7F9F41206550367511BF01B
SHA-512:	7B640693D1594707228DDBE5B9E0724D759E660F0AD76F8D10B1D3EEF06704F88BC25642898AC7F3FA0408457030B6F0BD8CE89F0B85B7A4F9AB719DD9512B59
Malicious:	false
Preview:	2024/08/29-16:53:09.562 23c4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/29-16:53:09.564 23c4 Recovering log #3.2024/08/29-16:53:09.564 23c4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.194303165395706
Encrypted:	false
SSDEEP:	6:N5EJ2X91yq2P923oH+Tcwt8NIFUt885EJ2Mr3j1Zmw+85EJ2Mr31RkwO923oH+TG:NiQX91yv4YebpFUt88iQE3J/+8iQE31u
MD5:	B26E2A4563C8E98399EAF6C6BEECE137
SHA1:	0A615C55ED07A96416C5BE5654B35134C00357B2
SHA-256:	26241EE18C7AAD3DBF4291ADB48B5C7D34208360DEFDEDF9B76CC469407E7E98
SHA-512:	25E6ED2DC9A2411CD9A59277F0D8016BD81CA91099AC6524A5AEAA84E4DE1A4E88E78BAFA6E2C84CDD399F32A364469120ED1DD05DE0C73BDB0A4A58C18035D6
Malicious:	false
Preview:	2024/08/29-16:53:09.828 23c4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/29-16:53:09.829 23c4 Recovering log #3.2024/08/29-16:53:09.829 23c4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.194303165395706
Encrypted:	false
SSDEEP:	6:N5EJ2X91yq2P923oH+Tcwt8NIFUt885EJ2Mr3j1Zmw+85EJ2Mr31RkwO923oH+TG:NiQX91yv4YebpFUt88iQE3J/+8iQE31u
MD5:	B26E2A4563C8E98399EAF6C6BEECE137
SHA1:	0A615C55ED07A96416C5BE5654B35134C00357B2
SHA-256:	26241EE18C7AAD3DBF4291ADB48B5C7D34208360DEFDEDF9B76CC469407E7E98
SHA-512:	25E6ED2DC9A2411CD9A59277F0D8016BD81CA91099AC6524A5AEAA84E4DE1A4E88E78BAFA6E2C84CDD399F32A364469120ED1DD05DE0C73BDB0A4A58C18035D6
Malicious:	false
Preview:	2024/08/29-16:53:09.828 23c4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/29-16:53:09.829 23c4 Recovering log #3.2024/08/29-16:53:09.829 23c4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old~RF37485.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.194303165395706
Encrypted:	false
SSDEEP:	6:N5EJ2X91yq2P923oH+Tcwt8NIFUt885EJ2Mr3j1Zmw+85EJ2Mr31RkwO923oH+TG:NiQX91yv4YebpFUt88iQE3J/+8iQE31u
MD5:	B26E2A4563C8E98399EAF6C6BEECE137
SHA1:	0A615C55ED07A96416C5BE5654B35134C00357B2
SHA-256:	26241EE18C7AAD3DBF4291ADB48B5C7D34208360DEFDEDF9B76CC469407E7E98
SHA-512:	25E6ED2DC9A2411CD9A59277F0D8016BD81CA91099AC6524A5AEAA84E4DE1A4E88E78BAFA6E2C84CDD399F32A364469120ED1DD05DE0C73BDB0A4A58C18035D6
Malicious:	false
Preview:	2024/08/29-16:53:09.828 23c4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/29-16:53:09.829 23c4 Recovering log #3.2024/08/29-16:53:09.829 23c4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\6e394de0-ec8f-488b-a1f0-93e28be9152c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\a93da2b5-aeb9-45bd-a293-dd0f5074c98d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.091797974058039
Encrypted:	false
SSDEEP:	192:stO/Rswx8CZihnk0sY8bV+FiA66WblaFIMY7bLMJ:stO/Rswx8xhIbGix6WblaTYk
MD5:	281B5F597A7AAC29C6BD3C7E73A02263
SHA1:	2D00F34C911BC8E99E5EA075B1CC3982D3C1A9F7
SHA-256:	FC038810C250D414559923DE16A0C1C7318D51950D66FB1D10B18E21C03DB958
SHA-512:	79784E5A6FF934C19C9205F451E31B6F5A271668A11B00B190BA5F988C6B7C7EBE2C2B530996511710A42B6E2C659978F5398473981F1FD42E67D3BFB97D99EB
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369438389679974","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF37502.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.091797974058039
Encrypted:	false
SSDEEP:	192:stO/Rswx8CZihnk0sY8bV+FiA66WblaFIMY7bLMJ:stO/Rswx8xhIbGix6WblaTYk
MD5:	281B5F597A7AAC29C6BD3C7E73A02263
SHA1:	2D00F34C911BC8E99E5EA075B1CC3982D3C1A9F7
SHA-256:	FC038810C250D414559923DE16A0C1C7318D51950D66FB1D10B18E21C03DB958
SHA-512:	79784E5A6FF934C19C9205F451E31B6F5A271668A11B00B190BA5F988C6B7C7EBE2C2B530996511710A42B6E2C659978F5398473981F1FD42E67D3BFB97D99EB
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369438389679974","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.568482898291424
Encrypted:	false
SSDEEP:	768:0PMAIrWP/ifsj8F1+UoAYDCx9Tuqh0VfUC9xbog/OVh0RZ/rwoApMtub:0PMAIrWP/ifsju1jaQiZMo7tg
MD5:	9B45160D3F24D4C4615E205264994AF2
SHA1:	CBC548FB6EF2A8D0C195E8BDD937534AD1C052D2
SHA-256:	3F14C7F4097318EFF15D334257158462F8EBA4CD23A4C3B854A34880A8CDEC56
SHA-512:	D4A17F72D301E888D94736DDAFEC8DEF942247174F765808A4870CDFC14B406B7FDEBFB347048917C362B4E8CEB01EB2C56DF64F98B3C8C38E571EDDF17D5D73
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369438389439446","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369438389439446","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.184729975072336
Encrypted:	false
SSDEEP:	6:N5EJ68AQyq2P923oH+Tcwt7Uh2ghZIFUt885EJ68AG1Zmw+85EJ6dAQRkwO923oz:NicRQyv4YebIhHh2FUt88icRg/+8icCj
MD5:	E1EB1930D7C75EF0231204E7CDEB3AE3
SHA1:	513FC6841523C3D972D9198D197844521787B46C
SHA-256:	8304C7559795595ED29034BAE0529A8517CA537EEEA8AF2A9C82017CEC93C08A
SHA-512:	D42D99A1DB451A00CD1892C48707FEA57B9B3A522792202E7DA7D7AB62A20952A4F83F8233AAE539BB98C46118DB60238C99256C4320370EBBD6195C2687E634
Malicious:	false
Preview:	2024/08/29-16:53:09.437 2094 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/29-16:53:09.437 2094 Recovering log #3.2024/08/29-16:53:09.438 2094 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.184729975072336
Encrypted:	false
SSDEEP:	6:N5EJ68AQyq2P923oH+Tcwt7Uh2ghZIFUt885EJ68AG1Zmw+85EJ6dAQRkwO923oz:NicRQyv4YebIhHh2FUt88icRg/+8icCj
MD5:	E1EB1930D7C75EF0231204E7CDEB3AE3
SHA1:	513FC6841523C3D972D9198D197844521787B46C
SHA-256:	8304C7559795595ED29034BAE0529A8517CA537EEEA8AF2A9C82017CEC93C08A
SHA-512:	D42D99A1DB451A00CD1892C48707FEA57B9B3A522792202E7DA7D7AB62A20952A4F83F8233AAE539BB98C46118DB60238C99256C4320370EBBD6195C2687E634
Malicious:	false
Preview:	2024/08/29-16:53:09.437 2094 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/29-16:53:09.437 2094 Recovering log #3.2024/08/29-16:53:09.438 2094 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF373f8.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.184729975072336
Encrypted:	false
SSDEEP:	6:N5EJ68AQyq2P923oH+Tcwt7Uh2ghZIFUt885EJ68AG1Zmw+85EJ6dAQRkwO923oz:NicRQyv4YebIhHh2FUt88icRg/+8icCj
MD5:	E1EB1930D7C75EF0231204E7CDEB3AE3
SHA1:	513FC6841523C3D972D9198D197844521787B46C
SHA-256:	8304C7559795595ED29034BAE0529A8517CA537EEEA8AF2A9C82017CEC93C08A
SHA-512:	D42D99A1DB451A00CD1892C48707FEA57B9B3A522792202E7DA7D7AB62A20952A4F83F8233AAE539BB98C46118DB60238C99256C4320370EBBD6195C2687E634
Malicious:	false
Preview:	2024/08/29-16:53:09.437 2094 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/29-16:53:09.437 2094 Recovering log #3.2024/08/29-16:53:09.438 2094 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\175ac16f-a18f-4267-81c6-2b39bbc227db.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3886039372934488
Encrypted:	false
SSDEEP:	24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:	DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:	949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:	3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:	7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\dc76b53a-34d3-45c2-a21b-f448bcd97e14.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.1954837978388095
Encrypted:	false
SSDEEP:	6:N5EJ4pENIq2P923oH+TcwtpIFUt885EJ4pENZZmw+85EJ4pENzkwO923oH+Tcwt7:Ni8v4YebmFUt88it/+8if5LYebaUJ
MD5:	2F73FB2FD85D6B528DA3CA5484F954F2
SHA1:	41B398FB076E7AE02B57F1BE992AAF9B6B047F6A
SHA-256:	068897D33B582291FB1DE93CAE0EB6E32E3D210CDBC8F29B8E1F0289B1CBB8E1
SHA-512:	84255B50DC9279187E533CBDBC39F6A93DFE67E3DF9DD15DD9A37830BC90C370F3AABA8407A4D257DA0F89B56903E79C9E4BDD5D031980CAECA9D2480CD7A7C3
Malicious:	false
Preview:	2024/08/29-16:53:09.640 2100 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/29-16:53:09.640 2100 Recovering log #3.2024/08/29-16:53:09.640 2100 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.1954837978388095
Encrypted:	false
SSDEEP:	6:N5EJ4pENIq2P923oH+TcwtpIFUt885EJ4pENZZmw+85EJ4pENzkwO923oH+Tcwt7:Ni8v4YebmFUt88it/+8if5LYebaUJ
MD5:	2F73FB2FD85D6B528DA3CA5484F954F2
SHA1:	41B398FB076E7AE02B57F1BE992AAF9B6B047F6A
SHA-256:	068897D33B582291FB1DE93CAE0EB6E32E3D210CDBC8F29B8E1F0289B1CBB8E1
SHA-512:	84255B50DC9279187E533CBDBC39F6A93DFE67E3DF9DD15DD9A37830BC90C370F3AABA8407A4D257DA0F89B56903E79C9E4BDD5D031980CAECA9D2480CD7A7C3
Malicious:	false
Preview:	2024/08/29-16:53:09.640 2100 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/29-16:53:09.640 2100 Recovering log #3.2024/08/29-16:53:09.640 2100 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF373d9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.1954837978388095
Encrypted:	false
SSDEEP:	6:N5EJ4pENIq2P923oH+TcwtpIFUt885EJ4pENZZmw+85EJ4pENzkwO923oH+Tcwt7:Ni8v4YebmFUt88it/+8if5LYebaUJ
MD5:	2F73FB2FD85D6B528DA3CA5484F954F2
SHA1:	41B398FB076E7AE02B57F1BE992AAF9B6B047F6A
SHA-256:	068897D33B582291FB1DE93CAE0EB6E32E3D210CDBC8F29B8E1F0289B1CBB8E1
SHA-512:	84255B50DC9279187E533CBDBC39F6A93DFE67E3DF9DD15DD9A37830BC90C370F3AABA8407A4D257DA0F89B56903E79C9E4BDD5D031980CAECA9D2480CD7A7C3
Malicious:	false
Preview:	2024/08/29-16:53:09.640 2100 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/29-16:53:09.640 2100 Recovering log #3.2024/08/29-16:53:09.640 2100 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1222126478428025
Encrypted:	false
SSDEEP:	384:b2qOB1nxCktSAELyKOMq+8yC8F/YfU5m+OlT:Kq+n0y9ELyKOMq+8y9/Ow
MD5:	EC12C57FC9708B2C8563F61137C9F793
SHA1:	239688AD8F27AF1CE8963187F8FF434CEF27A0FC
SHA-256:	F3E72161F3F49A59422BAD5BC9D0E46067FDF23F934FAFA8AC13160C794891F1
SHA-512:	0C06BEB21D96A515B1AEA9D0BD06733D0E758257ACF21D86AF1AD479CA7A08E82C953BF951EA1DC2B4F8C15B43B22A78A28682916A2071A02A4FB173C359CD6F
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\d236fab8-ed47-4f59-b662-c512b42101ff.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\e2757981-9efd-4af8-a8e2-5cab4f11688a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4108834313259155
Encrypted:	false
SSDEEP:	24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8e+ZcI5fc:TnUYVAKAFXX+CcEc
MD5:	8593795778EA3EC8221366AA2FBBA867
SHA1:	2F307D4925183EA13E7BE637CB93ECAF2BA9810A
SHA-256:	F3C17873660988454A5A403D047FCE88379D1FE8917A89C98E6EB940F8929C03
SHA-512:	CC86DD61ACEDA6F2927C4C23CBD6D426F2C8CD1DF65E342C76D07153ACBF801F9B297F8EF182097CBABBDE6A49C90AF0E7A38E49AB53DF3FD2EC2D5BC675099A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049731726990245535
Encrypted:	false
SSDEEP:	6:Gd0JAmu8jH0JAmu8rtCL9XCChslotGLNl0ml/XoQDeX:zJXsJXQpEjVl/XoQ
MD5:	C54B3D1870E84B11D259971CBC7B34F7
SHA1:	5F3D7D108711BA075CC8DFD4A079363B4F36DADB
SHA-256:	AC3A97348BF70C13B6BA0618708EE0F39FCA5644BAC0D2CD12CD9B5647D18F15
SHA-512:	4A0033E46E0309DC121922D795DC011FF830BA85FA02681A80C1FC1F145820526C328980034B21F20DFE4F83FA15F8D9D7FBB6F85024A614021E73AD24CFEFAD
Malicious:	false
Preview:	..-.....................:Db.W.v..4..}..tT...l...-.....................:Db.W.v..4..}..tT...l.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.273195889293739
Encrypted:	false
SSDEEP:	6:N5EJ4VBGSQL+q2P923oH+TcwtfrK+IFUt885EJ4VBGSGKWZmw+85EJ2IpQLVkwOg:NisDQL+v4Yeb23FUt88isDdW/+8iQIp6
MD5:	4963F358FA7216250C3562763A664283
SHA1:	5DF76EF69814CEC08E7ACB965123B2BD6631B69A
SHA-256:	F83E589769A70C69FD0F4EFF1F636CE929EECE6DE53D83A112EE980F231E9043
SHA-512:	60493A7AE7C31D1027790B105CD179FE99444130FD2C7DAE3C234209BACD0D20F943D5F103A89DC6FC0C584AEF84BA7E7B56776404ABF8742CD7E33D5C0F0C74
Malicious:	false
Preview:	2024/08/29-16:53:09.679 23cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/29-16:53:09.679 23cc Recovering log #3.2024/08/29-16:53:09.898 23cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.273195889293739
Encrypted:	false
SSDEEP:	6:N5EJ4VBGSQL+q2P923oH+TcwtfrK+IFUt885EJ4VBGSGKWZmw+85EJ2IpQLVkwOg:NisDQL+v4Yeb23FUt88isDdW/+8iQIp6
MD5:	4963F358FA7216250C3562763A664283
SHA1:	5DF76EF69814CEC08E7ACB965123B2BD6631B69A
SHA-256:	F83E589769A70C69FD0F4EFF1F636CE929EECE6DE53D83A112EE980F231E9043
SHA-512:	60493A7AE7C31D1027790B105CD179FE99444130FD2C7DAE3C234209BACD0D20F943D5F103A89DC6FC0C584AEF84BA7E7B56776404ABF8742CD7E33D5C0F0C74
Malicious:	false
Preview:	2024/08/29-16:53:09.679 23cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/29-16:53:09.679 23cc Recovering log #3.2024/08/29-16:53:09.898 23cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old~RF37495.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.273195889293739
Encrypted:	false
SSDEEP:	6:N5EJ4VBGSQL+q2P923oH+TcwtfrK+IFUt885EJ4VBGSGKWZmw+85EJ2IpQLVkwOg:NisDQL+v4Yeb23FUt88isDdW/+8iQIp6
MD5:	4963F358FA7216250C3562763A664283
SHA1:	5DF76EF69814CEC08E7ACB965123B2BD6631B69A
SHA-256:	F83E589769A70C69FD0F4EFF1F636CE929EECE6DE53D83A112EE980F231E9043
SHA-512:	60493A7AE7C31D1027790B105CD179FE99444130FD2C7DAE3C234209BACD0D20F943D5F103A89DC6FC0C584AEF84BA7E7B56776404ABF8742CD7E33D5C0F0C74
Malicious:	false
Preview:	2024/08/29-16:53:09.679 23cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/29-16:53:09.679 23cc Recovering log #3.2024/08/29-16:53:09.898 23cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	787
Entropy (8bit):	4.059252238767438
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Uz0RuWlJhC+lvBavRtin01zvZDEtlkyBrgxvB1ys:G0nYUtypD3RUovhC+lvBOL+t3IvB8s
MD5:	D8D8899761F621B63AD5ED6DF46D22FE
SHA1:	23E6A39058AB3C1DEADC0AF2E0FFD0D84BB7F1BE
SHA-256:	A5E0A78EE981FB767509F26021E1FA3C506F4E86860946CAC1DC4107EB3B3813
SHA-512:	4F89F556138C0CF24D3D890717EB82067C5269063C84229E93F203A22028782902FA48FB0154F53E06339F2FDBE35A985CE728235EA429D8D157090D25F15A4E
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J\|.................37_...... .A.................38_..........................39_........].................20_.....Owa..................20_.....`..N.................19_.....D8.X.................18_......`...................37_..........................38_......\e..................39_.....dz.\|.................9_.....'\c..................9_.......f-.................__global... .\|.&R.................__global... ./....................__global... ..T...................__global... ...G..................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.266909577996447
Encrypted:	false
SSDEEP:	6:N5EJ4itDQL+q2P923oH+TcwtfrzAdIFUt885EJ4VGKWZmw+85EJ4VQLVkwO923o/:NiDxQL+v4Yeb9FUt88iwdW/+8iwQLV5u
MD5:	4EB6BCB691AF02C915A0087EE9FD6484
SHA1:	A3B1B6A974D0E5AFA94A33F933F92E86074FAB25
SHA-256:	FA10C7BD54074B3AB3A6F8F120D20EB9108D0106797A44D2EB8F18A4C8B12193
SHA-512:	17EFACC56E26E6179DD81FCF0F0C8C04626B3A0592BBA76D86A58DC446AB5A77FC501D828FA6F152732693901F01A1E73D8F8B6B36E5BC126F57B7CDB5224DF1
Malicious:	false
Preview:	2024/08/29-16:53:09.674 23cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/29-16:53:09.675 23cc Recovering log #3.2024/08/29-16:53:09.675 23cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.266909577996447
Encrypted:	false
SSDEEP:	6:N5EJ4itDQL+q2P923oH+TcwtfrzAdIFUt885EJ4VGKWZmw+85EJ4VQLVkwO923o/:NiDxQL+v4Yeb9FUt88iwdW/+8iwQLV5u
MD5:	4EB6BCB691AF02C915A0087EE9FD6484
SHA1:	A3B1B6A974D0E5AFA94A33F933F92E86074FAB25
SHA-256:	FA10C7BD54074B3AB3A6F8F120D20EB9108D0106797A44D2EB8F18A4C8B12193
SHA-512:	17EFACC56E26E6179DD81FCF0F0C8C04626B3A0592BBA76D86A58DC446AB5A77FC501D828FA6F152732693901F01A1E73D8F8B6B36E5BC126F57B7CDB5224DF1
Malicious:	false
Preview:	2024/08/29-16:53:09.674 23cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/29-16:53:09.675 23cc Recovering log #3.2024/08/29-16:53:09.675 23cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old~RF37485.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.266909577996447
Encrypted:	false
SSDEEP:	6:N5EJ4itDQL+q2P923oH+TcwtfrzAdIFUt885EJ4VGKWZmw+85EJ4VQLVkwO923o/:NiDxQL+v4Yeb9FUt88iwdW/+8iwQLV5u
MD5:	4EB6BCB691AF02C915A0087EE9FD6484
SHA1:	A3B1B6A974D0E5AFA94A33F933F92E86074FAB25
SHA-256:	FA10C7BD54074B3AB3A6F8F120D20EB9108D0106797A44D2EB8F18A4C8B12193
SHA-512:	17EFACC56E26E6179DD81FCF0F0C8C04626B3A0592BBA76D86A58DC446AB5A77FC501D828FA6F152732693901F01A1E73D8F8B6B36E5BC126F57B7CDB5224DF1
Malicious:	false
Preview:	2024/08/29-16:53:09.674 23cc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/29-16:53:09.675 23cc Recovering log #3.2024/08/29-16:53:09.675 23cc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090743887185456
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMHwuF9hDO6vP6O+itbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEP6ntbz8hu3VlXr4CRo1
MD5:	F71D78BD83F1B792BF24B36614F59FF7
SHA1:	C0EA0B25B03BEC37F43DB2ADA9F8F7F1A64FB526
SHA-256:	9820D536155AA5FBAC2470F08B2F15A304A183E598709093DD66ADB8CE4CB44D
SHA-512:	A582D84035E01EF9D3E2FB4E974D78FED782DF11C87327A56E024981BEBDAD84CC6BBBA3AA56F8928F831ABB02772779ABA776861C537BED22D2ECBBD84358BA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35516.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090743887185456
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMHwuF9hDO6vP6O+itbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEP6ntbz8hu3VlXr4CRo1
MD5:	F71D78BD83F1B792BF24B36614F59FF7
SHA1:	C0EA0B25B03BEC37F43DB2ADA9F8F7F1A64FB526
SHA-256:	9820D536155AA5FBAC2470F08B2F15A304A183E598709093DD66ADB8CE4CB44D
SHA-512:	A582D84035E01EF9D3E2FB4E974D78FED782DF11C87327A56E024981BEBDAD84CC6BBBA3AA56F8928F831ABB02772779ABA776861C537BED22D2ECBBD84358BA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35768.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090743887185456
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMHwuF9hDO6vP6O+itbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEP6ntbz8hu3VlXr4CRo1
MD5:	F71D78BD83F1B792BF24B36614F59FF7
SHA1:	C0EA0B25B03BEC37F43DB2ADA9F8F7F1A64FB526
SHA-256:	9820D536155AA5FBAC2470F08B2F15A304A183E598709093DD66ADB8CE4CB44D
SHA-512:	A582D84035E01EF9D3E2FB4E974D78FED782DF11C87327A56E024981BEBDAD84CC6BBBA3AA56F8928F831ABB02772779ABA776861C537BED22D2ECBBD84358BA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35843.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090743887185456
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMHwuF9hDO6vP6O+itbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEP6ntbz8hu3VlXr4CRo1
MD5:	F71D78BD83F1B792BF24B36614F59FF7
SHA1:	C0EA0B25B03BEC37F43DB2ADA9F8F7F1A64FB526
SHA-256:	9820D536155AA5FBAC2470F08B2F15A304A183E598709093DD66ADB8CE4CB44D
SHA-512:	A582D84035E01EF9D3E2FB4E974D78FED782DF11C87327A56E024981BEBDAD84CC6BBBA3AA56F8928F831ABB02772779ABA776861C537BED22D2ECBBD84358BA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37437.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090743887185456
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMHwuF9hDO6vP6O+itbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEP6ntbz8hu3VlXr4CRo1
MD5:	F71D78BD83F1B792BF24B36614F59FF7
SHA1:	C0EA0B25B03BEC37F43DB2ADA9F8F7F1A64FB526
SHA-256:	9820D536155AA5FBAC2470F08B2F15A304A183E598709093DD66ADB8CE4CB44D
SHA-512:	A582D84035E01EF9D3E2FB4E974D78FED782DF11C87327A56E024981BEBDAD84CC6BBBA3AA56F8928F831ABB02772779ABA776861C537BED22D2ECBBD84358BA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF374f2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090743887185456
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMHwuF9hDO6vP6O+itbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEP6ntbz8hu3VlXr4CRo1
MD5:	F71D78BD83F1B792BF24B36614F59FF7
SHA1:	C0EA0B25B03BEC37F43DB2ADA9F8F7F1A64FB526
SHA-256:	9820D536155AA5FBAC2470F08B2F15A304A183E598709093DD66ADB8CE4CB44D
SHA-512:	A582D84035E01EF9D3E2FB4E974D78FED782DF11C87327A56E024981BEBDAD84CC6BBBA3AA56F8928F831ABB02772779ABA776861C537BED22D2ECBBD84358BA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37502.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090743887185456
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMHwuF9hDO6vP6O+itbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEP6ntbz8hu3VlXr4CRo1
MD5:	F71D78BD83F1B792BF24B36614F59FF7
SHA1:	C0EA0B25B03BEC37F43DB2ADA9F8F7F1A64FB526
SHA-256:	9820D536155AA5FBAC2470F08B2F15A304A183E598709093DD66ADB8CE4CB44D
SHA-512:	A582D84035E01EF9D3E2FB4E974D78FED782DF11C87327A56E024981BEBDAD84CC6BBBA3AA56F8928F831ABB02772779ABA776861C537BED22D2ECBBD84358BA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zET:/M/xT02z8
MD5:	AC81EF9540AC3DDCC4546B82AC3801BD
SHA1:	1AC27855FABFA8AF62752DA91E2A6EADC815CBBC
SHA-256:	4A2C8BA05BE86A2182B9BCC9AEC916588CC9502F4F505CD79991AF8326EC11E4
SHA-512:	D27635D446F0AEA20E138F96BEDEDF118CCF0BC8560CB2E11AB0AACE9D320E989164E2971DAB20571A9B6D9A1B4A52CAAF78084D2141372D77516F52ABD222AB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
MD5:	265DB1C9337422F9AF69EF2B4E1C7205
SHA1:	3E38976BB5CF035C75C9BC185F72A80E70F41C2E
SHA-256:	7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
SHA-512:	3CC9B76D8D4B6EDB4C41677BE3483AC37785F3BBFEA4489F3855433EBF84EA25FC48EFEE9B74CAB268DC9CB7FB4789A81C94E75C7BF723721DE28AEF53D8B529
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\cdd4cb3f-c971-4e11-bb28-5dbf6e698c68.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.096082024921152
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBXFughDO6vP6Oc6bRBZKEINcGoup1Xl3jVzXr4CCz:z/Ps+wsI7yOEy68Vchu3VlXr4CRo1
MD5:	D040319B60644FA50CEA94EBB0575C7C
SHA1:	1D2B6ACC51E6B07683A77849419E0E8F81E52E03
SHA-256:	9350EB7814F00A7101E169E10398B3D5C41A3A53DD0AE27AC56C007FF7A617A4
SHA-512:	7E1235C644B93202914E42B29A23466A1C20BABF7B318ED7818313A6CFCF4EB775EF30E026F8C44201AA3FA95BF2C0205C96BEE05F3FF39A3A36204362E0258B
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\e4f3af4f-63a6-4a21-94b8-e317a27a9f5e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.096120863805471
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBXFughDO6vP6Oc6b+BZKEINcGoup1Xl3jVzXr4CCz:z/Ps+wsI7yOEy68ochu3VlXr4CRo1
MD5:	467FE1CB54FC72966B75AF9BE860AF1A
SHA1:	09186AC2333AEF7F92B5D73DD221FF83964CAA7B
SHA-256:	2AE0352006F24063FED279813CEC864E491B3B485B355A0927DDE08A454D954C
SHA-512:	0D00C8999166924C27104640D32683B4479F38841B10603BDAB4F7D9985CA6B28505FC18B1B6491D700C2326C893DB81FEEDEA91D3C583B4ABBAB6A2885B9F33
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ea500f9b-274b-43c3-a3d8-263295b9a33e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.096225500586861
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBXFughDO6vP6Oc6ngB/nxvEFNcGoup1Xl3jVzXr4z:z/Ps+wsI7yOEy68Cchu3VlXr4CRo1
MD5:	9818327413401DFD5BF676A78CF6F9BA
SHA1:	28A93CFFF720722C874996B7B4D34261456B432F
SHA-256:	C1246BD8644C9C81C15108583E2EC6F62B0D0DD937D6523DEAE8A9BF1F902C8B
SHA-512:	B2D07290D9F7F5D5FDDA5458A2681454898BC4E14D402329F7F3CAC80ADE51186B6F9C3987E2DD8566179E3D7D74764C5DD6A123D073A59886965AE555AD2C09
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8369349722405133
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxIxl9Il8uqttvEd3JEQhlr269d1rc:mVY4HEYoI
MD5:	36D57AB611B918278124C3CCF65E08CC
SHA1:	BB57DB0D13B26FF1A2C52004E453657C5D2629A0
SHA-256:	1AAAD38869D296868BA49CE0AFAF7AAE9AA9BA54002F801D09789BB34AC7AB96
SHA-512:	EFFD732386B1B6A102BA2FD1A5E44C39F4EEE7B890C6B2BFAB427F5023BD109D754BA9D00833B9814487A7D42B15C2B1105798F29CAF3FA34C895B6B65E8A741
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.P.8.N.z.V.3.6.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.X.7.v.k.o.Y.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.005242327040295
Encrypted:	false
SSDEEP:	96:jY4DfSiq96e6uWHOIJDREuSPhdrRmDKgkGhiIHGD6itCnnB:jnDfHvJDSuoPmDKgkEPG2wCB
MD5:	77BD67D905D5419BD9C1BA481709E1FE
SHA1:	73C3709FEF2ABBCF127CDA897AD02B0E6EFC2708
SHA-256:	8F4ECA2ECA0F68469B7FB51F2F5CB06CD830A8CA49FADF7EC6D826387D221570
SHA-512:	832720149FC0B9A301512CFAE577CCA3868A8FA09AFE22A211A25C9AC72ACDF1D810C1BF257BE6AD2780D546A1C5169652CDE983669C2E66FA345C8E07BB60A0
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".F.7.z.k.s.l.X.6.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.X.7.v.k.o.Y.

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1880
Entropy (8bit):	5.398279465775227
Encrypted:	false
SSDEEP:	48:Yzj57SnaJ57H57Uv5W1Sj5W175zuR5z+5zn071eDJk5c1903bj5jJp0gcU854Rrm:8e2Fa116uCntc5toYm
MD5:	E78AB74974860E229A08AFE61F82ED75
SHA1:	D36E4F68049DCDF7B2615638C8781900DCE96B3E
SHA-256:	DAFF836BDA18545E2F16D78F9EBF32EB3E42C209EB7CED85480570B0563F1174
SHA-512:	56075F0435F5E097FB89ABC9F0A21F6E008B4CB9969A00A31D29197EFDD5A7E55B4340682E52F8019BAB16D0D254716DEFDFBE77D76E1F9D197C2A5EB1D03DB2
Malicious:	false
Preview:	{"logTime": "1004/133448", "correlationVector":"vYS73lRT+EoO2Owh9jsc+Y","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"n/KhuHPhHmYXokB31+JZz7","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"fclQx26bUZO07waFEDe6Fn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"0757l0tkKt37vNrdCKAm8w","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"uTRRkmbbqkgK/wPBCS4fct","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"2DrXipL1ngF91RN7IemK0e","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"d0GyjEgnW85fvDIojHVIXI","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"PvfzGWRutB/kmuXUK+c8XA","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"29CB75FBC4C942E0817A1F7A0E2CF647

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1PT1LJGVKVQPDN44NENV.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.513360476664309
Encrypted:	false
SSDEEP:	48:yEdgbdO6BXsJ4rmzBdLXuHgvkDpk2AdgbdO6BXsJ4rmzngdLXuHgvk+21:GW3u4kD3fWnIu4kz
MD5:	106483744E997E78AE6C9E6CCCACF16B
SHA1:	09AC636A5E7B5FF1EA362CBD6E1E597BCEF2B341
SHA-256:	1517FBDC49D15FDA41FC65060456331321A4730D04C3BC356AD57D6A74222B77
SHA-512:	5057A138135181B748DFD55F9CC0F98F227F9DE6E5375C6EEF641F86F0E36D0F0A15842EF1741A0B25B23EFEADE1F065A0A291378221B7C58B2F9D5D4A53D81C
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K......lU....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Y....PROGRA~2.........O.I.Y......................V.....}CF.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y............................D.m.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Y.............................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y......u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...........!........C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\81RE97MMHG9PNFPBDL3R.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5137810628482
Encrypted:	false
SSDEEP:	48:yEKGudO6n+XsJ4rmzBdLXuHgvkDpk2AdgbdO6BXsJ4rmzngdLXuHgvk+21:UD3u4kD3fWnIu4kz
MD5:	AAFC888ABC8624AAAFCA0BCC30B6D374
SHA1:	07CA23766A1C8564C82D96A6FB1B6499F12FA0EE
SHA-256:	4ADC2CC20FBA9AF799D06ABB3BECF5B8C2015D53D883466E7A8FB6CFFA04A2F0
SHA-512:	8F910F18D17AE68FC7BD17A18CC347CB03CBD674FBE08BF2AA1B4D9586634469AE1B7A3552C4CEE28BEECB85B29F52D7839641AA4D57BC74D279AA468C705164
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K......lU....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW.r..PROGRA~2.........O.IDW.r....................V.......2.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y............................D.m.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y......u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...........!........C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\875a60a09683c344.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5137810628482
Encrypted:	false
SSDEEP:	48:yEKGudO6n+XsJ4rmzBdLXuHgvkDpk2AdgbdO6BXsJ4rmzngdLXuHgvk+21:UD3u4kD3fWnIu4kz
MD5:	AAFC888ABC8624AAAFCA0BCC30B6D374
SHA1:	07CA23766A1C8564C82D96A6FB1B6499F12FA0EE
SHA-256:	4ADC2CC20FBA9AF799D06ABB3BECF5B8C2015D53D883466E7A8FB6CFFA04A2F0
SHA-512:	8F910F18D17AE68FC7BD17A18CC347CB03CBD674FBE08BF2AA1B4D9586634469AE1B7A3552C4CEE28BEECB85B29F52D7839641AA4D57BC74D279AA468C705164
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K......lU....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW.r..PROGRA~2.........O.IDW.r....................V.......2.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y............................D.m.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y......u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...........!........C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.513360476664309
Encrypted:	false
SSDEEP:	48:yEdgbdO6BXsJ4rmzBdLXuHgvkDpk2AdgbdO6BXsJ4rmzngdLXuHgvk+21:GW3u4kD3fWnIu4kz
MD5:	106483744E997E78AE6C9E6CCCACF16B
SHA1:	09AC636A5E7B5FF1EA362CBD6E1E597BCEF2B341
SHA-256:	1517FBDC49D15FDA41FC65060456331321A4730D04C3BC356AD57D6A74222B77
SHA-512:	5057A138135181B748DFD55F9CC0F98F227F9DE6E5375C6EEF641F86F0E36D0F0A15842EF1741A0B25B23EFEADE1F065A0A291378221B7C58B2F9D5D4A53D81C
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K......lU....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Y....PROGRA~2.........O.I.Y......................V.....}CF.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y............................D.m.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Y.............................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y......u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...........!........C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5797694684201815
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	3fc1cbfeb55e51328b28e08a65ffc7de
SHA1:	24dc477ea6d87ece1b07a345eb16de89c55d6b36
SHA256:	681c6a6e99824e6130008ce25b9fe190dca553db173d9eec9207142e7c7f21c4
SHA512:	42fc58c51e9d31f38fc245428df83a6d46fdadeb63e361a97072f537d4267cfbfee64db5a2c84783804a03b04ae80f29453a4fd1967661187360fe23da2d670a
SSDEEP:	12288:pqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTy:pqDEvCTbMWu7rQYlBQcBiT6rprG8asy
TLSH:	DF159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D0D7FA [Thu Aug 29 20:20:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F226CFE7DC3h
jmp 00007F226CFE76CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F226CFE78ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F226CFE787Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F226CFEA46Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F226CFEA4B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F226CFEA4A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95c8	0x9600	6fa2bd3d4da0270aecacefe6467cd757	False	0.2869010416666667	data	5.165659121419521	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x890	data			1.0050182481751824
RT_GROUP_ICON	0xdd048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 22:52:48.465640068 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 29, 2024 22:52:48.465641975 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 29, 2024 22:52:48.574883938 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 29, 2024 22:52:58.080689907 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 29, 2024 22:52:58.080729008 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 29, 2024 22:52:58.174499035 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 29, 2024 22:52:58.394922972 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:58.394963980 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:58.395071030 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:58.395345926 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:58.395361900 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:58.440105915 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:58.440149069 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:58.440231085 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:58.444768906 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:58.444787025 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:58.980314016 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:58.980333090 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:58.980405092 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:58.980684042 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:58.980694056 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:58.981600046 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:58.981609106 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:58.981703997 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:58.981898069 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:58.981909037 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:58.982115984 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:58.982121944 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:58.982173920 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:58.982325077 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:58.982332945 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:58.984811068 CEST	49733	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:58.984817028 CEST	443	49733	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:58.984913111 CEST	49733	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:58.985045910 CEST	49733	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:58.985059977 CEST	443	49733	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.037379026 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.038140059 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.038165092 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.039160967 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.039236069 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.040647030 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.040709019 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.040947914 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.040956974 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.046842098 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.046860933 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.046991110 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.047749043 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.047760963 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.081413984 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.081635952 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.081645966 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.082632065 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.082690954 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.083025932 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.083084106 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.083185911 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.083194017 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.096420050 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.127681971 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.146392107 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.146411896 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.146419048 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.146441936 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.146450996 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.146465063 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.146466970 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.146472931 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.146502972 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.146543980 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.147768974 CEST	49725	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.147782087 CEST	443	49725	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.194866896 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.194886923 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.194895029 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.194921970 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.194952011 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.194957018 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.194972038 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.194996119 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.195019007 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.275435925 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.275460958 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.275553942 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.275564909 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.275598049 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.275614977 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.277631998 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.277658939 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.277698994 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.277707100 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.277730942 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.277750015 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.354399920 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:52:59.354429007 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 29, 2024 22:52:59.354660034 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:52:59.356408119 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:52:59.356420040 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 29, 2024 22:52:59.361257076 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.361272097 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.361341953 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.361346960 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.361356974 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.361397028 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.361402035 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.361464977 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.362180948 CEST	49726	443	192.168.2.5	13.107.246.60
Aug 29, 2024 22:52:59.362190962 CEST	443	49726	13.107.246.60	192.168.2.5
Aug 29, 2024 22:52:59.443588972 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.443820000 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.443833113 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.444135904 CEST	443	49733	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.444161892 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.444308043 CEST	49733	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.444314957 CEST	443	49733	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.444426060 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.444432020 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.444849968 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.444910049 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.445348024 CEST	443	49733	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.445421934 CEST	49733	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.445444107 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.445559978 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.446540117 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.446597099 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.446800947 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.446808100 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.446991920 CEST	49733	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.447051048 CEST	443	49733	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.447120905 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.447176933 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.447221041 CEST	49733	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.447225094 CEST	443	49733	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.447381973 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.447386980 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.457988024 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.458182096 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.458188057 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.459203005 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.459264040 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.460170984 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.460226059 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.460470915 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.460475922 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.487066984 CEST	49733	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.487066984 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.487066984 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.502690077 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.536286116 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.536565065 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.536581039 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.537666082 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.537719965 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.538651943 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.538717985 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.539004087 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.539011002 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.561247110 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.561299086 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.561383963 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.561532021 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.561541080 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.576962948 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.577012062 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.577017069 CEST	443	49733	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.577065945 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.577068090 CEST	443	49733	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.577115059 CEST	49733	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.577425003 CEST	49731	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.577430010 CEST	443	49731	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.577697039 CEST	49733	443	192.168.2.5	162.159.61.3
Aug 29, 2024 22:52:59.577699900 CEST	443	49733	162.159.61.3	192.168.2.5
Aug 29, 2024 22:52:59.580226898 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.580270052 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.580338955 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.580414057 CEST	49730	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.580419064 CEST	443	49730	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.580810070 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.674122095 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.674187899 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.674283028 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.674402952 CEST	49734	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:52:59.674412966 CEST	443	49734	172.64.41.3	192.168.2.5
Aug 29, 2024 22:52:59.927419901 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 29, 2024 22:52:59.927535057 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 29, 2024 22:53:00.009856939 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:00.009942055 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:00.014659882 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:00.014669895 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:00.014920950 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:00.064430952 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:00.125072956 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:00.168503046 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:00.335000038 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:00.335159063 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:00.335175991 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:00.335186958 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:00.335326910 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:00.335372925 CEST	443	49735	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:00.335459948 CEST	49735	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:00.367836952 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:00.367856026 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:00.367922068 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:00.368165016 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:00.368179083 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:00.630502939 CEST	49737	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.630551100 CEST	443	49737	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.630707979 CEST	49737	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.630836010 CEST	49738	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.630842924 CEST	443	49738	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.630898952 CEST	49738	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.631262064 CEST	49737	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.631274939 CEST	443	49737	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.631371975 CEST	49738	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.631381035 CEST	443	49738	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.011578083 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:01.011694908 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:01.101878881 CEST	443	49738	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.101938963 CEST	443	49737	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.133996964 CEST	49738	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.134017944 CEST	443	49738	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.134347916 CEST	49737	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.134356976 CEST	443	49737	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.134454966 CEST	443	49738	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.134752989 CEST	443	49737	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.135270119 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.135302067 CEST	443	49739	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.135510921 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.135711908 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.135750055 CEST	443	49740	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.135879040 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.174815893 CEST	49738	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.177648067 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.177675962 CEST	443	49740	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.178165913 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.178179026 CEST	443	49739	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.178471088 CEST	49737	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.178565025 CEST	443	49737	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.178834915 CEST	49738	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.178971052 CEST	443	49738	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.223373890 CEST	49737	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.223408937 CEST	49738	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.443042994 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:01.443063974 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:01.443402052 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:01.444396973 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:01.484508038 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:01.525746107 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:01.525772095 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:01.525860071 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:01.526191950 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:01.526202917 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:01.631256104 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:01.631345034 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:01.631390095 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:01.640239954 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:01.640264988 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:01.640276909 CEST	49736	443	192.168.2.5	184.28.90.27
Aug 29, 2024 22:53:01.640284061 CEST	443	49736	184.28.90.27	192.168.2.5
Aug 29, 2024 22:53:01.655893087 CEST	443	49739	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.656248093 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.656261921 CEST	443	49739	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.656630039 CEST	443	49739	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.656694889 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.656728029 CEST	443	49740	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.657205105 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.657222986 CEST	443	49740	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.657300949 CEST	443	49739	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.657354116 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.657598972 CEST	443	49740	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.657644987 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.658273935 CEST	443	49740	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.658318996 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.658565044 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.658626080 CEST	443	49739	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.659395933 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.659401894 CEST	443	49739	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.659648895 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.659729004 CEST	443	49740	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.660161972 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.660166979 CEST	443	49740	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.706399918 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.706403017 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.831602097 CEST	443	49740	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.832264900 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.832298994 CEST	443	49740	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.832357883 CEST	49740	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.837007046 CEST	443	49739	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.837558985 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.837593079 CEST	443	49739	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:01.837642908 CEST	49739	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:01.990835905 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:01.995076895 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:01.995094061 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:01.996104002 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:01.996160984 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:01.997534990 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:01.997596979 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:01.998544931 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:01.998552084 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:02.039947987 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:02.093215942 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:02.093270063 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:02.093305111 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:02.093313932 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:02.093328953 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:02.093365908 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:02.093374968 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:02.093381882 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:02.093415976 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:02.094115019 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:02.094165087 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:02.094208956 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:02.139355898 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.139384031 CEST	443	49742	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.139460087 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.140019894 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.140058041 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.140091896 CEST	49741	443	192.168.2.5	142.250.65.164
Aug 29, 2024 22:53:02.140100956 CEST	443	49741	142.250.65.164	192.168.2.5
Aug 29, 2024 22:53:02.140114069 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.141177893 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.141189098 CEST	443	49742	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.141474009 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.141484976 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.612715960 CEST	443	49742	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.613095045 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.613111019 CEST	443	49742	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.613455057 CEST	443	49742	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.613559961 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.614164114 CEST	443	49742	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.614228964 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.614440918 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.614496946 CEST	443	49742	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.627784967 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.633443117 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.633460045 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.633800983 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.634397030 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.634525061 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.634535074 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.634696007 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.634696007 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.634757996 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.659090042 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.659100056 CEST	443	49742	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.677536964 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.677546978 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.707052946 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.722676039 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:08.456438065 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:08.456469059 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:08.456548929 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:08.457495928 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:08.457510948 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:09.275245905 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:09.275367022 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:09.277098894 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:09.277107000 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:09.277334929 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:09.330792904 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:10.082967043 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:10.128500938 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:10.350176096 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:10.350208998 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:10.350215912 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:10.350255013 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:10.350271940 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:10.350271940 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:10.350286007 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:10.350310087 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:10.350325108 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:10.350325108 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:10.350358009 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:10.351083994 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:10.351165056 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:10.351171017 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:10.351210117 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:11.310559034 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:11.310585022 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:11.312378883 CEST	49744	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:11.312386990 CEST	443	49744	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:16.008614063 CEST	443	49737	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:16.008655071 CEST	443	49738	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:16.008687973 CEST	443	49737	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:16.008718967 CEST	443	49738	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:16.008815050 CEST	49737	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:16.008815050 CEST	49738	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:38.309312105 CEST	51825	53	192.168.2.5	162.159.36.2
Aug 29, 2024 22:53:38.314160109 CEST	53	51825	162.159.36.2	192.168.2.5
Aug 29, 2024 22:53:38.314395905 CEST	51825	53	192.168.2.5	162.159.36.2
Aug 29, 2024 22:53:38.319309950 CEST	53	51825	162.159.36.2	192.168.2.5
Aug 29, 2024 22:53:38.787798882 CEST	51825	53	192.168.2.5	162.159.36.2
Aug 29, 2024 22:53:38.793131113 CEST	53	51825	162.159.36.2	192.168.2.5
Aug 29, 2024 22:53:38.793215036 CEST	51825	53	192.168.2.5	162.159.36.2
Aug 29, 2024 22:53:38.844157934 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:38.844216108 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:38.844309092 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:38.844671011 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:38.844686031 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:39.670389891 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:39.670459032 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:39.674431086 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:39.674442053 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:39.674678087 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:39.683969021 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:39.728502989 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:40.004386902 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:40.004411936 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:40.004426003 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:40.004513025 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:40.004542112 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:40.004601002 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:40.006915092 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:40.006956100 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:40.006989956 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:40.006995916 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:40.007011890 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:40.007026911 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:40.007050991 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:40.008276939 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:40.008290052 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:40.008302927 CEST	51827	443	192.168.2.5	20.114.59.183
Aug 29, 2024 22:53:40.008306980 CEST	443	51827	20.114.59.183	192.168.2.5
Aug 29, 2024 22:53:47.661458969 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:47.661509991 CEST	443	49742	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:47.692663908 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:47.692692041 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:53.289885044 CEST	51828	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.289910078 CEST	443	51828	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.289988041 CEST	51828	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.290100098 CEST	51829	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.290128946 CEST	443	51829	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.290186882 CEST	51829	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.290287018 CEST	51828	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.290298939 CEST	443	51828	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.290410042 CEST	51829	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.290421009 CEST	443	51829	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.747452974 CEST	443	51828	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.777393103 CEST	51828	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.777401924 CEST	443	51828	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.777822018 CEST	443	51828	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.778578043 CEST	51828	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.778644085 CEST	443	51828	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.778763056 CEST	51828	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.785216093 CEST	443	51829	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.785424948 CEST	51829	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.785435915 CEST	443	51829	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.785733938 CEST	443	51829	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.786068916 CEST	51829	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.786119938 CEST	443	51829	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.820506096 CEST	443	51828	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.830307007 CEST	51829	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.898782969 CEST	443	51828	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.898839951 CEST	443	51828	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.898926973 CEST	51828	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.899141073 CEST	51828	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.899154902 CEST	443	51828	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:01.018019915 CEST	49738	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:01.018050909 CEST	443	49738	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:01.018086910 CEST	49737	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:01.018100023 CEST	443	49737	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:08.712496042 CEST	443	51829	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:08.712570906 CEST	443	51829	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:08.712727070 CEST	51829	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:32.674338102 CEST	49742	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:54:32.674360037 CEST	443	49742	142.251.35.174	192.168.2.5
Aug 29, 2024 22:54:32.706610918 CEST	49743	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:54:32.706629992 CEST	443	49743	142.251.35.174	192.168.2.5
Aug 29, 2024 22:54:46.033132076 CEST	49737	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:46.033133030 CEST	49738	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:46.033171892 CEST	443	49737	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:46.033185005 CEST	443	49738	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:53.721473932 CEST	51829	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:53.721524000 CEST	443	51829	172.64.41.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 22:52:54.203661919 CEST	53	62514	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:55.776175976 CEST	61565	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:55.776519060 CEST	56046	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:56.629534006 CEST	53	60825	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:56.640690088 CEST	53	62818	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:58.972337961 CEST	65284	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:58.972784996 CEST	64106	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:58.973659039 CEST	50865	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:58.974148989 CEST	61389	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:58.974860907 CEST	50417	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:58.975126982 CEST	50914	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:58.976187944 CEST	49388	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:58.976695061 CEST	64092	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:58.979363918 CEST	53	65284	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:58.979650021 CEST	53	64106	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:58.980151892 CEST	53	50865	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:58.981138945 CEST	53	61389	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:58.981463909 CEST	53	50417	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:58.981813908 CEST	53	50914	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:58.983109951 CEST	53	49388	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:58.983256102 CEST	53	64092	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:59.038852930 CEST	65417	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:59.039002895 CEST	59691	53	192.168.2.5	1.1.1.1
Aug 29, 2024 22:52:59.045914888 CEST	53	65417	1.1.1.1	192.168.2.5
Aug 29, 2024 22:52:59.046000004 CEST	53	59691	1.1.1.1	192.168.2.5
Aug 29, 2024 22:53:00.320764065 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.629848957 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.777941942 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.778095961 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.778107882 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.778306961 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.778318882 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.778481007 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.783097029 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.783562899 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.783746004 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.784794092 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.784996033 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.883332968 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.883764029 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.883774042 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.883781910 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.883884907 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.883955002 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.885626078 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.887243986 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.887875080 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:00.888086081 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.974832058 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.974941015 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:00.988131046 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.044567108 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.080622911 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.081703901 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.081929922 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.133160114 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.420416117 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.420551062 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.521280050 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.522085905 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.522248030 CEST	443	59455	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:01.525058031 CEST	59455	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:01.833848953 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.138561964 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.292675972 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.292927027 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.293586969 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.298893929 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.298938036 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.298948050 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.298958063 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.299134970 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.300108910 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.300786972 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.300904036 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.301304102 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.301517963 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.394252062 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.394270897 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.394819021 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.395441055 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.422477007 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.422668934 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.489938021 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.489953041 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.489962101 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.490581989 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:02.491353035 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.491463900 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.532651901 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:02.586026907 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:10.104922056 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:10.104978085 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:10.199279070 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:10.269254923 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:10.305155039 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:10.307764053 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:10.309948921 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:10.355180979 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:10.429572105 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:31.067562103 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:31.067622900 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:31.162554979 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:31.189758062 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:31.251247883 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:31.251508951 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:31.251722097 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:31.283607960 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:31.389920950 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:34.287292957 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:34.287343979 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:34.290076971 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:34.290096045 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:34.381558895 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:34.384574890 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:34.384850979 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:34.463977098 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:34.464270115 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:34.465162992 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:34.471297979 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:34.471616030 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:34.473620892 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:34.507237911 CEST	64976	443	192.168.2.5	142.251.35.174
Aug 29, 2024 22:53:34.585957050 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:34.613111973 CEST	443	64976	142.251.35.174	192.168.2.5
Aug 29, 2024 22:53:38.308623075 CEST	53	59900	162.159.36.2	192.168.2.5
Aug 29, 2024 22:53:38.797621965 CEST	53	49839	1.1.1.1	192.168.2.5
Aug 29, 2024 22:53:53.289529085 CEST	61424	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.598397017 CEST	61424	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.740950108 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.741203070 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.741214991 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.741221905 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.741229057 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.777847052 CEST	61424	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.779848099 CEST	61424	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.779968977 CEST	61424	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.780426025 CEST	61424	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.880856037 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.880875111 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.881222010 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.881231070 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.881382942 CEST	61424	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.881475925 CEST	61424	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.883328915 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:53.908539057 CEST	61424	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:53:53.979269981 CEST	443	61424	172.64.41.3	192.168.2.5
Aug 29, 2024 22:53:54.008455038 CEST	61424	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.116786957 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.116898060 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.117243052 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.117362022 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.573709011 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:03.574707031 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:03.673391104 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.704642057 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.768739939 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:03.768754959 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:03.768764019 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:03.768779039 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:03.769507885 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.769618988 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.864698887 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:03.865236998 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.961921930 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:03.963251114 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:03.963536024 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:03.963792086 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:03.964593887 CEST	60833	443	192.168.2.5	172.253.122.84
Aug 29, 2024 22:54:03.964756012 CEST	60833	443	192.168.2.5	172.253.122.84
Aug 29, 2024 22:54:04.439215899 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:04.439912081 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:04.440009117 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:04.440022945 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:04.440033913 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:04.440974951 CEST	60833	443	192.168.2.5	172.253.122.84
Aug 29, 2024 22:54:04.440974951 CEST	60833	443	192.168.2.5	172.253.122.84
Aug 29, 2024 22:54:04.441203117 CEST	60833	443	192.168.2.5	172.253.122.84
Aug 29, 2024 22:54:04.545051098 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:04.545062065 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:04.545109987 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:04.545413017 CEST	60833	443	192.168.2.5	172.253.122.84
Aug 29, 2024 22:54:04.545449972 CEST	60833	443	192.168.2.5	172.253.122.84
Aug 29, 2024 22:54:04.581180096 CEST	60833	443	192.168.2.5	172.253.122.84
Aug 29, 2024 22:54:04.598370075 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:04.598695993 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:04.598711014 CEST	60833	443	192.168.2.5	172.253.122.84
Aug 29, 2024 22:54:04.628052950 CEST	60833	443	192.168.2.5	172.253.122.84
Aug 29, 2024 22:54:04.727298021 CEST	443	60833	172.253.122.84	192.168.2.5
Aug 29, 2024 22:54:08.210592031 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:08.210809946 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:08.309086084 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:08.309283972 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:08.309832096 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:08.310657024 CEST	443	62273	172.64.41.3	192.168.2.5
Aug 29, 2024 22:54:08.312057018 CEST	62273	443	192.168.2.5	172.64.41.3
Aug 29, 2024 22:54:08.313498020 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.313631058 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.659581900 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.796175957 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.802793026 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.802844048 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.804063082 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.804328918 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.804797888 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.804820061 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.804933071 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.804953098 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.820792913 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.903302908 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.904311895 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.904498100 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.940030098 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.979768038 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.980190992 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.981393099 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.981576920 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:08.981611967 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.983424902 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:08.983592033 CEST	55153	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:09.083918095 CEST	443	55153	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:39.305416107 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.305579901 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.784343958 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.833247900 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:39.833265066 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:39.833271980 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:39.833945036 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.833945036 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.834234953 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.834249973 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.834371090 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.834389925 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.965075016 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:39.965492010 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.971524000 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:39.971534967 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:39.971544027 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:39.971793890 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.971903086 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:39.972579002 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:39.982130051 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:40.002866030 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:40.028609037 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:40.028969049 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:40.030772924 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:40.030972958 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:40.033252954 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:40.033320904 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:40.033416033 CEST	59878	443	192.168.2.5	142.250.72.110
Aug 29, 2024 22:54:40.060539961 CEST	443	59878	142.250.72.110	192.168.2.5
Aug 29, 2024 22:54:40.125773907 CEST	443	59878	142.250.72.110	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 22:52:55.776175976 CEST	192.168.2.5	1.1.1.1	0x96b2	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:55.776519060 CEST	192.168.2.5	1.1.1.1	0xe95d	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Aug 29, 2024 22:52:58.972337961 CEST	192.168.2.5	1.1.1.1	0x280a	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.972784996 CEST	192.168.2.5	1.1.1.1	0x230	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 22:52:58.973659039 CEST	192.168.2.5	1.1.1.1	0xb085	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.974148989 CEST	192.168.2.5	1.1.1.1	0x2939	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 22:52:58.974860907 CEST	192.168.2.5	1.1.1.1	0x99dc	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.975126982 CEST	192.168.2.5	1.1.1.1	0xf241	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 22:52:58.976187944 CEST	192.168.2.5	1.1.1.1	0x6942	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.976695061 CEST	192.168.2.5	1.1.1.1	0xfc80	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 29, 2024 22:52:59.038852930 CEST	192.168.2.5	1.1.1.1	0xbe7c	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:59.039002895 CEST	192.168.2.5	1.1.1.1	0x2764	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 22:52:55.782944918 CEST	1.1.1.1	192.168.2.5	0x96b2	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 22:52:55.783905983 CEST	1.1.1.1	192.168.2.5	0xe95d	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 22:52:58.393168926 CEST	1.1.1.1	192.168.2.5	0x1bee	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 22:52:58.393168926 CEST	1.1.1.1	192.168.2.5	0x1bee	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.979363918 CEST	1.1.1.1	192.168.2.5	0x280a	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.979363918 CEST	1.1.1.1	192.168.2.5	0x280a	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.979650021 CEST	1.1.1.1	192.168.2.5	0x230	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 22:52:58.980151892 CEST	1.1.1.1	192.168.2.5	0xb085	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.980151892 CEST	1.1.1.1	192.168.2.5	0xb085	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.981138945 CEST	1.1.1.1	192.168.2.5	0x2939	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 22:52:58.981463909 CEST	1.1.1.1	192.168.2.5	0x99dc	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.981463909 CEST	1.1.1.1	192.168.2.5	0x99dc	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.981813908 CEST	1.1.1.1	192.168.2.5	0xf241	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 22:52:58.983109951 CEST	1.1.1.1	192.168.2.5	0x6942	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.983109951 CEST	1.1.1.1	192.168.2.5	0x6942	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:58.983256102 CEST	1.1.1.1	192.168.2.5	0xfc80	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 29, 2024 22:52:59.045914888 CEST	1.1.1.1	192.168.2.5	0xbe7c	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:59.045914888 CEST	1.1.1.1	192.168.2.5	0xbe7c	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 22:52:59.046000004 CEST	1.1.1.1	192.168.2.5	0x2764	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

edgeassetservice.azureedge.net

chrome.cloudflare-dns.com

fs.microsoft.com

https:

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49725	13.107.246.60	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:52:59 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-29 20:52:59 UTC	559	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 20:52:59 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Fri, 23 Aug 2024 00:10:35 GMT ETag: 0x8DCC30802EF150E x-ms-request-id: 903262f1-801e-001b-4826-f94695000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240829T205259Z-165795675766wv96mecap1swx400000002hg000000004z2v Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-08-29 20:52:59 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49726	13.107.246.60	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:52:59 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.47 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-29 20:52:59 UTC	583	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 20:52:59 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Fri, 02 Aug 2024 18:10:35 GMT ETag: 0x8DCB31E67C22927 x-ms-request-id: 66f87118-601e-001a-2116-f94768000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240829T205259Z-16579567576l4p9bs8an1npq1n000000025g00000000g0y6 Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-08-29 20:52:59 UTC	15801	IN	Data Raw: 1f 8b 08 08 1a 21 ad 66 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: !fasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-08-29 20:52:59 UTC	16384	IN	Data Raw: 4a b0 09 cb 82 45 ac c5 f3 e8 07 bb 82 71 ba da 2a 0b c7 62 2c 30 96 c2 52 09 74 65 c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 Data Ascii: JEqb,0Rte\|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49*-lx53Bu;hQ-]bU%+/M!eC8Y1
2024-08-29 20:52:59 UTC	16384	IN	Data Raw: 2f 4d 35 19 b9 3f d5 c1 f4 52 a7 67 b3 99 ff bc b7 c2 8e 7c d3 4d 9a a5 bf dc f0 20 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 Data Ascii: /M5?Rg\|M kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|c
2024-08-29 20:52:59 UTC	16384	IN	Data Raw: 99 dc 5a 2e 69 cf 52 41 9e 48 c8 71 d7 39 94 dd f7 b6 3f 2a 48 d1 b5 2e 37 a4 97 5f 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 Data Ascii: Z.iRAHq9?*H.7_CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`
2024-08-29 20:52:59 UTC	5254	IN	Data Raw: 29 50 5f 50 34 9a d3 9a 2a 83 ab 27 93 58 c5 2b d2 9c af 2b 4e 0f 79 ac a9 56 57 20 b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 Data Ascii: )P_P4*'X++NyVW a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49731	162.159.61.3	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:52:59 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 20:52:59 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 20:52:59 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 20:52:59 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8baf6d901fd28c9c-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 20:52:59 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 cb 00 04 8e fa 41 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomA)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49733	162.159.61.3	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:52:59 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 20:52:59 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 20:52:59 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 20:52:59 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8baf6d901e5f41d9-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 20:52:59 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 a0 00 04 8e fb 29 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom))

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49732	172.64.41.3	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:52:59 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 20:52:59 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 20:52:59 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 20:52:59 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8baf6d8ffaf50cc8-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 20:52:59 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 c5 00 04 8e fb 28 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom(c)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49730	172.64.41.3	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:52:59 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 20:52:59 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 20:52:59 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 20:52:59 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8baf6d901971435e-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 20:52:59 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 10 00 04 8e fa 41 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomA)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49734	172.64.41.3	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:52:59 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 20:52:59 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-29 20:52:59 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 20:52:59 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8baf6d90a9960f7b-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 20:52:59 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 09 00 04 8e fa 50 43 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomPC)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49735	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:53:00 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-29 20:53:00 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=132233 Date: Thu, 29 Aug 2024 20:53:00 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49736	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:53:01 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-29 20:53:01 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=132185 Date: Thu, 29 Aug 2024 20:53:01 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-29 20:53:01 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49739	142.251.35.174	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:53:01 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-29 20:53:01 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Thu, 29 Aug 2024 20:53:01 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49740	142.251.35.174	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:53:01 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-29 20:53:01 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Thu, 29 Aug 2024 20:53:01 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49741	142.250.65.164	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:53:01 UTC	887	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.2045.47" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-29 20:53:02 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Thu, 29 Aug 2024 20:31:47 GMT Expires: Fri, 06 Sep 2024 20:31:47 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 1275 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-08-29 20:53:02 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-08-29 20:53:02 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-08-29 20:53:02 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-08-29 20:53:02 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-08-29 20:53:02 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49744	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:53:10 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=c991HGxKpb62D1M&MD=D+ptRclH HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-29 20:53:10 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 907a0712-f0e4-47b6-8ea1-b05488976033 MS-RequestId: 8d1c5d6e-2fea-4af0-8f3a-2bd3c2cd83f8 MS-CV: HQvRmb1g5USgG1hy.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 29 Aug 2024 20:53:09 GMT Connection: close Content-Length: 24490
2024-08-29 20:53:10 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-29 20:53:10 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	51827	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:53:39 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=c991HGxKpb62D1M&MD=D+ptRclH HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-29 20:53:39 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 921569e8-001c-4958-82fb-3e434eadd526 MS-RequestId: 1a43e69b-91ed-48b5-8991-217bc7969ffb MS-CV: PArH5lT6n0eMJatC.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 29 Aug 2024 20:53:39 GMT Connection: close Content-Length: 30005
2024-08-29 20:53:39 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-08-29 20:53:40 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	51828	172.64.41.3	443	7560	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 20:53:53 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-29 20:53:53 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 51 00 0c 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom)QM
2024-08-29 20:53:53 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Thu, 29 Aug 2024 20:53:53 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8baf6ee38a3c4366-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 20:53:53 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 04 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 0d e5 00 2d 12 65 64 67 65 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 0b 64 75 61 6c 2d 61 2d 30 30 33 36 08 61 2d 6d 73 65 64 67 65 03 6e 65 74 00 c0 30 00 05 00 01 00 00 00 11 00 02 c0 43 c0 43 00 01 00 01 00 00 00 11 00 04 0d 6b 15 ef c0 43 00 01 00 01 00 00 00 11 00 04 cc 4f c5 ef 00 00 29 04 d0 00 00 00 00 01 3e 00 0c 01 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom-edge-microsoft-comdual-a-0036a-msedgenet0CCkCO)>:

Target ID:	0
Start time:	16:52:49
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x160000
File size:	917'504 bytes
MD5 hash:	3FC1CBFEB55E51328B28E08A65FFC7DE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	16:52:50
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:52:50
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=2076,i,13051042706878522089,9792886360243035223,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:52:50
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	16:52:51
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2252 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	16:52:56
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7444 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:52:56
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=8048 --field-trial-handle=2188,i,13235482263947715896,10099027810127236665,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:53:09
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:53:09
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=2136,i,8849430213272609994,7604835595753544960,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:53:10
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2548 --field-trial-handle=2136,i,8849430213272609994,7604835595753544960,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:53:17
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:53:17
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2672 --field-trial-handle=2500,i,17146880862222756229,18347558762585213172,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:53:17
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2692 --field-trial-handle=2500,i,17146880862222756229,18347558762585213172,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.2%
Total number of Nodes:	1383
Total number of Limit Nodes:	30

Executed Functions

Function 001642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0016430D

Part of subcall function 00166B57: _wcslen.LIBCMT ref: 00166B6A

GetCurrentProcess.KERNEL32(?,001FCB64,00000000,?,?), ref: 00164422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00164429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00164454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00164466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00164474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0016447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001644A0

Strings

GetNativeSystemInfo, xrefs: 00164460
kernel32.dll, xrefs: 0016444F
|O, xrefs: 001A36F8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 6a39be6de23fc014afdfdfb52c433b5e466e543b88d01fb173ae6efbb0c07471
Instruction ID: b4f1e8b58969ce1843dd0f290d2f6069b2d28b41722da3e7e0d3213687b9f7cb
Opcode Fuzzy Hash: 6a39be6de23fc014afdfdfb52c433b5e466e543b88d01fb173ae6efbb0c07471
Instruction Fuzzy Hash: 7BA1A27690A3C4DFC716CBB97C492E57FA47B26340B0858D9E09193B62D73046B8DB61

Function 001642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001650AA,?,?,00000000,00000000), ref: 001642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001650AA,?,?,00000000,00000000), ref: 001642C9
LoadResource.KERNEL32(?,00000000,?,?,001650AA,?,?,00000000,00000000,?,?,?,?,?,?,00164F20), ref: 001A35BE
SizeofResource.KERNEL32(?,00000000,?,?,001650AA,?,?,00000000,00000000,?,?,?,?,?,?,00164F20), ref: 001A35D3
LockResource.KERNEL32(001650AA,?,?,001650AA,?,?,00000000,00000000,?,?,?,?,?,?,00164F20,?), ref: 001A35E6

Strings

SCRIPT, xrefs: 001642BF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 898aaf85376becea2a1b600c045b8ec8816762437b653846f447506c4e499c59
Instruction ID: 8888b6c948784f6af7aa47914c4af4a4f7cc79446b78417c29927bf031ee1496
Opcode Fuzzy Hash: 898aaf85376becea2a1b600c045b8ec8816762437b653846f447506c4e499c59
Instruction Fuzzy Hash: C611AC71200304BFD7218B65ED58F277BB9EBC5B51F20416DF402C6650DB71DC20DA60

Function 001A2BA5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00162B6B

Part of subcall function 00163A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00162E7F,?,?,?,00000000), ref: 00163A78

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00222224), ref: 001A2C10
ShellExecuteW.SHELL32(00000000,?,?,00222224), ref: 001A2C17

Strings

runas, xrefs: 001A2C0B
?, xrefs: 001A2BD9

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas$?
API String ID: 448630720-3422060978
Opcode ID: c52b795a622f64f1a055d73988210ec394e170754747f36849ab45a2a4f7dc31
Instruction ID: 77c337a8518645b880706405d80ff75af5725dbdcd01fb3f4ad72aecc72bedba
Opcode Fuzzy Hash: c52b795a622f64f1a055d73988210ec394e170754747f36849ab45a2a4f7dc31
Instruction Fuzzy Hash: 3D11D031208345ABC714FFA4EC529BEB7A8EBB2340F44042DF192531A2CF318A7AD752

Function 001CDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,001A5222), ref: 001CDBCE
GetFileAttributesW.KERNELBASE(?), ref: 001CDBDD
FindFirstFileW.KERNEL32(?,?), ref: 001CDBEE
FindClose.KERNEL32(00000000), ref: 001CDBFA

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 471e59793bb7c7f2d10a8fe26da65bfc35dd76e23c8721c477de501342b754d9
Instruction ID: 5705a3ba8f85ce670afffa9c8d7b05a0c71e4f1d5cd45313c012f6b22ede005c
Opcode Fuzzy Hash: 471e59793bb7c7f2d10a8fe26da65bfc35dd76e23c8721c477de501342b754d9
Instruction Fuzzy Hash: E8F0A0308149185783206B78AE0D9BA376D9F02334B14471AF83AC24E0EBB0A994D6D9

Function 001EAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 001EB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001EB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001EB1D4
_wcslen.LIBCMT ref: 001EB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001EB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001EB236
_wcslen.LIBCMT ref: 001EB332

Part of subcall function 001D05A7: GetStdHandle.KERNEL32(000000F6), ref: 001D05C6

_wcslen.LIBCMT ref: 001EB34B
_wcslen.LIBCMT ref: 001EB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001EB3B6
GetLastError.KERNEL32(00000000), ref: 001EB407
CloseHandle.KERNEL32(?), ref: 001EB439
CloseHandle.KERNEL32(00000000), ref: 001EB44A
CloseHandle.KERNEL32(00000000), ref: 001EB45C
CloseHandle.KERNEL32(00000000), ref: 001EB46E
CloseHandle.KERNEL32(?), ref: 001EB4E3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 4fc2b88b14cd5323ce542f2c2027913ece87b27e473be6dfced22cbdfb0215c6
Instruction ID: 1ff87b249b68008b794af4accbae9a6de8066d353c8345d3e6cb53f0312727a1
Opcode Fuzzy Hash: 4fc2b88b14cd5323ce542f2c2027913ece87b27e473be6dfced22cbdfb0215c6
Instruction Fuzzy Hash: 4BF19B315087409FC714EF25C891B6FBBE1AF95314F14845DF89A9B2A2DB31EC44CB92

Function 0016D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0016D807
timeGetTime.WINMM ref: 0016DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0016DB28
TranslateMessage.USER32(?), ref: 0016DB7B
DispatchMessageW.USER32(?), ref: 0016DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0016DB9F
Sleep.KERNELBASE(0000000A), ref: 0016DBB1

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: c2c6308bdbe63493699cb4d1609d32863f5a2913ccbbe812247b7dc66595212a
Instruction ID: 3dd11138f4a76c6f7716a64b3dfe85d5370bb7e5cfff5262abbe6cf46d9affcc
Opcode Fuzzy Hash: c2c6308bdbe63493699cb4d1609d32863f5a2913ccbbe812247b7dc66595212a
Instruction Fuzzy Hash: 6342D130B08342EFD729CF24DC98BAABBE0BF56304F55855DE45587291D770E8A8CB92

Function 00162CD4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00162D07
RegisterClassExW.USER32(00000030), ref: 00162D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00162D42
InitCommonControlsEx.COMCTL32(?), ref: 00162D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00162D6F
LoadIconW.USER32(000000A9), ref: 00162D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00162D94

Strings

TaskbarCreated, xrefs: 00162D37
`k, xrefs: 00162D80, 00162D8E
+, xrefs: 00162CF0
0, xrefs: 00162CE9
AutoIt v3 GUI, xrefs: 00162D23

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated$`k
API String ID: 2914291525-4184186048
Opcode ID: 4d6cb94c311b4363a91e5b6466307e25a01364d83e93d339ff34422983cd317a
Instruction ID: 5951a29330394cb8fbd94423be6f926f2171f45d5740c035da5b6a5d47868e21
Opcode Fuzzy Hash: 4d6cb94c311b4363a91e5b6466307e25a01364d83e93d339ff34422983cd317a
Instruction Fuzzy Hash: 1021C3B590121CEFDB00DFA4EA49BEDBBB4FB08704F00811AF611A62A0D7B15594DF91

Function 001A065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001A039A: CreateFileW.KERNELBASE(00000000,00000000,?,001A0704,?,?,00000000,?,001A0704,00000000,0000000C), ref: 001A03B7

GetLastError.KERNEL32 ref: 001A076F
__dosmaperr.LIBCMT ref: 001A0776
GetFileType.KERNELBASE(00000000), ref: 001A0782
GetLastError.KERNEL32 ref: 001A078C
__dosmaperr.LIBCMT ref: 001A0795
CloseHandle.KERNEL32(00000000), ref: 001A07B5
CloseHandle.KERNEL32(?), ref: 001A08FF
GetLastError.KERNEL32 ref: 001A0931
__dosmaperr.LIBCMT ref: 001A0938

Strings

H, xrefs: 001A08BD

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 90eb41f736d89ddef4d85ae6048a7e9c3d7ca4dfa0f2b4c1744542dc9f68622f
Instruction ID: 29731abb5e386c670430df13e0067371192769d35d9bc96dce1515c1338a3bf4
Opcode Fuzzy Hash: 90eb41f736d89ddef4d85ae6048a7e9c3d7ca4dfa0f2b4c1744542dc9f68622f
Instruction Fuzzy Hash: 45A12536A001088FDF1AAF68D895BAE7BA1AB0A324F14015DF815EB3D1DB359D12CB91

Function 0016344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00163A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00162E7F,?,?,?,00000000), ref: 00163A78

Part of subcall function 00163357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00163379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0016356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 001A318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001A31CE
RegCloseKey.ADVAPI32(?), ref: 001A3210
_wcslen.LIBCMT ref: 001A3277
_wcslen.LIBCMT ref: 001A3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00163560
Include, xrefs: 001A3184, 001A31C5
\Include\, xrefs: 00163527
\, xrefs: 001A328C

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 90a8598ad9cfacf9651f151774ec820c859d02f2fe29e746797168d0d1f8a993
Instruction ID: 7cff90a1ca7268824273302f86a9fefe992915640bda03a62ac6923c6f911f4d
Opcode Fuzzy Hash: 90a8598ad9cfacf9651f151774ec820c859d02f2fe29e746797168d0d1f8a993
Instruction Fuzzy Hash: 32719C71404305DFC314EF65EC86AABBBE8FFA5740F50486EF555931A0EB309A48CBA2

Function 00162B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00162B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00162B9D
LoadIconW.USER32(00000063), ref: 00162BB3
LoadIconW.USER32(000000A4), ref: 00162BC5
LoadIconW.USER32(000000A2), ref: 00162BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00162BEF
RegisterClassExW.USER32(?), ref: 00162C40

Part of subcall function 00162CD4: GetSysColorBrush.USER32(0000000F), ref: 00162D07
Part of subcall function 00162CD4: RegisterClassExW.USER32(00000030), ref: 00162D31
Part of subcall function 00162CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00162D42
Part of subcall function 00162CD4: InitCommonControlsEx.COMCTL32(?), ref: 00162D5F
Part of subcall function 00162CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00162D6F
Part of subcall function 00162CD4: LoadIconW.USER32(000000A9), ref: 00162D85
Part of subcall function 00162CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00162D94

Strings

AutoIt v3, xrefs: 00162C2F
0, xrefs: 00162C0F
#, xrefs: 00162C16

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 277c273d3358dde55e44f73f822d74ac3a6eb056ffcce390ff70c6e3131d81fc
Instruction ID: 4edfb7439b1e141e9e88f09d3afa83aeaff9e93c2fc9f232cc242a8477c098f8
Opcode Fuzzy Hash: 277c273d3358dde55e44f73f822d74ac3a6eb056ffcce390ff70c6e3131d81fc
Instruction Fuzzy Hash: E8213B71E00318AFDB109FA6FD59BAD7FB4FB48B50F04009AF600A66A0D7B11564DF90

Function 0016B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0016BB4E

Strings

x##, xrefs: 001B0207
p%#, xrefs: 0016B8DC
x##, xrefs: 001B0168
p%#, xrefs: 0016BB32
p##, xrefs: 0016BB6B
p##, xrefs: 0016BA72
p##, xrefs: 001B024F
p##, xrefs: 001B0263

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p##$p##$p##$p##$p%#$p%#$x##$x##
API String ID: 1385522511-1113405841
Opcode ID: 533244efe345a2959eca7aa9e8474832e9497933280e1964de4a87f0d678407b
Instruction ID: bc0c41d803f7b8512c609395ed4583ea3eafa3733573d66a39d0d5d9119a2aff
Opcode Fuzzy Hash: 533244efe345a2959eca7aa9e8474832e9497933280e1964de4a87f0d678407b
Instruction Fuzzy Hash: F432E070A04209DFDB29CF58C8D8ABEB7B9FF48304F158099E905AB261C774ED95CB91

Function 00163170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0016316A,?,?), ref: 001631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0016316A,?,?), ref: 00163204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00163227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0016316A,?,?), ref: 00163232
CreatePopupMenu.USER32 ref: 00163246
PostQuitMessage.USER32(00000000), ref: 00163267

Strings

TaskbarCreated, xrefs: 0016322D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f2963c65ab2f6ed5b2b09ff5356d77fbccef92b2582cb21041fb173dc6209abb
Instruction ID: e63bdc48b158b8a9abd978842bf75c611d003de7c23a7ea7a5d162cd7f26f7a6
Opcode Fuzzy Hash: f2963c65ab2f6ed5b2b09ff5356d77fbccef92b2582cb21041fb173dc6209abb
Instruction Fuzzy Hash: 5F417C39254204ABDB182B7CED5DB793A69EB07300F05012DFA22C65A2CB71DFB0D7A1

Function 00162C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00162C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00162CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00161CAD,?), ref: 00162CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00161CAD,?), ref: 00162CCF

Strings

AutoIt v3, xrefs: 00162C89, 00162C8E, 00162C8F
edit, xrefs: 00162CAC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: f1380bbb687e3d7b6f2ab0ae372b5933d3a687c6485a97db1fc90d4e7c2b78d6
Instruction ID: c835641d850ded9d10589437fe391043d560b39565d1fc41edd4d7f94bc68330
Opcode Fuzzy Hash: f1380bbb687e3d7b6f2ab0ae372b5933d3a687c6485a97db1fc90d4e7c2b78d6
Instruction Fuzzy Hash: EDF0DA755402987AEB311717BC0CEB77EBDE7C6F50B00009AFA00A35A0C6611864EEB0

Function 001610F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00161BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00161BF4
Part of subcall function 00161BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00161BFC
Part of subcall function 00161BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00161C07
Part of subcall function 00161BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00161C12
Part of subcall function 00161BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00161C1A
Part of subcall function 00161BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00161C22

Part of subcall function 00161B4A: RegisterWindowMessageW.USER32(00000004,?,001612C4), ref: 00161BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0016136A
OleInitialize.OLE32 ref: 00161388
CloseHandle.KERNEL32(00000000,00000000), ref: 001A24AB

Strings

}, xrefs: 0016116A
X], xrefs: 00161174

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: X]$}
API String ID: 1986988660-3930791086
Opcode ID: 14f1070e53b673ef3b87037e67497559f5c5b4de2b0a0c91b7f8dfa75b34f335
Instruction ID: dca0b253e8474876a00f5c011a2f396008cb9e0af02ce72c2c39736fe019758f
Opcode Fuzzy Hash: 14f1070e53b673ef3b87037e67497559f5c5b4de2b0a0c91b7f8dfa75b34f335
Instruction Fuzzy Hash: A771CBB59113048FD384EF79BE4D6657AE4FB98344798822AD50AD7361EB308431CF94

Function 001CE97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001CE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001CE9A5
Sleep.KERNEL32(00000000), ref: 001CE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001CE9B7
Sleep.KERNELBASE ref: 001CE9F3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 19af1540f1cc67303f3a263969e7b4843af7c0b76b388a1755e717f5276e0684
Instruction ID: c1a34a2c6ee5dac762bb77e1857b86006a22270f512f4fd0c7f9f27371d49a32
Opcode Fuzzy Hash: 19af1540f1cc67303f3a263969e7b4843af7c0b76b388a1755e717f5276e0684
Instruction Fuzzy Hash: B8016931C0562DDBCF00AFE4DD59AEDBBB8FF19304F01054AE902B2240CB3096A1DBA2

Function 001986AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,001985CC,?,00228CC8,0000000C), ref: 00198704
GetLastError.KERNEL32(?,001985CC,?,00228CC8,0000000C), ref: 0019870E
__dosmaperr.LIBCMT ref: 00198739

Strings

`, xrefs: 001986C8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID: `
API String ID: 490808831-4168407445
Opcode ID: 676ce00bef2279572542912dc7b9afa0c96a5112c8dd375250cbabf0eb7fc8ff
Instruction ID: 89d93aef37a7996696d2435f2e8d084c394b51f78985a61f3945212b071ae6b6
Opcode Fuzzy Hash: 676ce00bef2279572542912dc7b9afa0c96a5112c8dd375250cbabf0eb7fc8ff
Instruction Fuzzy Hash: A4012633E0562026DF296274A849B7E6B5A5B93B74F390119F9189F1D2DFA0CD81C290

Function 00163B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00163B0F,SwapMouseButtons,00000004,?), ref: 00163B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00163B0F,SwapMouseButtons,00000004,?), ref: 00163B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00163B0F,SwapMouseButtons,00000004,?), ref: 00163B83

Strings

Control Panel\Mouse, xrefs: 00163B3E

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5d0ff80b39b03de3f2c6542165e0e380d2446faf5a3cdd2a9197cf8bb993ce87
Instruction ID: d5b8042f68e4304d2b5a6827f1fb0e73ea6286b6073826d8e99597c79c0c50d6
Opcode Fuzzy Hash: 5d0ff80b39b03de3f2c6542165e0e380d2446faf5a3cdd2a9197cf8bb993ce87
Instruction Fuzzy Hash: B81157B5610208FFDB208FA4DC84EEEBBB8EF41740B10846AB811D7110E7319E50ABA0

Function 00163923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001A33A2

Part of subcall function 00166B57: _wcslen.LIBCMT ref: 00166B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00163A04

Strings

Line: , xrefs: 001A33EB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: b27fa87ac4a2ed55e059395b5caf4c92dd6e669d70de4d572377f54a1265ae3f
Instruction ID: 7b7b59ce5f5a85d8a3ca56a7b76bc5938341c46f2795fcf4433c1aff1c0deeeb
Opcode Fuzzy Hash: b27fa87ac4a2ed55e059395b5caf4c92dd6e669d70de4d572377f54a1265ae3f
Instruction Fuzzy Hash: 1631E471408304ABD725EB20EC45BEBB7D8AF55714F00456EF5A9931D1DF709A68CBC2

Function 00162DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 001A2C8C

Part of subcall function 00163AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00163A97,?,?,00162E7F,?,?,?,00000000), ref: 00163AC2

Part of subcall function 00162DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00162DC4

Strings

X, xrefs: 001A2C5A
`e", xrefs: 001A2C85

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e"
API String ID: 779396738-1680629336
Opcode ID: 043fff0c1d9f7f9c2e8c0f3a81988d05d7a7db7a205aed91121e3775b151cee2
Instruction ID: c9dfe3de55f3ada5970a6c76ef71e32b10d0d7bdeb9f4a4b5026be9f3f89e74c
Opcode Fuzzy Hash: 043fff0c1d9f7f9c2e8c0f3a81988d05d7a7db7a205aed91121e3775b151cee2
Instruction Fuzzy Hash: A921A571A10298AFCB01EFD4DC49BEE7BF8AF59314F008059E405E7241DBB45A99CFA1

Function 0017FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00180668

Part of subcall function 001832A4: RaiseException.KERNEL32(?,?,?,0018068A,?,00231444,?,?,?,?,?,?,0018068A,00161129,00228738,00161129), ref: 00183304

__CxxThrowException@8.LIBVCRUNTIME ref: 00180685

Strings

Unknown exception, xrefs: 00180692

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 7719997f1aae04370d88b26ffa055a1064f13992080996355496547eaa7a2783
Instruction ID: 6015b990dd0394655e8cf01338ef66c6bd21de8ed16bd41cf0cf6a38320559bf
Opcode Fuzzy Hash: 7719997f1aae04370d88b26ffa055a1064f13992080996355496547eaa7a2783
Instruction Fuzzy Hash: 46F0C23490020DB78B15BAA4E856C9E7B7C5F14710B608535B928965D1EF71DB2ACF90

Function 001CC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00163923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00163A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001CC259
KillTimer.USER32(?,00000001,?,?), ref: 001CC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001CC270

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 852d2e32fb259929ff84f1c5cfbf26c67baeb62f4b5f6773af84ec2dac945ca2
Instruction ID: 509c23fa4a6ba4fcf272d1c44278348a7ba76138ba371584ad9b36955b79715a
Opcode Fuzzy Hash: 852d2e32fb259929ff84f1c5cfbf26c67baeb62f4b5f6773af84ec2dac945ca2
Instruction Fuzzy Hash: E8319370904344AFEB329F648895BEBBBECAB26308F04049ED5DE97241C7749E84CF91

Function 0016DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0016DB7B
DispatchMessageW.USER32(?), ref: 0016DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0016DB9F
Sleep.KERNELBASE(0000000A), ref: 0016DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 001B1CC9

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: c9d10c5fcc1d46851703a95a588b60c780e361270f0e73cf979ee6dd282f0b6d
Instruction ID: 391cb8ebeba91b6f351e37e947c4fdcf139e8b621a933de58ceeb04a674c29fa
Opcode Fuzzy Hash: c9d10c5fcc1d46851703a95a588b60c780e361270f0e73cf979ee6dd282f0b6d
Instruction Fuzzy Hash: 56F05E316043449BE730DBA0DC59FEA73ACEB85310F504A19E61A830D0DB30A498DB55

Function 00171310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001717F6

Strings

CALL, xrefs: 001717C6

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 65e3f1d1c1087e53818f988a0629ea3efcb305816a2c69fd4c01e32cf62f7d1f
Instruction ID: 1239584d88a3373c25b5c4cd2df14750fc3789e2aa8b8e0109a8824ca770ab93
Opcode Fuzzy Hash: 65e3f1d1c1087e53818f988a0629ea3efcb305816a2c69fd4c01e32cf62f7d1f
Instruction Fuzzy Hash: D0229B70608301EFC718DF18C884A6ABBF1BFA9314F14891DF49A8B361D775E955CB92

Function 00164ECB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00164E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00164EDD,?,?,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00164E9C
Part of subcall function 00164E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00164EAE
Part of subcall function 00164E90: FreeLibrary.KERNEL32(00000000,?,?,00164EDD,?,?,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00164EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00164EFD

Part of subcall function 00164E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,001A3CDE,?,?,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00164E62
Part of subcall function 00164E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00164E74
Part of subcall function 00164E59: FreeLibrary.KERNEL32(00000000,?,?,001A3CDE,?,?,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00164E87

Strings

?, xrefs: 00164ED1

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID: ?
API String ID: 2632591731-3073664681
Opcode ID: 9dd9510977ddf09fd97d6f887fc23d82b091c8bb16aec4c20d07395b1ca9768c
Instruction ID: 7df32854eb133c1500ad361091ca3b4146156cd9a54276c0c9db7efc3f14f015
Opcode Fuzzy Hash: 9dd9510977ddf09fd97d6f887fc23d82b091c8bb16aec4c20d07395b1ca9768c
Instruction Fuzzy Hash: 4E113636600305EBCF15FF64DC02FAD77A5AF60710F20842EF552A61C1EF759A259B90

Function 00163837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00163908

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: e2ad0045191f2ebd504305d37d68ca3b332a9974eea86540ac47566db46ec91d
Instruction ID: dc91eac7269e43c034003d3ef13391f8e4a11300062081ae51f737e1cc4f32c0
Opcode Fuzzy Hash: e2ad0045191f2ebd504305d37d68ca3b332a9974eea86540ac47566db46ec91d
Instruction Fuzzy Hash: 3E31A2705047019FD721DF24D8947D7BBE8FB49708F00096EF9AA83240E771AA64CB92

Function 0017F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0017F661

Part of subcall function 0016D730: GetInputState.USER32 ref: 0016D807

Sleep.KERNEL32(00000000), ref: 001BF2DE

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 9359f9dc0011df12be7a567e989715f1e17b543d8b192088769ab94d273c444c
Instruction ID: f9fed2d3c471a49b661a8a05d23a26c1d1946bbfc426c6a80c906d4a2d3f7e32
Opcode Fuzzy Hash: 9359f9dc0011df12be7a567e989715f1e17b543d8b192088769ab94d273c444c
Instruction Fuzzy Hash: 77F08C312446159FD314EF69E949BAAB7E8EF55760F004029E85AC73A0EB70A850CB91

Function 001F2598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 001F2649

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: bc256ff4c77dba371842995d855fd485fe6359352de0edc212752f5a98bd3f5d
Instruction ID: 5f400d2a7315fe3585ec764d6994f7b7421ad17b5433aedd4b554b502b1e6b1a
Opcode Fuzzy Hash: bc256ff4c77dba371842995d855fd485fe6359352de0edc212752f5a98bd3f5d
Instruction Fuzzy Hash: 8D210474200619AFD710DF18CCD0D76B79AEF54368B64806CE9968B3A2C771ED41CB90

Function 001F13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 001F1420

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 8acfe8dd01951b50d0e64710c67710d8da9374fac2cb04c456e1457c7828912e
Instruction ID: 8927fb57e54d7f0dad2c3b846afcf39d19dd837931a16fec7bdf3a7b63871411
Opcode Fuzzy Hash: 8acfe8dd01951b50d0e64710c67710d8da9374fac2cb04c456e1457c7828912e
Instruction Fuzzy Hash: 64317E30604246EFD714EF29C491B79B7A2FF95328F0481A8E95A4B292DB71EC51CBD0

Function 00198402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00198440

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d7f9668cee89b557c77f5286a8c8a5328c847779b9d556a8e61626214fe1aabb
Instruction ID: 3973b582622aa4b79768e3c1d8515d51ca01870e8ee590d9f5b723cad5fcb511
Opcode Fuzzy Hash: d7f9668cee89b557c77f5286a8c8a5328c847779b9d556a8e61626214fe1aabb
Instruction Fuzzy Hash: 5011187590410AAFCF05DF58E941A9A7BF5EF49314F114069F808AB312DB31EA11CBA5

Function 001F29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,001F14B5,?), ref: 001F2A01

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 6649bf80b9064d24588948ec3981b0d8b67885be04016142bc72c24cbd953439
Instruction ID: 6b9e00f34ab9335eb7f1287e49a9501eea0dd5319e4ce84acca18453ea2a3185
Opcode Fuzzy Hash: 6649bf80b9064d24588948ec3981b0d8b67885be04016142bc72c24cbd953439
Instruction Fuzzy Hash: 6201D436300A559FD325CA2CC454F327792FBC5318F298568C2478B691DB72FC42C7A0

Function 0018E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 78fbc313d513b5382f38c3d2a70f84edd8bbbaf4cc707bbaa9f0358659c17585
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: CBF02832910B14A7DB313A699C05B5A33D89F72334F240719F424931E2EB70EA028FA5

Function 001F149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 001F14EB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 333198cca646883cde8fa23fff36dbf84410d077302e90a16fcf9eaaefc44704
Instruction ID: ccb6d9c45956bde3c70d5edaad54aa55a2a202a6b318c12f8707fd316dbffa75
Opcode Fuzzy Hash: 333198cca646883cde8fa23fff36dbf84410d077302e90a16fcf9eaaefc44704
Instruction Fuzzy Hash: 9901D435308659EF9320DF69C450836BB95FF943247548099E94A8B702D772DD82CBC0

Function 00193820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00231444,?,0017FDF5,?,?,0016A976,00000010,00231440,001613FC,?,001613C6,?,00161129), ref: 00193852

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c834b1e420f1a35b325724b54836ef779544cd7c45a15fbae322a87fec700b85
Instruction ID: 3a4fbd83b83092d7a5ac3e591bbf0fc8f53b22d3e6f260eac4b36b4072b47b1c
Opcode Fuzzy Hash: c834b1e420f1a35b325724b54836ef779544cd7c45a15fbae322a87fec700b85
Instruction Fuzzy Hash: 02E02B3110022597DF3136779C04B9B3749AF52BB0F050365BC35928D0CF10DE0196E0

Function 00164F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00164F6D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e89712fd99695cf8145d039297e0ad58dd60b562379cce5b7a93f062d26c48e3
Instruction ID: 2340daccf8c86677c627349444b5502c5679321d69793dd84c00aabdc6e4f056
Opcode Fuzzy Hash: e89712fd99695cf8145d039297e0ad58dd60b562379cce5b7a93f062d26c48e3
Instruction Fuzzy Hash: 27F03071105751CFDB389F68D890822B7E4AF2431932089BEE1DA82511C7319864DF50

Function 001F2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001F2A66

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 23fb2c4087b36af5bfccaaa2c1356d4b80139cbe85e1b4667684b4dc006b2443
Instruction ID: ca0e48a04d29417f167edeea9c74f6a16ecdcf2b5bafbf88d51017ce44c7f9bc
Opcode Fuzzy Hash: 23fb2c4087b36af5bfccaaa2c1356d4b80139cbe85e1b4667684b4dc006b2443
Instruction Fuzzy Hash: 5EE04F3635411AABC715EA30EC909FA735CEB70395710453AED26C3600DB30D995D6E0

Function 00162DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00162DC4

Part of subcall function 00166B57: _wcslen.LIBCMT ref: 00166B6A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e796a5a4670283882a4d280c38de6779a8ccdc62a5cdf28fde0eddb01b894f02
Instruction ID: 8393c81673fe32500736616918a2101305ab8a7fc92667a69fd8810da108a32a
Opcode Fuzzy Hash: e796a5a4670283882a4d280c38de6779a8ccdc62a5cdf28fde0eddb01b894f02
Instruction Fuzzy Hash: 9EE0CD766001245BC71096589C05FEA77DDDFC8790F044071FD09D7248DA60AD84C590

Function 00162B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00163837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00163908

Part of subcall function 0016D730: GetInputState.USER32 ref: 0016D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00162B6B

Part of subcall function 001630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0016314E

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: ec22352063f721ceff749c3c7851fadd66f1c6f2f537470f01c81275ed86d7f3
Instruction ID: 82aeb3c6a938de19f0fabe47d8f8d550de8a81fc2d3bb2e4219304d4e1fa0e14
Opcode Fuzzy Hash: ec22352063f721ceff749c3c7851fadd66f1c6f2f537470f01c81275ed86d7f3
Instruction Fuzzy Hash: 34E0862170424807C608BB75BC565BDB75DDBF1355F40153EF592471A2CF2485798252

Function 001C3D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001C3D18

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 753af9dc98e0cc88100e8c9849451c72fb0378ced0f8994af4b8c90509a32fa2
Instruction ID: 2ed47c4d67d32c4918c565f0171b47b4538aa21cecf9f636d1f919acbbdf4f34
Opcode Fuzzy Hash: 753af9dc98e0cc88100e8c9849451c72fb0378ced0f8994af4b8c90509a32fa2
Instruction Fuzzy Hash: 7CD012E06A43087EFB0083718D0BEBB329CC716A81F004BA47A02D69C1E9A0DE084170

Function 001A039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,001A0704,?,?,00000000,?,001A0704,00000000,0000000C), ref: 001A03B7

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2b24a210ee8d294b497aecc09a3ea2cc8f5336e11de859150d65d7fb280d3656
Instruction ID: 6baa456517a1b61b19ccbd124c324051648cfbdbbfa919c25329b53a174b4a34
Opcode Fuzzy Hash: 2b24a210ee8d294b497aecc09a3ea2cc8f5336e11de859150d65d7fb280d3656
Instruction Fuzzy Hash: D2D06C3204010DFBDF029F84DD06EDA3BAAFB48714F014000BE1856020C732E871EB90

Function 00161CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00161CBC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: da776efd1d1c161b2e9ba1ccf28661add1d20cd45d6700d1edd940f10403b751
Instruction ID: 11544427dc05d5a1554abb591a61d85562a51d67e29d13e1bb8e437a5b798cbd
Opcode Fuzzy Hash: da776efd1d1c161b2e9ba1ccf28661add1d20cd45d6700d1edd940f10403b751
Instruction Fuzzy Hash: 34C09236380309EFF2188B80BD4EF207764A348B01F448001F609AA9F3C3A22868EA90

Non-executed Functions

Function 001F9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00179BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00179BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001F961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001F965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001F969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001F96C9
SendMessageW.USER32 ref: 001F96F2
GetKeyState.USER32(00000011), ref: 001F978B
GetKeyState.USER32(00000009), ref: 001F9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001F97AE
GetKeyState.USER32(00000010), ref: 001F97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001F97E9
SendMessageW.USER32 ref: 001F9810
SendMessageW.USER32(?,00001030,?,001F7E95), ref: 001F9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001F992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001F9941
SetCapture.USER32(?), ref: 001F994A
ClientToScreen.USER32(?,?), ref: 001F99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001F99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001F99D6
ReleaseCapture.USER32 ref: 001F99E1
GetCursorPos.USER32(?), ref: 001F9A19
ScreenToClient.USER32(?,?), ref: 001F9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001F9A80
SendMessageW.USER32 ref: 001F9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001F9AEB
SendMessageW.USER32 ref: 001F9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001F9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001F9B4A
GetCursorPos.USER32(?), ref: 001F9B68
ScreenToClient.USER32(?,?), ref: 001F9B75
GetParent.USER32(?), ref: 001F9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001F9BFA
SendMessageW.USER32 ref: 001F9C2B
ClientToScreen.USER32(?,?), ref: 001F9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001F9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001F9CDE
SendMessageW.USER32 ref: 001F9D01
ClientToScreen.USER32(?,?), ref: 001F9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001F9D82

Part of subcall function 00179944: GetWindowLongW.USER32(?,000000EB), ref: 00179952

GetWindowLongW.USER32(?,000000F0), ref: 001F9E05

Strings

@GUI_DRAGID, xrefs: 001F997D
p##, xrefs: 001F9990
F, xrefs: 001F9D07

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p##
API String ID: 3429851547-1232008447
Opcode ID: 1b0bddfdc2f81e2d57274da857aee0dfbb44e2394861319aceef04d708c4e1b4
Instruction ID: 94259913afe305e96d65994022d39d60f6431e1b27849ac7193f275f20f051d0
Opcode Fuzzy Hash: 1b0bddfdc2f81e2d57274da857aee0dfbb44e2394861319aceef04d708c4e1b4
Instruction Fuzzy Hash: 67428C74208248AFD724EF24CD44BBABBE5FF48720F140619F699C76A1D731A8A4DF91

Function 001F4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001F48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001F4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001F4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001F494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001F495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001F497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001F49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001F49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001F4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001F4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001F4A7E
IsMenu.USER32(?), ref: 001F4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001F4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001F4B20
GetWindowLongW.USER32(?,000000F0), ref: 001F4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001F4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001F4C82
wsprintfW.USER32 ref: 001F4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001F4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001F4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001F4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001F4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001F4D5A

Strings

%d/%02d/%02d, xrefs: 001F4CA8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 15c4148eedd562c5abb4dc7900101b3cf7b3a5a6b33a9ba14f6cab0229dd451c
Instruction ID: 6deb4016bd950327e359f22e42c51c8d688b7604371bcad8e1932a26c1f96fd8
Opcode Fuzzy Hash: 15c4148eedd562c5abb4dc7900101b3cf7b3a5a6b33a9ba14f6cab0229dd451c
Instruction Fuzzy Hash: 7712BE71600258ABEB258F68CD49FBF7BF8AF45710F104129FA1AEB2E1DB749941CB50

Function 0017F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0017F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001BF474
IsIconic.USER32(00000000), ref: 001BF47D
ShowWindow.USER32(00000000,00000009), ref: 001BF48A
SetForegroundWindow.USER32(00000000), ref: 001BF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001BF4AA
GetCurrentThreadId.KERNEL32 ref: 001BF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001BF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 001BF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 001BF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 001BF4DE
SetForegroundWindow.USER32(00000000), ref: 001BF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 001BF4F6
keybd_event.USER32(00000012,00000000), ref: 001BF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 001BF50B
keybd_event.USER32(00000012,00000000), ref: 001BF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 001BF519
keybd_event.USER32(00000012,00000000), ref: 001BF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 001BF528
keybd_event.USER32(00000012,00000000), ref: 001BF52D
SetForegroundWindow.USER32(00000000), ref: 001BF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 001BF557

Strings

Shell_TrayWnd, xrefs: 001BF46F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 8d72ed2657bc3a58d702dccde764e6486a7eb0213d2d74bd7ded9934e090f70b
Instruction ID: ea2b95e3398e723fe81772d081e01ccbc9f0a213df49b2840108267153539f68
Opcode Fuzzy Hash: 8d72ed2657bc3a58d702dccde764e6486a7eb0213d2d74bd7ded9934e090f70b
Instruction Fuzzy Hash: 15315D71B4021CBAEB206BB55D4AFBF7E6CEB44B50F104069FA01EA1D1C7B05941EEA0

Function 001C1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001C170D
Part of subcall function 001C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001C173A
Part of subcall function 001C16C3: GetLastError.KERNEL32 ref: 001C174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001C1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001C12A8
CloseHandle.KERNEL32(?), ref: 001C12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001C12D1
GetProcessWindowStation.USER32 ref: 001C12EA
SetProcessWindowStation.USER32(00000000), ref: 001C12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001C1310

Part of subcall function 001C10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001C11FC), ref: 001C10D4
Part of subcall function 001C10BF: CloseHandle.KERNEL32(?,?,001C11FC), ref: 001C10E9

Strings

default, xrefs: 001C130B
, xrefs: 001C125A
Z", xrefs: 001C1392
winsta0, xrefs: 001C12CC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z"
API String ID: 22674027-648697464
Opcode ID: 5984389799714c8ab0482d8d8db0181771a84406fcf112db57f4cedd57bc2025
Instruction ID: 44a2fb300b60f4f72637b7dc001f9fca46c8b17f63cd6f406debf59c15d1d1a2
Opcode Fuzzy Hash: 5984389799714c8ab0482d8d8db0181771a84406fcf112db57f4cedd57bc2025
Instruction Fuzzy Hash: 3881C971980209BBDF259FA4DD49FEE7BB9EF19300F14416DF910A22A2C730CA85DB60

Function 001C0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001C1114
Part of subcall function 001C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001C0B9B,?,?,?), ref: 001C1120
Part of subcall function 001C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001C0B9B,?,?,?), ref: 001C112F
Part of subcall function 001C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001C0B9B,?,?,?), ref: 001C1136
Part of subcall function 001C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001C0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001C0C00
GetLengthSid.ADVAPI32(?), ref: 001C0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001C0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001C0C6D
GetLengthSid.ADVAPI32(?), ref: 001C0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001C0C8C
HeapAlloc.KERNEL32(00000000), ref: 001C0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001C0CB4
CopySid.ADVAPI32(00000000), ref: 001C0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001C0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001C0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001C0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001C0D45
HeapFree.KERNEL32(00000000), ref: 001C0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001C0D55
HeapFree.KERNEL32(00000000), ref: 001C0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001C0D65
HeapFree.KERNEL32(00000000), ref: 001C0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001C0D78
HeapFree.KERNEL32(00000000), ref: 001C0D7F

Part of subcall function 001C1193: GetProcessHeap.KERNEL32(00000008,001C0BB1,?,00000000,?,001C0BB1,?), ref: 001C11A1
Part of subcall function 001C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001C0BB1,?), ref: 001C11A8
Part of subcall function 001C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001C0BB1,?), ref: 001C11B7

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 927389fb4d231771287c156bae7f641cec1764e8472696368cbcf576bdc7ff88
Instruction ID: 6ec322335061f1b7a9b0ff78773df2e8a1467990baab565b1876334e53f1c445
Opcode Fuzzy Hash: 927389fb4d231771287c156bae7f641cec1764e8472696368cbcf576bdc7ff88
Instruction Fuzzy Hash: 557199B690020AEBDF119FE4DD44FBEBBB8BF18700F044219F905A6191DB70EA45CBA0

Function 001DEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001FCC08), ref: 001DEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001DEB37
GetClipboardData.USER32(0000000D), ref: 001DEB43
CloseClipboard.USER32 ref: 001DEB4F
GlobalLock.KERNEL32(00000000), ref: 001DEB87
CloseClipboard.USER32 ref: 001DEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 001DEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001DEBC9
GetClipboardData.USER32(00000001), ref: 001DEBD1
GlobalLock.KERNEL32(00000000), ref: 001DEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 001DEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001DEC38
GetClipboardData.USER32(0000000F), ref: 001DEC44
GlobalLock.KERNEL32(00000000), ref: 001DEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001DEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001DEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001DECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 001DECF3
CountClipboardFormats.USER32 ref: 001DED14
CloseClipboard.USER32 ref: 001DED59

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 61159f3203af33d901327e7a87a9f03987c386ddc840c22992eaa9b9a7bdae2b
Instruction ID: 00df3eafa7981cc232baf782f38d6ef3ca000793d62ac624312061a12551f80f
Opcode Fuzzy Hash: 61159f3203af33d901327e7a87a9f03987c386ddc840c22992eaa9b9a7bdae2b
Instruction Fuzzy Hash: A661BC342042069FD300EF64DD98F3A77E8AF94715F14451EF4569B3A2CB31E989DBA2

Function 001D698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001D69BE
FindClose.KERNEL32(00000000), ref: 001D6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001D6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001D6A75

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001D6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001D6ADF

Strings

%02d, xrefs: 001D6C00, 001D6C0A, 001D6C5A, 001D6CAA, 001D6CFA, 001D6D4A
%03d, xrefs: 001D6DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 001D6B32
%4d%02d%02d%02d%02d%02d, xrefs: 001D6B6A
%4d, xrefs: 001D6BB1

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 8a86ba2d0f3a6745662b4a3362c9a7e9f9573471722fb7ffca2d71a9b47df740
Instruction ID: 9db1204c19818dacfaf7de59cdfc10e502ac4b8aa89517f4c5558175254e7fa4
Opcode Fuzzy Hash: 8a86ba2d0f3a6745662b4a3362c9a7e9f9573471722fb7ffca2d71a9b47df740
Instruction Fuzzy Hash: 38D16072508300AFC314EBA4DD91EABB7ECAF98704F04491EF589D7291EB74DA54CB62

Function 001D9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001D9663
GetFileAttributesW.KERNEL32(?), ref: 001D96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001D96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001D96D3
FindClose.KERNEL32(00000000), ref: 001D96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001D96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001D974A
SetCurrentDirectoryW.KERNEL32(00226B7C), ref: 001D9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001D9772
FindClose.KERNEL32(00000000), ref: 001D977F
FindClose.KERNEL32(00000000), ref: 001D978F

Strings

*.*, xrefs: 001D96F5

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: aba5b4f59f70844e0419ce63a19c4fb3d2e6746b8c7a3d9a2abe519e5636e284
Instruction ID: d21b04aeea836cf030c1d020ba3b0d6df019585c3bb3aeabd57df2a2211aaf66
Opcode Fuzzy Hash: aba5b4f59f70844e0419ce63a19c4fb3d2e6746b8c7a3d9a2abe519e5636e284
Instruction Fuzzy Hash: E731C03254021DAADF14AFB4ED08AEE77ADEF09320F104156F805E22A0DB34DA84DF90

Function 001D979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001D97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001D9819
FindClose.KERNEL32(00000000), ref: 001D9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001D9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001D9890
SetCurrentDirectoryW.KERNEL32(00226B7C), ref: 001D98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001D98B8
FindClose.KERNEL32(00000000), ref: 001D98C5
FindClose.KERNEL32(00000000), ref: 001D98D5

Part of subcall function 001CDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001CDB00

Strings

*.*, xrefs: 001D983B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: d14305a4d50f26905c3be92e60cb7386aed8080c34c588a90cb0656276b4e6ff
Instruction ID: 43480a7c9f426c84fcab7b20d3c32317d595b882d6e666eab4848cbe23586f48
Opcode Fuzzy Hash: d14305a4d50f26905c3be92e60cb7386aed8080c34c588a90cb0656276b4e6ff
Instruction Fuzzy Hash: 7F31D43254021DBEDF14EFB4EC48AEE77ADEF06724F144156E854A22A1DB30DA85EF60

Function 001EBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001EB6AE,?,?), ref: 001EC9B5
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001EC9F1
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001ECA68
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001EBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001EBFA9
RegCloseKey.ADVAPI32(00000000), ref: 001EBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001EC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001EC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001EC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001EC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 001EC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001EC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001EC382
RegCloseKey.ADVAPI32(00000000), ref: 001EC38F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: d9d9ada079ab495c8babbe5d1906037c20ddb51362d36765a7e62f4e86cad238
Instruction ID: 26252bec6871d76e6b697ffca719bfaca9ff57424529247e1da51f2ebc11c285
Opcode Fuzzy Hash: d9d9ada079ab495c8babbe5d1906037c20ddb51362d36765a7e62f4e86cad238
Instruction Fuzzy Hash: 4E024E716046409FD714CF29C891E2ABBE5FF49318F19849DF84ADB2A2DB31EC46CB91

Function 001D8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001D8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001D8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001D8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001D8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001D8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001D8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001D838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001D8395

Strings

*.*, xrefs: 001D839B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5f1af325d09de6f3e03b906dae77304bc841e13c37e68f03a648722fd6da46cd
Instruction ID: 9d40776374814c484a7d4a82b02182c2899caceda468b2a514b01db57f9089a3
Opcode Fuzzy Hash: 5f1af325d09de6f3e03b906dae77304bc841e13c37e68f03a648722fd6da46cd
Instruction Fuzzy Hash: 8A616A72508345AFCB10EF64D8409AEB3E8FF99314F04495EF98AC7251EB31E955CB92

Function 001CD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00163AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00163A97,?,?,00162E7F,?,?,?,00000000), ref: 00163AC2

Part of subcall function 001CE199: GetFileAttributesW.KERNEL32(?,001CCF95), ref: 001CE19A

FindFirstFileW.KERNEL32(?,?), ref: 001CD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001CD1DD
MoveFileW.KERNEL32(?,?), ref: 001CD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001CD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001CD237

Part of subcall function 001CD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001CD21C,?,?), ref: 001CD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001CD253
FindClose.KERNEL32(00000000), ref: 001CD264

Strings

\*.*, xrefs: 001CD0CD, 001CD0D6, 001CD0EB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 47b7451ffb1bc9e49684f12487588bc66d07160fd3de344a15c154ffba9941e1
Instruction ID: 174e4ba09a959d9876467008806bec4684217d5dd7d15c6c563e2ac02d05cfd9
Opcode Fuzzy Hash: 47b7451ffb1bc9e49684f12487588bc66d07160fd3de344a15c154ffba9941e1
Instruction Fuzzy Hash: 3B61253180110DABCF05EBA0EE92EEDB7B9AF75300F644169E40277191EB30AF19DB61

Function 001DED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001DED91
EmptyClipboard.USER32 ref: 001DED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001DEDAC
CloseClipboard.USER32 ref: 001DEEA3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 392c330a7fd4e10d1154c99b9be95b01df07b08a9655c82fe22235841429508a
Instruction ID: 000c025a494f312874e1517a82ea6d1cfddc1c0aa198130de7c9e53cdf331ff9
Opcode Fuzzy Hash: 392c330a7fd4e10d1154c99b9be95b01df07b08a9655c82fe22235841429508a
Instruction Fuzzy Hash: 2F418E35604611AFE720EF55D888B2ABBE5EF44329F14C09AE4558FB62C775EC81CBD0

Function 001CE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001C170D
Part of subcall function 001C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001C173A
Part of subcall function 001C16C3: GetLastError.KERNEL32 ref: 001C174A

ExitWindowsEx.USER32(?,00000000), ref: 001CE932

Strings

@, xrefs: 001CE925
SeShutdownPrivilege, xrefs: 001CE902
, xrefs: 001CE920
, xrefs: 001CE95C

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 6c5f4f71402e4fb8d71ecbf214bc2922fe762c772546bc79d3e777bd6b007d54
Instruction ID: 28f0166237575336444dda0fabc9a00b73e24ebea3a0e1c7815fe5b5aa36e8ff
Opcode Fuzzy Hash: 6c5f4f71402e4fb8d71ecbf214bc2922fe762c772546bc79d3e777bd6b007d54
Instruction Fuzzy Hash: 19012632610224BBEB6426B89C8AFBF729CA735748F150529F802E20D2DBB0DC80C6D0

Function 001E1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 001E1276
WSAGetLastError.WSOCK32 ref: 001E1283
bind.WSOCK32(00000000,?,00000010), ref: 001E12BA
WSAGetLastError.WSOCK32 ref: 001E12C5
closesocket.WSOCK32(00000000), ref: 001E12F4
listen.WSOCK32(00000000,00000005), ref: 001E1303
WSAGetLastError.WSOCK32 ref: 001E130D
closesocket.WSOCK32(00000000), ref: 001E133C

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: f66d84df68012be78759c34e2555b22ce435c7ef28f16b85827f85b2cfccae79
Instruction ID: 89e0c1358bfa59766c52d80dbe97dbccacaf9f871267b0f3e876d35f39893459
Opcode Fuzzy Hash: f66d84df68012be78759c34e2555b22ce435c7ef28f16b85827f85b2cfccae79
Instruction Fuzzy Hash: EC41B331600541AFD710DF65D988B69BBE6BF86318F288188E9569F3D2C771EC81CBE1

Function 0019B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0019B9D4
_free.LIBCMT ref: 0019B9F8
_free.LIBCMT ref: 0019BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00203700), ref: 0019BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0023121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0019BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00231270,000000FF,?,0000003F,00000000,?), ref: 0019BC36
_free.LIBCMT ref: 0019BD4B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 05b835ab7cc91082c93dd0fc6ab36aa90280fb879149dd7b91f0c55c7ea85ba5
Instruction ID: b96543e6808354c13e64ab6b01f22f94d9011f7d1a5fe328abdcbee7bb95410b
Opcode Fuzzy Hash: 05b835ab7cc91082c93dd0fc6ab36aa90280fb879149dd7b91f0c55c7ea85ba5
Instruction Fuzzy Hash: 86C13771908208AFCF24DF78AEC5BAE7BB9EF51310F14419AE895D7291E7309E41C790

Function 001CD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00163AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00163A97,?,?,00162E7F,?,?,?,00000000), ref: 00163AC2

Part of subcall function 001CE199: GetFileAttributesW.KERNEL32(?,001CCF95), ref: 001CE19A

FindFirstFileW.KERNEL32(?,?), ref: 001CD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001CD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001CD481
FindClose.KERNEL32(00000000), ref: 001CD498
FindClose.KERNEL32(00000000), ref: 001CD4A1

Strings

\*.*, xrefs: 001CD3F2

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 7f8d1705a961adfd17e5cbd7cc50a8b58885b7e2cdd9c2588f8b214ff013e48b
Instruction ID: 91fffcd95e3cace1a6503be449332e72555706d7fca122dfa873ef4cf62a6e0b
Opcode Fuzzy Hash: 7f8d1705a961adfd17e5cbd7cc50a8b58885b7e2cdd9c2588f8b214ff013e48b
Instruction Fuzzy Hash: 8E3150710083459BC304EF64ED519AF77A8BEB1314F444A2DF5D593191EB30EA19DBA3

Function 0019E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0019E645

Strings

1#INF, xrefs: 0019F852
1#SNAN, xrefs: 0019F844
1#IND, xrefs: 0019F83D
1#QNAN, xrefs: 0019F84B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: c31ae37cdf377fa9325fa14ecea429e4d039f9b781ccc20620baed62d0d326de
Instruction ID: 21cd0916e237c05e3834358e48a5922293f442188bbed2c7586195eb0ad193b3
Opcode Fuzzy Hash: c31ae37cdf377fa9325fa14ecea429e4d039f9b781ccc20620baed62d0d326de
Instruction Fuzzy Hash: 7CC23971E046289FDF29CE28DD447EAB7B5EB48305F1541EAD84DE7241E774AE828F40

Function 001D648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D64DC
CoInitialize.OLE32(00000000), ref: 001D6639
CoCreateInstance.OLE32(001FFCF8,00000000,00000001,001FFB68,?), ref: 001D6650
CoUninitialize.OLE32 ref: 001D68D4

Strings

.lnk, xrefs: 001D64BA, 001D6524, 001D65E0

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c4bdaa87491ca43b74a9a037404198dc38b9b335d68b7872c3eb66cac4e6cd22
Instruction ID: 06917b75347e905af5f4ec0e18aee818301ffe0db5ff06a7bbff680ef33b923a
Opcode Fuzzy Hash: c4bdaa87491ca43b74a9a037404198dc38b9b335d68b7872c3eb66cac4e6cd22
Instruction Fuzzy Hash: F1D13971508301AFC304EF24D881E6BB7E8FFA9704F00496DF5958B291EB71E945CBA2

Function 001E22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001E22E8

Part of subcall function 001DE4EC: GetWindowRect.USER32(?,?), ref: 001DE504

GetDesktopWindow.USER32 ref: 001E2312
GetWindowRect.USER32(00000000), ref: 001E2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001E2355
GetCursorPos.USER32(?), ref: 001E2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001E23DF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 952c9b73bae87819d99a363f2af74cbbab7dfa08e0177456b348c988e1afd111
Instruction ID: 98338a49d407cd1b6950a9173a1d1e7315535e89ca2792e1d6a31dbfafcc5213
Opcode Fuzzy Hash: 952c9b73bae87819d99a363f2af74cbbab7dfa08e0177456b348c988e1afd111
Instruction Fuzzy Hash: 3031DC72104749ABC720DF15C809BABBBAAFB88714F000A19F88597191DB34EA48CBD2

Function 001D9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001D9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001D9C8B

Part of subcall function 001D3874: GetInputState.USER32 ref: 001D38CB
Part of subcall function 001D3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001D3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001D9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001D9C75

Strings

*.*, xrefs: 001D9B5D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 9477cd3f39fbe9a5de77c828a8c9eebe69fd8ca0ec5c6c4d0681ab82e5b7389f
Instruction ID: c8d429383b496236ed1d79daf0de4343b701015732a3c76118a22486490dd5dd
Opcode Fuzzy Hash: 9477cd3f39fbe9a5de77c828a8c9eebe69fd8ca0ec5c6c4d0681ab82e5b7389f
Instruction Fuzzy Hash: 4841717190420AAFCF14DFA4CD85AEEBBB8FF15310F144156E415A72A1EB309E94DFA0

Function 00168060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0016843C
InitializeCriticalSectionEx, xrefs: 001A5D55
ERCP, xrefs: 0016813C
VUUU, xrefs: 001A5DF0
VUUU, xrefs: 001683E8
VUUU, xrefs: 001683FA

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID: ERCP$InitializeCriticalSectionEx$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1173862840
Opcode ID: 24e79c5a59462966d60a62570a199033a89de1cf84458ee8f33679292b2f562b
Instruction ID: fda166afad741099bf3b6a8c96e03253278d924cfce9240a7487f4a5d401dd58
Opcode Fuzzy Hash: 24e79c5a59462966d60a62570a199033a89de1cf84458ee8f33679292b2f562b
Instruction Fuzzy Hash: 5FA2B175E0421ACBDF24CF58C8507BEB7B2BF55310F2582AAE815A7285EB709D91CF90

Function 0017997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00179BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00179BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00179A4E
GetSysColor.USER32(0000000F), ref: 00179B23
SetBkColor.GDI32(?,00000000), ref: 00179B36

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: ed453a3c0c6a8eccd419bc41b085ef88848fa22864f4b9bd6756d53799f33771
Instruction ID: b3a64305142d45bb20518e5e932033745c601f77a9100f21ae635b1f05fb426a
Opcode Fuzzy Hash: ed453a3c0c6a8eccd419bc41b085ef88848fa22864f4b9bd6756d53799f33771
Instruction Fuzzy Hash: 3CA12970209404AFE72CAA3C8C9CEBB367DDB82340F268109F506C76D5CB259D49D372

Function 001E1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001E304E: inet_addr.WSOCK32(?), ref: 001E307A
Part of subcall function 001E304E: _wcslen.LIBCMT ref: 001E309B

socket.WSOCK32(00000002,00000002,00000011), ref: 001E185D
WSAGetLastError.WSOCK32 ref: 001E1884
bind.WSOCK32(00000000,?,00000010), ref: 001E18DB
WSAGetLastError.WSOCK32 ref: 001E18E6
closesocket.WSOCK32(00000000), ref: 001E1915

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 76cec3c018d79aa22ae4dcc0a31350f26769e0a6ed956d4c26abfe6b3824e95d
Instruction ID: f4bf8e162e8a3cdc986ce132448e8bc369ccab6597219b60105923a8f1bbe1ff
Opcode Fuzzy Hash: 76cec3c018d79aa22ae4dcc0a31350f26769e0a6ed956d4c26abfe6b3824e95d
Instruction Fuzzy Hash: 5B51A471A00610AFD710AF24C886F6A77E5AB54718F08809CF94A9F3D3C771AD41CBE1

Function 001F1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001F1CC0
IsWindowEnabled.USER32 ref: 001F1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 001F1CDB
IsIconic.USER32 ref: 001F1CE9
IsZoomed.USER32 ref: 001F1CF7

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b31292c569e9db174149d14eba475c040d9f60837f24e0badb9f5ba04b010f88
Instruction ID: adb278c584037f7e9dfc6e0c41b329b17930af548eb4ef93567a3f7f5eeb2a49
Opcode Fuzzy Hash: b31292c569e9db174149d14eba475c040d9f60837f24e0badb9f5ba04b010f88
Instruction Fuzzy Hash: E521A131740219EFD7208F2AC894B7A7BA5EF95324B598068E94ACB351CB71EC42CBD0

Function 001C8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001C82AA

Strings

|, xrefs: 001C82DA
tb", xrefs: 001C84F4
(, xrefs: 001C82F0

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb"$|
API String ID: 1659193697-4092385309
Opcode ID: 485cf65cbe39e0b4aa25beb98cc0199de9a8de197e850849c101ac18170adb6e
Instruction ID: 92bcf100e6be96b550981184d412ee49a3ff93a9ea771303c9d8f02bba28e8e0
Opcode Fuzzy Hash: 485cf65cbe39e0b4aa25beb98cc0199de9a8de197e850849c101ac18170adb6e
Instruction Fuzzy Hash: 3B322375A006059FCB28CF59C481E6AB7F0FF58710B15856EE49ADB7A1EB70E981CB40

Function 001EA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001EA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001EA6BA

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Process32NextW.KERNEL32(00000000,?), ref: 001EA79C
CloseHandle.KERNEL32(00000000), ref: 001EA7AB

Part of subcall function 0017CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,001A3303,?), ref: 0017CE8A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: f299ec0276d340ac3527c704bf4765461cde0cb151014c526c93fb1590bc7228
Instruction ID: db8f4ea76e520148267de77c82f96a69da0ca88c15dcffc8823fe237d6812e94
Opcode Fuzzy Hash: f299ec0276d340ac3527c704bf4765461cde0cb151014c526c93fb1590bc7228
Instruction Fuzzy Hash: B7514B71508340AFD310EF25D886A6BBBE8FF99754F40891DF58997291EB30E914CB92

Function 001CAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001CAAAC
SetKeyboardState.USER32(00000080), ref: 001CAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001CAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001CAB88

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d4e7af57198ed18413f53de5fc31777d05d0b3de13e510a3f6a388c3c9329693
Instruction ID: 5e9c2adc25ca2067eac78214388c3ba6589aa3f6e90d2b58c2d4aa739864b178
Opcode Fuzzy Hash: d4e7af57198ed18413f53de5fc31777d05d0b3de13e510a3f6a388c3c9329693
Instruction Fuzzy Hash: 7A312570A8020CAEEB368A64CC05FFA7BB6AF64724F84421EF585961D0D774DD81D7A2

Function 001DCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001DCE89
GetLastError.KERNEL32(?,00000000), ref: 001DCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001DCEFE

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 554974c42479eb744a63b74c561694a076fa6d646ef27635609bfadb9b92c636
Instruction ID: cc1f1332abe98ba18184a880df3ce45199f3bf367c966d1b1d35295a55603351
Opcode Fuzzy Hash: 554974c42479eb744a63b74c561694a076fa6d646ef27635609bfadb9b92c636
Instruction Fuzzy Hash: 0B218CB1500306ABDB209FA5D949BA67BFCEB50354F10481AE54692251E770EA44DFA0

Function 001D5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001D5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 001D5D17
FindClose.KERNEL32(?), ref: 001D5D5F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 63437060bd9d6c3147265b2dd30add4c02dd81abaa3284d6190be2f644cd2dff
Instruction ID: 6453accac288ff9894529088d7ab80b479163809df1005582ea59a36c746fc8d
Opcode Fuzzy Hash: 63437060bd9d6c3147265b2dd30add4c02dd81abaa3284d6190be2f644cd2dff
Instruction Fuzzy Hash: EA519A34604A019FC714DF68C894EA6B7E6FF49314F14855EE99A8B3A2CB30ED44CFA1

Function 00192622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0019271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00192724
UnhandledExceptionFilter.KERNEL32(?), ref: 00192731

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9a3d80f7823c2d7d6ceac470351a1f88aa391ce2131f4f859845d5af50d6cccf
Instruction ID: acb22c1d407fcfdbf140a2e2ca671a0fd8f2b2708b33be0eb70ad614fdbf917b
Opcode Fuzzy Hash: 9a3d80f7823c2d7d6ceac470351a1f88aa391ce2131f4f859845d5af50d6cccf
Instruction Fuzzy Hash: 3731D37490122CABCB25DF68DD8879CBBB8BF18710F5041EAE81CA7260E7309F858F44

Function 001D51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001D51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001D5238
SetErrorMode.KERNEL32(00000000), ref: 001D52A1

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: de3a05f73d52e79e9a3d549a17264f5cc4cf6b2118783aa109e1ee2435ae455d
Instruction ID: 89ea404802ac75acc4a9825ac3c5501f240c9b69fdd51a49dbf061e72afc7ef4
Opcode Fuzzy Hash: de3a05f73d52e79e9a3d549a17264f5cc4cf6b2118783aa109e1ee2435ae455d
Instruction Fuzzy Hash: FE314175A00518DFDB00DF94D884EADBBF5FF59314F058099E8459B392DB31E859CB90

Function 001C16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0017FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00180668
Part of subcall function 0017FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00180685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001C170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001C173A
GetLastError.KERNEL32 ref: 001C174A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: b90e8c3884328ef8e77a429f7ee43f4cbe666877e8b406e4d9195d0190ce7c82
Instruction ID: 13e23fff0b271d46e8434c0ca3763b5c4215a20b784a8d93d635c4660ba4854b
Opcode Fuzzy Hash: b90e8c3884328ef8e77a429f7ee43f4cbe666877e8b406e4d9195d0190ce7c82
Instruction Fuzzy Hash: F8118FB2404308BFD7289F54DC86E6BB7B9EB45754B20852EF05656641EB70FC82CA60

Function 001CD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001CD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001CD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001CD650

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4f669f2ee16f3db8fa4107879b8cbc5b5c2927dfe14750250766890d28701c96
Instruction ID: 741109e1d76db52db427a3bc076c739827cc9eef7859e77ed490a20fa6572c9e
Opcode Fuzzy Hash: 4f669f2ee16f3db8fa4107879b8cbc5b5c2927dfe14750250766890d28701c96
Instruction Fuzzy Hash: 24113C75E05228BBDB108F99AD45FAFBBBCEB45B50F108126F904E7290D6704A05DBA1

Function 001C1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001C168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001C16A1
FreeSid.ADVAPI32(?), ref: 001C16B1

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e56f811b586a348dcbb6ea69763d2cbb8f50b8287db10d4f3d488a3ec1c1b8f4
Instruction ID: c9ab651b41f6da7d740e799599a0855b7b907528b0e55bed89f17f02dc78f52e
Opcode Fuzzy Hash: e56f811b586a348dcbb6ea69763d2cbb8f50b8287db10d4f3d488a3ec1c1b8f4
Instruction Fuzzy Hash: F1F0F47595030DFBDB00DFE49D89EAEBBBCFB08604F504965E501E2181E774AA44AA94

Function 00184CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001928E9,?,00184CBE,001928E9,002288B8,0000000C,00184E15,001928E9,00000002,00000000,?,001928E9), ref: 00184D09
TerminateProcess.KERNEL32(00000000,?,00184CBE,001928E9,002288B8,0000000C,00184E15,001928E9,00000002,00000000,?,001928E9), ref: 00184D10
ExitProcess.KERNEL32 ref: 00184D22

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 7c98a22811d3de8f67c503635ab52f4a7a931e4b8d46566444b72e47d67ba745
Instruction ID: 712a43f436407d9d520b4d324a582c5b21528e8e75aa2263eb01ef5d2ca0050e
Opcode Fuzzy Hash: 7c98a22811d3de8f67c503635ab52f4a7a931e4b8d46566444b72e47d67ba745
Instruction Fuzzy Hash: 29E0B631004549ABCF12BF94DE09A687B69FB61781B104114FC158A522CB35EE92EF80

Function 0019C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0019C36C

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0a55198ec78581c8566152b4aece465f1c9be2e3f70c718e4e7b0d7510d57fa3
Instruction ID: 5543ba47048bbd539f195afc718d0c6622b53848afdd27fb2f497a7efdb92d36
Opcode Fuzzy Hash: 0a55198ec78581c8566152b4aece465f1c9be2e3f70c718e4e7b0d7510d57fa3
Instruction Fuzzy Hash: 02411576900219ABCF249FB9DC89EBB77B8EB84354F504269F945D7180E7709E818B90

Function 001BD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 001BD28C

Strings

X64, xrefs: 001BD2A8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 945cf709ecc5c3a132ad9cbc0c65f3ea6be775db39b5a83cef979dae68e7a9c4
Instruction ID: b52961d968a66a7a0f9f50fcacef7061c44a6559166c126a4c91e6abcad646e0
Opcode Fuzzy Hash: 945cf709ecc5c3a132ad9cbc0c65f3ea6be775db39b5a83cef979dae68e7a9c4
Instruction Fuzzy Hash: 47D0C9B880111DEACB98CB90EC88DDAB37CBF04305F114195F106A2000DB3095499F10

Function 0018CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 0bf860063aa6516a4546995a32bcddef76711f729b397f1dfed90cf46044eb44
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: DE021B71E002199BDF14DFA9C8806ADBBF1FF58314F25826AE919E7384D731AA418FD4

Function 0016CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p##, xrefs: 0016CF7F
Variable is not of type 'Object'., xrefs: 001B0C40

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p##
API String ID: 0-4088710751
Opcode ID: 3b035190461cc5c7dd120fb4fa56ae88b4c9280e62794a2239390d0ca52914b1
Instruction ID: 2230d46355b4de744b8a2a2d7a32fcdfebe34ef30d3fff0f4f4b042c0fe206f3
Opcode Fuzzy Hash: 3b035190461cc5c7dd120fb4fa56ae88b4c9280e62794a2239390d0ca52914b1
Instruction Fuzzy Hash: A7329C30900218DFCF14DF94CD85AFEB7B5BF19304F1480A9E846AB292DB75AE55CBA0

Function 001D68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001D6918
FindClose.KERNEL32(00000000), ref: 001D6961

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 26ceeefa8ef6e1c3fc37e349f740b9fab22c2c05b220224fbf8176971b8829b3
Instruction ID: 521a52b8ae9f1e1236ac63568c20084a4eb7b49908465fd0bddf6aa218cbc256
Opcode Fuzzy Hash: 26ceeefa8ef6e1c3fc37e349f740b9fab22c2c05b220224fbf8176971b8829b3
Instruction Fuzzy Hash: 6A1190316042009FC714DF69D884A26BBE5FF89328F14C69AE8698F7A2C730EC45CBD1

Function 001D37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001E4891,?,?,00000035,?), ref: 001D37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001E4891,?,?,00000035,?), ref: 001D37F4

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 57083e79b4847cff8a2aa91193dbf4a78fce250d45643e76c06aee47920c0c87
Instruction ID: 24637da9d03be4644d3a16cbf0d93b5047d5762dade5c59c8a44899f2662da6e
Opcode Fuzzy Hash: 57083e79b4847cff8a2aa91193dbf4a78fce250d45643e76c06aee47920c0c87
Instruction Fuzzy Hash: 6EF0E5B46052292BE72057768C4DFEB3AAEEFC5761F000166F509E2281DB609944C6F1

Function 001CB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001CB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 001CB270

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: ecc666aa268d01abf1b7580c5915f6ed03b94952f9afe83c22ad387e692899b3
Instruction ID: fec44406811c48ed68b2a2bd72d4dcd53382d2ad04d12709218aaecfe530edc5
Opcode Fuzzy Hash: ecc666aa268d01abf1b7580c5915f6ed03b94952f9afe83c22ad387e692899b3
Instruction Fuzzy Hash: 40F01D7190428EABDB059FA0C806BBE7BB4FF14305F008409F955A51A1C379D655DF94

Function 001C10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001C11FC), ref: 001C10D4
CloseHandle.KERNEL32(?,?,001C11FC), ref: 001C10E9

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: db9205c62bea406131b11d20f7f9c7b4756f6469602af035306514ac1cf657d4
Instruction ID: 155b50855fd713e278692605fb7d44ff1179c355a3a77f375777379d87cd7ed7
Opcode Fuzzy Hash: db9205c62bea406131b11d20f7f9c7b4756f6469602af035306514ac1cf657d4
Instruction Fuzzy Hash: F2E0BF72018610AEE7252B51FD05F7777A9EF04310B15C82DF5A5804B1DB62ACE1EB54

Function 0016BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p##, xrefs: 001B07CE

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p##
API String ID: 3964851224-3078534993
Opcode ID: 67d31ac0ce908adc1e8e7ccdb7bd302f571bcb1883da8d67d776234d913e77e0
Instruction ID: 0f12c7f56cc45b5340285cfbf928c33d918107905c1be6fdbb97af02e644e899
Opcode Fuzzy Hash: 67d31ac0ce908adc1e8e7ccdb7bd302f571bcb1883da8d67d776234d913e77e0
Instruction Fuzzy Hash: EBA257706083418FC725DF28C880B6BBBE1BF99304F15896DE89A8B352D771EC55CB92

Function 0019676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00196766,?,?,00000008,?,?,0019FEFE,00000000), ref: 00196998

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cb364c77028aecf279c8e6ab0b345de57853e7535d81aec4ad033ca57edb6de0
Instruction ID: 07aa2663226740b6819dec966a13e88a107bf36c035ee6a003e45684e42c5d2d
Opcode Fuzzy Hash: cb364c77028aecf279c8e6ab0b345de57853e7535d81aec4ad033ca57edb6de0
Instruction Fuzzy Hash: A6B13B31610609DFDB19CF28C48AB657BE0FF45368F258658E8E9CF2A2C735E991CB50

Function 0017B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 001B851F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2e5c8a42f8f999780426ad6a9c4b91d22548216c1047174a3ea637abdb736d97
Instruction ID: ca52e47253dd995da82b703427ba98ebe75ba53b72cbdacda5a50aba70f4dac1
Opcode Fuzzy Hash: 2e5c8a42f8f999780426ad6a9c4b91d22548216c1047174a3ea637abdb736d97
Instruction Fuzzy Hash: 87124E759042299BCB24CF58C880BEEB7F5FF58710F15819AE84AEB255DB349E81CF90

Function 001DEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001DEABD

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c8658e4319514e8888ba80506f8e6af84680124d698ff1ae2ce9337b503c561c
Instruction ID: 1ccd6c050188c93b9ee61b7f4deb7def035a295e356b51491503c4ea8936bfbd
Opcode Fuzzy Hash: c8658e4319514e8888ba80506f8e6af84680124d698ff1ae2ce9337b503c561c
Instruction Fuzzy Hash: 76E04F312042159FC710EF59D844E9AF7E9AFA8770F008417FC4ACB361DBB0E8808B90

Function 001809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001803EE), ref: 001809DA

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 479cfd4950b3ebc150000d5e07752b105521148860d026dba9e91de59ea51803
Instruction ID: a5cfb28361da62f216787cb247634b5437e635429bf3c6dbcbfb99784de2dd47
Opcode Fuzzy Hash: 479cfd4950b3ebc150000d5e07752b105521148860d026dba9e91de59ea51803
Instruction Fuzzy Hash:

Function 0018781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0018798B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: fa1ff60b48d42bc70b006f46015710213940d0ff5a3ac0605622ca7477f25139
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 58519871A0C7055BDB3CB928889E7BE67899B23398F380509E886C72C2DB11DF01DF52

Function 001D2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&#, xrefs: 001D2053

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID: 0&#
API String ID: 0-3130248916
Opcode ID: 0ee333f4d26bb04518d1f0bcfb16dcea122f395e9048a5db0cb0b104b9951c19
Instruction ID: 787fd9f7dd648a40fc05eb026add094f26e26a043df4278cf01368ae8158df13
Opcode Fuzzy Hash: 0ee333f4d26bb04518d1f0bcfb16dcea122f395e9048a5db0cb0b104b9951c19
Instruction Fuzzy Hash: 7F21A8326206118BD728CE79C92367A73E5A764310F15862EE4B7C37D0DE35A904CB50

Function 00196DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a349f2f77b632c1922a42402f33c9fbe0f52168fd4acdb10998e0fbd600eca
Instruction ID: 1d232eb497c50295b0375d587ac9b4ffc039c86b17f00b9f1d338e33d1bde139
Opcode Fuzzy Hash: 25a349f2f77b632c1922a42402f33c9fbe0f52168fd4acdb10998e0fbd600eca
Instruction Fuzzy Hash: DE323522D79F018DDB279634DC2A336A249AFB73C5F15D737F81AB59A6EB29C4834100

Function 0017CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9946f5f778d1cf8c0e5ddf8e8ce756503e355a9ca88201b0188ed5dc08e6cf52
Instruction ID: 780fc10318de29d0085a9c14e3bad2d8e405dfc23809801bbc618bfc82ed2c42
Opcode Fuzzy Hash: 9946f5f778d1cf8c0e5ddf8e8ce756503e355a9ca88201b0188ed5dc08e6cf52
Instruction Fuzzy Hash: 9D320431A001158BDF39CF69C4A4AFD7BB1EB45314F29856AE49ACB291E734DD81DBC0

Function 00167920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22a416c3a743e49b70645e38f4e7efbde2e8ec3166d635d24932cb92b85d3cc
Instruction ID: c842c20a23fb9c9e657f3f898bd384f9987cd330b40e192959ad40363214ba2f
Opcode Fuzzy Hash: d22a416c3a743e49b70645e38f4e7efbde2e8ec3166d635d24932cb92b85d3cc
Instruction Fuzzy Hash: EA22E470A04609DFDF14CFA4D881AAEB3F6FF59304F244529E816E7291EB369D25CB50

Function 001691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2213f8314f046ec2d01989b120d7ea1277bf6c20476852b42c673fb615cc5b
Instruction ID: c53ed2a86562fbd4c5ad2b36f9bf693702ca29821d29e4393921426896538298
Opcode Fuzzy Hash: 8f2213f8314f046ec2d01989b120d7ea1277bf6c20476852b42c673fb615cc5b
Instruction Fuzzy Hash: C102C7B0A00109EFDB14DF64D881AAEB7F5FF55300F118169E81ADB291EB31DE21CB91

Function 00199EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f088849d1f045beed2c3c0425f9b1b8386fcc18685c2718cdae2f9eabd76e43
Instruction ID: 0fa7dbf4729bac90c3ef7102d6e5848870af0fc5ea71ec4d3de7ded24e97e533
Opcode Fuzzy Hash: 2f088849d1f045beed2c3c0425f9b1b8386fcc18685c2718cdae2f9eabd76e43
Instruction Fuzzy Hash: E0B10220E2AF404DC72397399875336B65CAFBB6D5F91D31BFC2674D62EB2286834180

Function 00181C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a25c84c7803074a05a1e95f42ea9158f93a57ae7b32fbb8b56ebc322764359fd
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 0E9164735080A35ADB2E567A853817EFFE55B923A131A079DE4F2CA1C1FF208B55DB20

Function 00181F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7f75cc36fafb919bc9aeef8662269c7be0f30b47c2bd2f6020d5758a71859871
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 1D9142736090A34ADB6E5239847843EFFE15B923A131A079DE4F2CA1C5EF248759DF20

Function 001819B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 68232460d9d5401428dd8cbbadf864ec91923dd62a575ca915a388ff83862fa8
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D4916F732090E25ADB2D527A857403DFFE95B923A231A079ED4F2CB1C1FF2487569B20

Function 00187A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc456430f570931e1a433708061215a0e04674b705e19ce04c98906673a08318
Instruction ID: 5aa3389dd376dbe37a3ed7f0f5bb181a5ee199c744d942e2dc42b7896623563c
Opcode Fuzzy Hash: bc456430f570931e1a433708061215a0e04674b705e19ce04c98906673a08318
Instruction Fuzzy Hash: F561497160870996DA3CBA288D95BBE7396DF61700F780919E842DB2C1DB11DF42CF65

Function 00187CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d3322f9151c3c5c911143514abb9138bf0b8ccc60074384efd40980764d531
Instruction ID: 5e00564746d4069e170d53e501024d6778eee8c016be8a26d031c07360099f0b
Opcode Fuzzy Hash: e3d3322f9151c3c5c911143514abb9138bf0b8ccc60074384efd40980764d531
Instruction Fuzzy Hash: D761893160C70996DA39BAA85891BBF7384AF52744F300A59E843DB2C1EB12EF428F51

Function 00181706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 7066fc332a8e29d34914cf6a1f8b5f60ab8caa11b7e91f0609b7f07da3ce2093
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E08182336080A31ADB2D523A857547EFFE55B923A531A079EE4F2CA1C1EF248755EB20

Function 001E2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001E2B30
DeleteObject.GDI32(00000000), ref: 001E2B43
DestroyWindow.USER32 ref: 001E2B52
GetDesktopWindow.USER32 ref: 001E2B6D
GetWindowRect.USER32(00000000), ref: 001E2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001E2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001E2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E2CF8
GetClientRect.USER32(00000000,?), ref: 001E2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001E2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E2DA8
GlobalFree.KERNEL32(00000000), ref: 001E2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001FFC38,00000000), ref: 001E2DDB
GlobalFree.KERNEL32(00000000), ref: 001E2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001E2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001E2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001E303F

Strings

AutoIt v3, xrefs: 001E2CF2
static, xrefs: 001E2D3A, 001E2E91
, xrefs: 001E2FC5
DISPLAY, xrefs: 001E2EA2

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: e015a08913550b6051e579eee0ad9359e38bf865697754b4a4c68155d5b7f080
Instruction ID: b47c55644b1cd3530b96ed8c9da039932b321a90f5c42b8b757ef5ffe0bcb67d
Opcode Fuzzy Hash: e015a08913550b6051e579eee0ad9359e38bf865697754b4a4c68155d5b7f080
Instruction Fuzzy Hash: D3027A71900219EFDB14DFA4DD89EAE7BB9FF48710F008158F915AB2A1DB70AD41CBA0

Function 001F70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001F712F
GetSysColorBrush.USER32(0000000F), ref: 001F7160
GetSysColor.USER32(0000000F), ref: 001F716C
SetBkColor.GDI32(?,000000FF), ref: 001F7186
SelectObject.GDI32(?,?), ref: 001F7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001F71C0
GetSysColor.USER32(00000010), ref: 001F71C8
CreateSolidBrush.GDI32(00000000), ref: 001F71CF
FrameRect.USER32(?,?,00000000), ref: 001F71DE
DeleteObject.GDI32(00000000), ref: 001F71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001F7230
FillRect.USER32(?,?,?), ref: 001F7262
GetWindowLongW.USER32(?,000000F0), ref: 001F7284

Part of subcall function 001F73E8: GetSysColor.USER32(00000012), ref: 001F7421
Part of subcall function 001F73E8: SetTextColor.GDI32(?,?), ref: 001F7425
Part of subcall function 001F73E8: GetSysColorBrush.USER32(0000000F), ref: 001F743B
Part of subcall function 001F73E8: GetSysColor.USER32(0000000F), ref: 001F7446
Part of subcall function 001F73E8: GetSysColor.USER32(00000011), ref: 001F7463
Part of subcall function 001F73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001F7471
Part of subcall function 001F73E8: SelectObject.GDI32(?,00000000), ref: 001F7482
Part of subcall function 001F73E8: SetBkColor.GDI32(?,00000000), ref: 001F748B
Part of subcall function 001F73E8: SelectObject.GDI32(?,?), ref: 001F7498
Part of subcall function 001F73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001F74B7
Part of subcall function 001F73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001F74CE
Part of subcall function 001F73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001F74DB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 3150647ccdd93e58b25b0f52137ff006bae82825e066a589a9c671de71c1eddb
Instruction ID: eb0f379c7032ea3f793227d2472d9611ab6a83c2760bf0f8fb6725892ea953d5
Opcode Fuzzy Hash: 3150647ccdd93e58b25b0f52137ff006bae82825e066a589a9c671de71c1eddb
Instruction Fuzzy Hash: E0A1907210C309EFD7009F64DD48EBB7BA9FB89320F100A19FA62961E1D771E985DB91

Function 00178D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00178E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 001B6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 001B6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001B6F43

Part of subcall function 00178F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00178BE8,?,00000000,?,?,?,?,00178BBA,00000000,?), ref: 00178FC5

SendMessageW.USER32(?,00001053), ref: 001B6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 001B6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 001B6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 001B6FB7

Strings

0, xrefs: 001B6DCF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 6790e9fed5e65b338e9dd583f00f33280819b000f106c93db3258968aaa9aafd
Instruction ID: 00b773b9d792bbbceeb8885a9e508ee304412f6ec7c03e797625840843e8bdd7
Opcode Fuzzy Hash: 6790e9fed5e65b338e9dd583f00f33280819b000f106c93db3258968aaa9aafd
Instruction Fuzzy Hash: 8F128B30604201DFDB25DF24D998BFABBB5FB64310F148469F489CB661CB35E8A2DB91

Function 001E2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001E273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001E286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001E28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001E28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001E2900
GetClientRect.USER32(00000000,?), ref: 001E290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001E2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001E2964
GetStockObject.GDI32(00000011), ref: 001E2974
SelectObject.GDI32(00000000,00000000), ref: 001E2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001E2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001E2991
DeleteDC.GDI32(00000000), ref: 001E299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001E29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001E29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001E2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001E2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001E2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001E2A77
GetStockObject.GDI32(00000011), ref: 001E2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001E2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001E2A97

Strings

AutoIt v3, xrefs: 001E28F8
static, xrefs: 001E294F, 001E2A71
msctls_progress32, xrefs: 001E2A13
DISPLAY, xrefs: 001E295A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 77bb91fdfbf6d276a9ecf90895fe0b15b189def95377900d30b9ddde7f6dc6ad
Instruction ID: cba4f9262fd23b21b5c860a4d9d3fd8d4eed2a84e69dc47e477ac50313e0b592
Opcode Fuzzy Hash: 77bb91fdfbf6d276a9ecf90895fe0b15b189def95377900d30b9ddde7f6dc6ad
Instruction Fuzzy Hash: 75B16C71A00619AFEB14DFA9DD89FAE7BA9EF08710F004155F915E72A0D770ED50CBA0

Function 001D4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001D4AED
GetDriveTypeW.KERNEL32(?,001FCB68,?,\\.\,001FCC08), ref: 001D4BCA
SetErrorMode.KERNEL32(00000000,001FCB68,?,\\.\,001FCC08), ref: 001D4D36

Strings

RAMDisk, xrefs: 001D4BF4
Unknown, xrefs: 001D4BED, 001D4C83
SAS, xrefs: 001D4CC9
ATA, xrefs: 001D4C98
1394, xrefs: 001D4C9F
PhysicalDrive, xrefs: 001D4B76
SSA, xrefs: 001D4CA6
Fixed, xrefs: 001D4C09
SCSI, xrefs: 001D4C8A
iSCSI, xrefs: 001D4CC2
FileBackedVirtual, xrefs: 001D4CEC
Removable, xrefs: 001D4C10, 001D4C15
RAID, xrefs: 001D4CBB
Fibre, xrefs: 001D4CAD
ATAPI, xrefs: 001D4C91
Virtual, xrefs: 001D4CE5
Network, xrefs: 001D4C02
SATA, xrefs: 001D4CD0
SSD, xrefs: 001D4C4A
USB, xrefs: 001D4CB4
\\.\, xrefs: 001D4B3F
CDROM, xrefs: 001D4BFB
MMC, xrefs: 001D4CDE

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8ce0b75b295e320d5f6282b1b046305ee8262a06c2f74a7ed158e410943ff02c
Instruction ID: 9644a1cbc3e044400a25019d54b2df8acc5d273728d6e92e53b9cc74fb9d1170
Opcode Fuzzy Hash: 8ce0b75b295e320d5f6282b1b046305ee8262a06c2f74a7ed158e410943ff02c
Instruction Fuzzy Hash: B761E332626109EBCB08DFA4DA85D7C77B1AB15304B248417F806AB791DB32ED61DB81

Function 001F73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001F7421
SetTextColor.GDI32(?,?), ref: 001F7425
GetSysColorBrush.USER32(0000000F), ref: 001F743B
GetSysColor.USER32(0000000F), ref: 001F7446
CreateSolidBrush.GDI32(?), ref: 001F744B
GetSysColor.USER32(00000011), ref: 001F7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001F7471
SelectObject.GDI32(?,00000000), ref: 001F7482
SetBkColor.GDI32(?,00000000), ref: 001F748B
SelectObject.GDI32(?,?), ref: 001F7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001F74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001F74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001F74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001F752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001F7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001F7572
DrawFocusRect.USER32(?,?), ref: 001F757D
GetSysColor.USER32(00000011), ref: 001F758E
SetTextColor.GDI32(?,00000000), ref: 001F7596
DrawTextW.USER32(?,001F70F5,000000FF,?,00000000), ref: 001F75A8
SelectObject.GDI32(?,?), ref: 001F75BF
DeleteObject.GDI32(?), ref: 001F75CA
SelectObject.GDI32(?,?), ref: 001F75D0
DeleteObject.GDI32(?), ref: 001F75D5
SetTextColor.GDI32(?,?), ref: 001F75DB
SetBkColor.GDI32(?,?), ref: 001F75E5

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2f283b9179c2a32f048ef142ed07f60526ea1cf0a8a033bc9e70dcc549a99047
Instruction ID: 396f9d17f7ff8263e3529b35637994dcf4a01a59ea44449a1b0c0cc0130a93bc
Opcode Fuzzy Hash: 2f283b9179c2a32f048ef142ed07f60526ea1cf0a8a033bc9e70dcc549a99047
Instruction Fuzzy Hash: 9D614A7290421CAFDF019FA4DD49EEEBFB9EB08320F114115FA15AB2E1D7749980DB90

Function 001F0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001F1128
GetDesktopWindow.USER32 ref: 001F113D
GetWindowRect.USER32(00000000), ref: 001F1144
GetWindowLongW.USER32(?,000000F0), ref: 001F1199
DestroyWindow.USER32(?), ref: 001F11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001F11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001F120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001F121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001F1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001F1245
IsWindowVisible.USER32(00000000), ref: 001F12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001F12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001F12D0
GetWindowRect.USER32(00000000,?), ref: 001F12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001F130E
GetMonitorInfoW.USER32(00000000,?), ref: 001F1328
CopyRect.USER32(?,?), ref: 001F133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001F13AA

Strings

tooltips_class32, xrefs: 001F11E6
(, xrefs: 001F131B
0, xrefs: 001F10D3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d79882ab537f4fce02b5dd5d9072af146fccbc28de34c70a2f532754fda01ef2
Instruction ID: 8803fc6d511d4be519812d8a11a4ff7dbd264e4e14714cab4784c0a220fcb910
Opcode Fuzzy Hash: d79882ab537f4fce02b5dd5d9072af146fccbc28de34c70a2f532754fda01ef2
Instruction Fuzzy Hash: 57B19C71608345EFD704DF64C984BAABBE4FF84350F00891CFA9A9B2A1DB71E844CB91

Function 001F0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001F02E5
_wcslen.LIBCMT ref: 001F031F
_wcslen.LIBCMT ref: 001F0389
_wcslen.LIBCMT ref: 001F03F1
_wcslen.LIBCMT ref: 001F0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001F04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001F0504

Part of subcall function 0017F9F2: _wcslen.LIBCMT ref: 0017F9FD

Part of subcall function 001C223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001C2258
Part of subcall function 001C223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001C228A

Strings

GETITEMCOUNT, xrefs: 001F0316, 001F0337
DESELECT, xrefs: 001F059C
GETTEXT, xrefs: 001F03EC, 001F0407
ISSELECTED, xrefs: 001F04DD
FINDITEM, xrefs: 001F0627
GETSELECTED, xrefs: 001F05E1
SELECTCLEAR, xrefs: 001F052D
GETSELECTEDCOUNT, xrefs: 001F0470, 001F048B
SELECTINVERT, xrefs: 001F057E
SELECT, xrefs: 001F0548
GETSUBITEMCOUNT, xrefs: 001F0384, 001F039F
VIEWCHANGE, xrefs: 001F0675
SELECTALL, xrefs: 001F0515

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 96c2c2c70eb057eb5df0e35de37205bf05a4f6580f537e0c6a83b3e854c0479f
Instruction ID: 6cbc4dba0ed4b6fa4b83187acd1c878262f171ab14c3de6dd57f5f8b41ce6541
Opcode Fuzzy Hash: 96c2c2c70eb057eb5df0e35de37205bf05a4f6580f537e0c6a83b3e854c0479f
Instruction Fuzzy Hash: EFE1D0312182159FC715DF24C99087AB3E6BFAC318F14896DF9969B3A2DB30ED45CB81

Function 00178891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00178968
GetSystemMetrics.USER32(00000007), ref: 00178970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0017899B
GetSystemMetrics.USER32(00000008), ref: 001789A3
GetSystemMetrics.USER32(00000004), ref: 001789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00178A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00178A3C
GetClientRect.USER32(00000000,000000FF), ref: 00178A5A
GetStockObject.GDI32(00000011), ref: 00178A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00178A81

Part of subcall function 0017912D: GetCursorPos.USER32(?), ref: 00179141
Part of subcall function 0017912D: ScreenToClient.USER32(00000000,?), ref: 0017915E
Part of subcall function 0017912D: GetAsyncKeyState.USER32(00000001), ref: 00179183
Part of subcall function 0017912D: GetAsyncKeyState.USER32(00000002), ref: 0017919D

SetTimer.USER32(00000000,00000000,00000028,001790FC), ref: 00178AA8

Strings

AutoIt v3 GUI, xrefs: 00178A20

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: fcbf7c06f46abff99b3a37d902aa43bc3f63dbdc2f146f3c5b0bafa21403c297
Instruction ID: 63b6e48b07c55f8b5a8c09aaae5e4828fca5cf9a69c7867bcf67190dabd9e959
Opcode Fuzzy Hash: fcbf7c06f46abff99b3a37d902aa43bc3f63dbdc2f146f3c5b0bafa21403c297
Instruction Fuzzy Hash: 3EB17B71A00209AFDB14DFA8DD49BEE7BB5FB48314F118229FA19A7290DB34E851CF51

Function 001C0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001C1114
Part of subcall function 001C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001C0B9B,?,?,?), ref: 001C1120
Part of subcall function 001C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001C0B9B,?,?,?), ref: 001C112F
Part of subcall function 001C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001C0B9B,?,?,?), ref: 001C1136
Part of subcall function 001C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001C0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001C0E29
GetLengthSid.ADVAPI32(?), ref: 001C0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001C0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001C0E96
GetLengthSid.ADVAPI32(?), ref: 001C0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001C0EB5
HeapAlloc.KERNEL32(00000000), ref: 001C0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001C0EDD
CopySid.ADVAPI32(00000000), ref: 001C0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001C0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001C0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001C0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001C0F6E
HeapFree.KERNEL32(00000000), ref: 001C0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001C0F7E
HeapFree.KERNEL32(00000000), ref: 001C0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001C0F8E
HeapFree.KERNEL32(00000000), ref: 001C0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001C0FA1
HeapFree.KERNEL32(00000000), ref: 001C0FA8

Part of subcall function 001C1193: GetProcessHeap.KERNEL32(00000008,001C0BB1,?,00000000,?,001C0BB1,?), ref: 001C11A1
Part of subcall function 001C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001C0BB1,?), ref: 001C11A8
Part of subcall function 001C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001C0BB1,?), ref: 001C11B7

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1a8a8ac0ecd0144d94f2fac626e8b15361a7b2d232ae1ef35cad8eb46bc7722c
Instruction ID: 89dffddf9cf58850bf2be6c195b6398ea94efa4e31c460e6e192e6a7788cc45f
Opcode Fuzzy Hash: 1a8a8ac0ecd0144d94f2fac626e8b15361a7b2d232ae1ef35cad8eb46bc7722c
Instruction Fuzzy Hash: C2716C7290020AEBDF219FA4DD45FAEBBB8BF19300F044119F919E6191DB31DA95CBA0

Function 001EC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001EC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001FCC08,00000000,?,00000000,?,?), ref: 001EC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001EC5A4
_wcslen.LIBCMT ref: 001EC5F4
_wcslen.LIBCMT ref: 001EC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001EC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001EC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001EC84D
RegCloseKey.ADVAPI32(?), ref: 001EC881
RegCloseKey.ADVAPI32(00000000), ref: 001EC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001EC960

Strings

REG_MULTI_SZ, xrefs: 001EC6F5
REG_BINARY, xrefs: 001EC913
REG_SZ, xrefs: 001EC644
REG_DWORD, xrefs: 001EC804
REG_QWORD, xrefs: 001EC8C3
REG_EXPAND_SZ, xrefs: 001EC5CD

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e2c48703d59d929850345d60bdc4bd9ffd3ceb04ce02c99e01c6c264d333bdc0
Instruction ID: 964f2d109c6c9a84d5fc9ee354b9e9f6e7a81cb22351038a1401c922cffdc257
Opcode Fuzzy Hash: e2c48703d59d929850345d60bdc4bd9ffd3ceb04ce02c99e01c6c264d333bdc0
Instruction Fuzzy Hash: 7A1277356086019FC714DF25C881E2AB7E5FF88714F04889DF88A9B3A2DB31ED52CB81

Function 001F091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001F09C6
_wcslen.LIBCMT ref: 001F0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001F0A54
_wcslen.LIBCMT ref: 001F0A8A
_wcslen.LIBCMT ref: 001F0B06
_wcslen.LIBCMT ref: 001F0B81

Part of subcall function 0017F9F2: _wcslen.LIBCMT ref: 0017F9FD

Part of subcall function 001C2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001C2BFA

Strings

EXPAND, xrefs: 001F0BF8
GETITEMCOUNT, xrefs: 001F0C1E
ISCHECKED, xrefs: 001F0CE1
COLLAPSE, xrefs: 001F0B01, 001F0B1C
GETTEXT, xrefs: 001F0C97
UNCHECK, xrefs: 001F0D3E
GETTOTALCOUNT, xrefs: 001F09F2, 001F0A17
SELECT, xrefs: 001F0D11
GETSELECTED, xrefs: 001F0C4E
CHECK, xrefs: 001F0A85, 001F0AA0
EXISTS, xrefs: 001F0B7C, 001F0B97

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 650f06b125fd83dc0b3ba1548a29902e8c9fefb9708d76270f8874a538c08658
Instruction ID: 4aec3d2ae4e342664fab693128da1232546bd0b9b7eb6fabb6710122799fdb94
Opcode Fuzzy Hash: 650f06b125fd83dc0b3ba1548a29902e8c9fefb9708d76270f8874a538c08658
Instruction Fuzzy Hash: 22E1DC352083059FC715DF64C45093AB7E2BFA8318F11899DF99A9B3A2DB30ED56CB81

Function 001EC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001EB6AE,?,?), ref: 001EC9B5
_wcslen.LIBCMT ref: 001EC9F1
_wcslen.LIBCMT ref: 001ECA68
_wcslen.LIBCMT ref: 001ECA9E
_wcslen.LIBCMT ref: 001ECAF9
_wcslen.LIBCMT ref: 001ECB2F
_wcslen.LIBCMT ref: 001ECB7F

Strings

HKLM, xrefs: 001ECA98, 001ECA9D
HKEY_USERS, xrefs: 001ECBDF
HKU, xrefs: 001ECBF0
HKEY_CURRENT_CONFIG, xrefs: 001ECB79, 001ECB7E
HKEY_CLASSES_ROOT, xrefs: 001ECAF3, 001ECAF8
HKEY_CURRENT_USER, xrefs: 001ECBBD
HKEY_LOCAL_MACHINE, xrefs: 001ECA62, 001ECA67
HKCC, xrefs: 001ECBAC
HKCR, xrefs: 001ECB29, 001ECB2E
HKCU, xrefs: 001ECBCE

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 0a128b1042cedda4cc408e5d0b6ba649ca3643bfed55d4ceb3cb702739a872f5
Instruction ID: 6300717ed4b427b54778cab3e2ab3eb0a2e2068b855d9b851bcd2de648c0d3b6
Opcode Fuzzy Hash: 0a128b1042cedda4cc408e5d0b6ba649ca3643bfed55d4ceb3cb702739a872f5
Instruction Fuzzy Hash: 667107326149AA8BCB20DE7EDD415BF33A5AFB0794B250128F86697284FB31CD52C7D0

Function 001F833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001F835A
_wcslen.LIBCMT ref: 001F836E
_wcslen.LIBCMT ref: 001F8391
_wcslen.LIBCMT ref: 001F83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001F83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001F5BF2), ref: 001F844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001F8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001F84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001F8501
FreeLibrary.KERNEL32(?), ref: 001F850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001F851D
DestroyIcon.USER32(?,?,?,?,?,001F5BF2), ref: 001F852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001F8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001F8555

Strings

.dll, xrefs: 001F83AB
.icl, xrefs: 001F8368
.exe, xrefs: 001F8388

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b4a63538ac406450c94aeee304e5bdd010b9feed6829979236e049d7315d5fba
Instruction ID: d5e1859f094d35865c82f7a47c56355d2575dece225e053f564c35796fce9981
Opcode Fuzzy Hash: b4a63538ac406450c94aeee304e5bdd010b9feed6829979236e049d7315d5fba
Instruction Fuzzy Hash: D861F171A0021ABBEB14DF64CC41BBE77A8BF08711F10460AF915D61E1DF74AA90DBA0

Function 00167778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0016785F, 001678B1
Cannot parse #include, xrefs: 001A5279
", xrefs: 001A5153
#requireadmin, xrefs: 001677FF
#notrayicon, xrefs: 001677E7
#cs, xrefs: 00167873, 001678C5
Unterminated group of comments, xrefs: 001A528C
#OnAutoItStartRegister, xrefs: 00167817
', xrefs: 001A5169
#pragma compile, xrefs: 001677D3
#include, xrefs: 00167847
Bad directive syntax error, xrefs: 001A519A
#comments-end, xrefs: 001678D9
#include-once, xrefs: 0016782F
#ce, xrefs: 001678ED

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 64e7092e776c5f93de2ac58b7bec717ae2fa0ef35a3ef59a8c7215c878ba3fd5
Instruction ID: 6c8603c3cdad03f58670533c0eed6ff474a9833d3cd38b78d5d385218ec53c3f
Opcode Fuzzy Hash: 64e7092e776c5f93de2ac58b7bec717ae2fa0ef35a3ef59a8c7215c878ba3fd5
Instruction Fuzzy Hash: 3C81E771644205BBDB24BF60DC46FBE37A9AF25304F154025FD05AB1D6EB70DA22CB91

Function 001D3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001D3EF8
_wcslen.LIBCMT ref: 001D3F03
_wcslen.LIBCMT ref: 001D3F5A
_wcslen.LIBCMT ref: 001D3F98
GetDriveTypeW.KERNEL32(?), ref: 001D3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001D401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001D4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001D4087

Strings

closed, xrefs: 001D3F08, 001D3F2D, 001D3F46, 001D3F7E, 001D3F97
type cdaudio alias cd wait, xrefs: 001D4001
close, xrefs: 001D3EFE, 001D3F18
wait, xrefs: 001D4044
open , xrefs: 001D3FE5
open, xrefs: 001D3F54, 001D3F59
close cd wait, xrefs: 001D4072
set cd door , xrefs: 001D4028

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 0c9f2c8efdafee9ed0a0773d1520c4201a3ebf020bb882d6ec0cc4cc77e28e38
Instruction ID: 884c9d6b03a75c2ba5c77e2a6c911c52764127d007b3d1a43d6a1471c2c99230
Opcode Fuzzy Hash: 0c9f2c8efdafee9ed0a0773d1520c4201a3ebf020bb882d6ec0cc4cc77e28e38
Instruction Fuzzy Hash: 7371C1326042169FC710EF24C88186EB7F4EFA4758F10492EF8A697351EB31EE55CB92

Function 001C5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001C5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001C5A40
SetWindowTextW.USER32(?,?), ref: 001C5A57
GetDlgItem.USER32(?,000003EA), ref: 001C5A6C
SetWindowTextW.USER32(00000000,?), ref: 001C5A72
GetDlgItem.USER32(?,000003E9), ref: 001C5A82
SetWindowTextW.USER32(00000000,?), ref: 001C5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001C5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001C5AC3
GetWindowRect.USER32(?,?), ref: 001C5ACC
_wcslen.LIBCMT ref: 001C5B33
SetWindowTextW.USER32(?,?), ref: 001C5B6F
GetDesktopWindow.USER32 ref: 001C5B75
GetWindowRect.USER32(00000000), ref: 001C5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001C5BD3
GetClientRect.USER32(?,?), ref: 001C5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001C5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001C5C2F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 4a2d0dc95485ca93ae272a248f778c37e05c19598cb3cf48be334438f8f35c71
Instruction ID: 87745c9d16accd4644b9be1c08e3208afcb46d3507eea0be5d4bced60dd02147
Opcode Fuzzy Hash: 4a2d0dc95485ca93ae272a248f778c37e05c19598cb3cf48be334438f8f35c71
Instruction Fuzzy Hash: FD715B31900A09AFDB20DFA9CE45FAEBBF6EB58714F10451CE146A25A0D775F984CB50

Function 001DFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001DFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 001DFE32
LoadCursorW.USER32(00000000,00007F00), ref: 001DFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 001DFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 001DFE53
LoadCursorW.USER32(00000000,00007F01), ref: 001DFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 001DFE69
LoadCursorW.USER32(00000000,00007F88), ref: 001DFE74
LoadCursorW.USER32(00000000,00007F80), ref: 001DFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 001DFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 001DFE95
LoadCursorW.USER32(00000000,00007F85), ref: 001DFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 001DFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 001DFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 001DFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 001DFECC
GetCursorInfo.USER32(?), ref: 001DFEDC
GetLastError.KERNEL32 ref: 001DFF1E

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9fb07404c7f4d29d20eba18c502797669545df773264b4312445654790c955d3
Instruction ID: 5baac013538aa74812c39c478c1dd625b1e201599e290658ba8fa240a7d85f81
Opcode Fuzzy Hash: 9fb07404c7f4d29d20eba18c502797669545df773264b4312445654790c955d3
Instruction Fuzzy Hash: 584145B1D04319AADB10DFBA8C8986EBFE8FF04754B50452AF11DE7281DB78A901CF91

Function 001C30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C318D
_wcslen.LIBCMT ref: 001C31F8

Strings

NAME, xrefs: 001C3335, 001C3346
[", xrefs: 001C339A
INSTANCE, xrefs: 001C3453
CLASSNN, xrefs: 001C31F3, 001C3204
TEXT, xrefs: 001C347C
REGEXPCLASS, xrefs: 001C3255, 001C3266
CLASS, xrefs: 001C3188, 001C31A5

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$["
API String ID: 176396367-895358618
Opcode ID: bdf6a6ae8f1a6aaacd530bc2465b6141d23c5f252056903abee01823a9e0d4b8
Instruction ID: 7549cad9b7b01357bd2128b1cae539a7823557ec7e23b62563d6325a77b6966c
Opcode Fuzzy Hash: bdf6a6ae8f1a6aaacd530bc2465b6141d23c5f252056903abee01823a9e0d4b8
Instruction Fuzzy Hash: ABE1B232A00526ABCB189FA8C851FEEBBB4BF74714F55C11DE466A7240DB30EE45DB90

Function 001800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001800C6

Part of subcall function 001800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0023070C,00000FA0,CA48C224,?,?,?,?,001A23B3,000000FF), ref: 0018011C
Part of subcall function 001800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001A23B3,000000FF), ref: 00180127
Part of subcall function 001800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001A23B3,000000FF), ref: 00180138
Part of subcall function 001800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0018014E
Part of subcall function 001800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0018015C
Part of subcall function 001800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0018016A
Part of subcall function 001800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00180195
Part of subcall function 001800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001801A0

___scrt_fastfail.LIBCMT ref: 001800E7

Part of subcall function 001800A3: __onexit.LIBCMT ref: 001800A9

Strings

kernel32.dll, xrefs: 00180133
InitializeConditionVariable, xrefs: 00180148
SleepConditionVariableCS, xrefs: 00180154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00180122
WakeAllConditionVariable, xrefs: 00180162

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 929c216e31b48023b8f4341aaea6a600300f5f6ddab6f6a9d013420cffd420d7
Instruction ID: 1ed76460d477b3ffaa73ee685fce15609af1a7c3b99f614a3354627722461137
Opcode Fuzzy Hash: 929c216e31b48023b8f4341aaea6a600300f5f6ddab6f6a9d013420cffd420d7
Instruction Fuzzy Hash: 2021073264470DABE7527BA4AC49B7A73E4EF09BA0F010129F90192691DBA09D44CFA0

Function 001D44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001FCC08), ref: 001D4527
_wcslen.LIBCMT ref: 001D453B
_wcslen.LIBCMT ref: 001D4599
_wcslen.LIBCMT ref: 001D45F4
_wcslen.LIBCMT ref: 001D463F
_wcslen.LIBCMT ref: 001D46A7

Part of subcall function 0017F9F2: _wcslen.LIBCMT ref: 0017F9FD

GetDriveTypeW.KERNEL32(?,00226BF0,00000061), ref: 001D4743

Strings

all, xrefs: 001D4531, 001D4536
ramdisk, xrefs: 001D46F1
fixed, xrefs: 001D4635, 001D463A
network, xrefs: 001D469D, 001D46A2
unknown, xrefs: 001D4708
removable, xrefs: 001D45EA, 001D45EF
cdrom, xrefs: 001D458F, 001D4594

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e87d8c211b4673a8218ee81202f0aa86d05e647346c1e7fc75ded8ec6d95ee40
Instruction ID: 85abf4b4f189ba21848a055a4b988bec87c2274fd8db865c9a0b926b1cc15c26
Opcode Fuzzy Hash: e87d8c211b4673a8218ee81202f0aa86d05e647346c1e7fc75ded8ec6d95ee40
Instruction Fuzzy Hash: ECB110316083029FC724DF28D890A7AB7E5BFA5764F50491EF49AC7391EB30D844CBA2

Function 001F911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00179BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00179BB2

DragQueryPoint.SHELL32(?,?), ref: 001F9147

Part of subcall function 001F7674: ClientToScreen.USER32(?,?), ref: 001F769A
Part of subcall function 001F7674: GetWindowRect.USER32(?,?), ref: 001F7710
Part of subcall function 001F7674: PtInRect.USER32(?,?,001F8B89), ref: 001F7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001F91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001F91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001F91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001F9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001F923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001F9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001F9277
DragFinish.SHELL32(?), ref: 001F927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001F9371

Strings

@GUI_DRAGID, xrefs: 001F92E9
@GUI_DROPID, xrefs: 001F929E
p##, xrefs: 001F92BB
@GUI_DRAGFILE, xrefs: 001F9320

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p##
API String ID: 221274066-3526253871
Opcode ID: cfa2cc7abacc52b64362a26e93bc250fa031152006d44b64fba5af49598b485d
Instruction ID: 228c5ef1b38a0bd2f07b7d8280ae9ee2d9e37de87f123c0706dbe3e1910dc11f
Opcode Fuzzy Hash: cfa2cc7abacc52b64362a26e93bc250fa031152006d44b64fba5af49598b485d
Instruction Fuzzy Hash: 30618B71108305AFC701EF64DD85EAFBBE8EF99750F00092EF596931A1DB309A59CB92

Function 0019DA5D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0019DAA1

Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D659
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D66B
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D67D
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D68F
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D6A1
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D6B3
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D6C5
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D6D7
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D6E9
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D6FB
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D70D
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D71F
Part of subcall function 0019D63C: _free.LIBCMT ref: 0019D731

_free.LIBCMT ref: 0019DA96

Part of subcall function 001929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000), ref: 001929DE
Part of subcall function 001929C8: GetLastError.KERNEL32(00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000,00000000), ref: 001929F0

_free.LIBCMT ref: 0019DAB8
_free.LIBCMT ref: 0019DACD
_free.LIBCMT ref: 0019DAD8
_free.LIBCMT ref: 0019DAFA
_free.LIBCMT ref: 0019DB0D
_free.LIBCMT ref: 0019DB1B
_free.LIBCMT ref: 0019DB26
_free.LIBCMT ref: 0019DB5E
_free.LIBCMT ref: 0019DB65
_free.LIBCMT ref: 0019DB82
_free.LIBCMT ref: 0019DB9A

Strings

X], xrefs: 0019DA62

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: X]
API String ID: 161543041-2199211699
Opcode ID: faeffd17c85c54ae55173ada125eaa0dfe3216423facf8952f3f3e72b5b75387
Instruction ID: e16535646067e9e6bb46b1a7ee47958545180386ae53e5a7a977d8e64be21a61
Opcode Fuzzy Hash: faeffd17c85c54ae55173ada125eaa0dfe3216423facf8952f3f3e72b5b75387
Instruction Fuzzy Hash: ED315932A04305AFEF22AA79F846B5AB7E9FF21324F554429E449D7191DF31EC90CB60

Function 0016326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00231990), ref: 001A2F8D
GetMenuItemCount.USER32(00231990), ref: 001A303D
GetCursorPos.USER32(?), ref: 001A3081
SetForegroundWindow.USER32(00000000), ref: 001A308A
TrackPopupMenuEx.USER32(00231990,00000000,?,00000000,00000000,00000000), ref: 001A309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001A30A9

Strings

0, xrefs: 0016327D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: a0da5f1690a1c8c6355764ab6903686e62d1c11ad314ed9868111f27bd2fc81d
Instruction ID: 3653ba837b463cc18c0f2a1b3c92bf659e6b5c59441c02c0ef201f900a0a7dd0
Opcode Fuzzy Hash: a0da5f1690a1c8c6355764ab6903686e62d1c11ad314ed9868111f27bd2fc81d
Instruction Fuzzy Hash: DA716074644205BFFB258F68CD49FAABF64FF05324F204206F525AA1E0C7B1AD54DB90

Function 001F6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 001F6DEB

Part of subcall function 00166B57: _wcslen.LIBCMT ref: 00166B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001F6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001F6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001F6E94
DestroyWindow.USER32(?), ref: 001F6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00160000,00000000), ref: 001F6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001F6EFD
GetDesktopWindow.USER32 ref: 001F6F16
GetWindowRect.USER32(00000000), ref: 001F6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001F6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001F6F4D

Part of subcall function 00179944: GetWindowLongW.USER32(?,000000EB), ref: 00179952

Strings

0, xrefs: 001F6D98
tooltips_class32, xrefs: 001F6E58, 001F6EDD

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 126368da1ca0363162f2753015b57dcaf70d5946dd676a03f7b31aa19b4e8202
Instruction ID: 7465375d38315e975a7a570e4b2476e002dd00b4e3a86aee4b7370263a98ac5f
Opcode Fuzzy Hash: 126368da1ca0363162f2753015b57dcaf70d5946dd676a03f7b31aa19b4e8202
Instruction Fuzzy Hash: D7717771104248AFDB21CF18DC58FBABBE9FB89304F04081DFA8987261C770AD5ADB51

Function 001DC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001DC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001DC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001DC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001DC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001DC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001DC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001DC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001DC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001DC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001DC5F0
InternetCloseHandle.WININET(00000000), ref: 001DC5FB

Strings

, xrefs: 001DC575

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 5e3804fc79ef56ed423ec99b05fc6b8fa7dbc0fd597c9c2e85fc119d544558f6
Instruction ID: 9111d1a206e5890b186a25fa2d3c2eb84c1457eb1eed9e279e498c078fe7192e
Opcode Fuzzy Hash: 5e3804fc79ef56ed423ec99b05fc6b8fa7dbc0fd597c9c2e85fc119d544558f6
Instruction Fuzzy Hash: 92514EB160020ABFDB219FA4D948ABB7BBCFF04754F00491AF94696650DB34E944EBA0

Function 001F856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 001F8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001F85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001F85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001F85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001F85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001F85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001F85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001F85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001F85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,001FFC38,?), ref: 001F8611
GlobalFree.KERNEL32(00000000), ref: 001F8621
GetObjectW.GDI32(?,00000018,?), ref: 001F8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001F8671
DeleteObject.GDI32(?), ref: 001F8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001F86AF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: deb1120f4105dcd609cd5b50fb5b3474e1fa99d16161cbe9abefbf554398fda2
Instruction ID: 0d2285c286a7cc28eadac976e4f9426459ffcf3f1ad8b992163fbed8b9035829
Opcode Fuzzy Hash: deb1120f4105dcd609cd5b50fb5b3474e1fa99d16161cbe9abefbf554398fda2
Instruction Fuzzy Hash: 67411875600208AFDB11DFA5CD48EBA7BB8FF89B55F104158F909EB260DB309D41EB60

Function 001D14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001D1502
VariantCopy.OLEAUT32(?,?), ref: 001D150B
VariantClear.OLEAUT32(?), ref: 001D1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001D15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001D1657
VariantInit.OLEAUT32(?), ref: 001D1708
SysFreeString.OLEAUT32(?), ref: 001D178C
VariantClear.OLEAUT32(?), ref: 001D17D8
VariantClear.OLEAUT32(?), ref: 001D17E7
VariantInit.OLEAUT32(00000000), ref: 001D1823

Strings

Default, xrefs: 001D16AF
%4d%02d%02d%02d%02d%02d, xrefs: 001D1625

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 2f2a41d52e9c2adcb49dbf9c2a18f9339799be642ed8c4dc8476f2824a374683
Instruction ID: 881ceebc84db2e27810a6dc038825aa26cfabb565536a673f8b4e5eec9fe8cc9
Opcode Fuzzy Hash: 2f2a41d52e9c2adcb49dbf9c2a18f9339799be642ed8c4dc8476f2824a374683
Instruction Fuzzy Hash: AAD12272A00115FBDB149FA5E884B7DB7B5BF46700F11805BF806AB290DB78EC51DBA1

Function 001EB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Part of subcall function 001EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001EB6AE,?,?), ref: 001EC9B5
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001EC9F1
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001ECA68
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001EB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001EB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001EB80A
RegCloseKey.ADVAPI32(?), ref: 001EB87E
RegCloseKey.ADVAPI32(?), ref: 001EB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001EB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001EB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001EB922
FreeLibrary.KERNEL32(00000000), ref: 001EB983
RegCloseKey.ADVAPI32(00000000), ref: 001EB994

Strings

RegDeleteKeyExW, xrefs: 001EB8FE
advapi32.dll, xrefs: 001EB8ED

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d6ccd2887dc0fe5383d81809b5aa2ee4936948d7d031b617d2d5e0a3f37094de
Instruction ID: c27fbd415dd498924e296dc40f6408c2301f5b7166bed3782ff9493faf3b9724
Opcode Fuzzy Hash: d6ccd2887dc0fe5383d81809b5aa2ee4936948d7d031b617d2d5e0a3f37094de
Instruction Fuzzy Hash: 9FC18B34208681EFD714DF15C895F2ABBE5BF84308F14849CF49A8B6A2CB71EC46CB91

Function 001E255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001E25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001E25E8
CreateCompatibleDC.GDI32(?), ref: 001E25F4
SelectObject.GDI32(00000000,?), ref: 001E2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001E266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001E26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001E26D0
SelectObject.GDI32(?,?), ref: 001E26D8
DeleteObject.GDI32(?), ref: 001E26E1
DeleteDC.GDI32(?), ref: 001E26E8
ReleaseDC.USER32(00000000,?), ref: 001E26F3

Strings

(, xrefs: 001E268D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4a58649f9af9c53ba5fc69ed18c54fdc4b158ddd6bf9e98726d1e777532df3b3
Instruction ID: 7b29222aec765e74b073e7fc53d0da10f6338641cc7bbbc3bad253e9f0f8d399
Opcode Fuzzy Hash: 4a58649f9af9c53ba5fc69ed18c54fdc4b158ddd6bf9e98726d1e777532df3b3
Instruction Fuzzy Hash: FB61E2B5D00219EFCF04CFA8D984EAEBBBAFF58310F208529E955A7250D770A951DF90

Function 001C365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001C369C
_wcslen.LIBCMT ref: 001C36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001C3797
GetClassNameW.USER32(?,?,00000400), ref: 001C380C
GetDlgCtrlID.USER32(?), ref: 001C385D
GetWindowRect.USER32(?,?), ref: 001C3882
GetParent.USER32(?), ref: 001C38A0
ScreenToClient.USER32(00000000), ref: 001C38A7
GetClassNameW.USER32(?,?,00000100), ref: 001C3921
GetWindowTextW.USER32(?,?,00000400), ref: 001C395D

Strings

%s%u, xrefs: 001C3734

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 88341ef32ff1d67d46925d697d2ea1dec7d7129e8dea4e937b14b91415669ecb
Instruction ID: 605d26bedbee847078bff63ea88e1f1428ff70072e1898021416e12159f82f78
Opcode Fuzzy Hash: 88341ef32ff1d67d46925d697d2ea1dec7d7129e8dea4e937b14b91415669ecb
Instruction Fuzzy Hash: E291A171204606AFDB19DF24C885FEAF7A9FF64354F00862DF9A9D2190DB30EA45CB91

Function 001C4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001C4994
GetWindowTextW.USER32(?,?,00000400), ref: 001C49DA
_wcslen.LIBCMT ref: 001C49EB
CharUpperBuffW.USER32(?,00000000), ref: 001C49F7
_wcsstr.LIBVCRUNTIME ref: 001C4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001C4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001C4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001C4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001C4B20
GetWindowRect.USER32(?,?), ref: 001C4B8B

Strings

ThumbnailClass, xrefs: 001C4A6F, 001C4AF1

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 1a37c2ccc45acdcf56f56f82e843d198d5dc185238262a15b2b2572fa858143a
Instruction ID: 6c7570e5f31a056568031d164e1044f7fd5d94080a633a0bdd56a564cb76aa9d
Opcode Fuzzy Hash: 1a37c2ccc45acdcf56f56f82e843d198d5dc185238262a15b2b2572fa858143a
Instruction Fuzzy Hash: DF91CE710082099FDB04DF14C995FAA77E9FFA4314F04846DFD869A196EB30EE45CBA1

Function 001F8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00179BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001F8D5A
GetFocus.USER32 ref: 001F8D6A
GetDlgCtrlID.USER32(00000000), ref: 001F8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001F8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001F8ECF
GetMenuItemCount.USER32(?), ref: 001F8EEC
GetMenuItemID.USER32(?,00000000), ref: 001F8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001F8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001F8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001F8FA1

Strings

0, xrefs: 001F8E9F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: b2cd2bdd4da804d18ca0abefbdc15d5e0ed8c5eac202ad599cb47e19c48ba0bd
Instruction ID: 1bdb4a65a59dcbd15f2b12a550b3b740b290670bc685ebf9e75e6e2c3e035e80
Opcode Fuzzy Hash: b2cd2bdd4da804d18ca0abefbdc15d5e0ed8c5eac202ad599cb47e19c48ba0bd
Instruction Fuzzy Hash: EB81AD71608309AFDB10CF24D884ABBBBE9FF98314F140959FA85D7292DB30D945CBA1

Function 001CBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00231990,000000FF,00000000,00000030), ref: 001CBFAC
SetMenuItemInfoW.USER32(00231990,00000004,00000000,00000030), ref: 001CBFE1
Sleep.KERNEL32(000001F4), ref: 001CBFF3
GetMenuItemCount.USER32(?), ref: 001CC039
GetMenuItemID.USER32(?,00000000), ref: 001CC056
GetMenuItemID.USER32(?,-00000001), ref: 001CC082
GetMenuItemID.USER32(?,?), ref: 001CC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001CC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001CC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001CC145

Strings

0, xrefs: 001CBF3D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 9815c7e0f02085cc08c166cca626f9ac64856c8d9ceca1a275c215948bd29d78
Instruction ID: 0e21e0bfcc69e2ae94ddd03aac169d072b678e973704eb01e04f081136723b15
Opcode Fuzzy Hash: 9815c7e0f02085cc08c166cca626f9ac64856c8d9ceca1a275c215948bd29d78
Instruction Fuzzy Hash: 15617AB0A0024AEFDB15CF64DD88FEEBBA8EB25344F144059F815A3291C731ED55DBA0

Function 001CDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001CDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001CDC46
_wcslen.LIBCMT ref: 001CDC50
_wcsstr.LIBVCRUNTIME ref: 001CDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001CDCBC

Strings

StringFileInfo\, xrefs: 001CDC8F
%u.%u.%u.%u, xrefs: 001CDD9A
DefaultLangCodepage, xrefs: 001CDD1F
\VarFileInfo\Translation, xrefs: 001CDCB4
04090000, xrefs: 001CDCF2

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 6dc5bdcce5df5bde60f4fa6952d2a6c81a2bfd377d7dad4db30d6593ef97de8e
Instruction ID: 6e1eb003a3670cc5db9396568acd22e47ebf9e65a3effdd5b16c860267f275bc
Opcode Fuzzy Hash: 6dc5bdcce5df5bde60f4fa6952d2a6c81a2bfd377d7dad4db30d6593ef97de8e
Instruction Fuzzy Hash: 024110729402187ADB14B6A4AC47FBF37ACEF62750F14406DF905A61C2EB70DA01ABA5

Function 001ECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001ECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001ECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001ECD48

Part of subcall function 001ECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001ECCAA
Part of subcall function 001ECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001ECCBD
Part of subcall function 001ECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001ECCCF
Part of subcall function 001ECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001ECD05
Part of subcall function 001ECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001ECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001ECCF3

Strings

RegDeleteKeyExW, xrefs: 001ECCC9
advapi32.dll, xrefs: 001ECCB8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 34c27aceae99ee6a79a047e6ed0796db64e9bbb637b46b7710984c66811becc8
Instruction ID: b1c03532e58dd56e01fad3f25bd12065d89a33a4f4a3ec368eeaf915f13b17b9
Opcode Fuzzy Hash: 34c27aceae99ee6a79a047e6ed0796db64e9bbb637b46b7710984c66811becc8
Instruction Fuzzy Hash: D5316D7590152DBBDB208B96DC88EFFBB7CEF55750F000165B906E3240DB349A86EAE0

Function 001D3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001D3D40
_wcslen.LIBCMT ref: 001D3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 001D3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001D3DBE
RemoveDirectoryW.KERNEL32(?), ref: 001D3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001D3E55
CloseHandle.KERNEL32(00000000), ref: 001D3E60
CloseHandle.KERNEL32(00000000), ref: 001D3E6B

Strings

\??\%s, xrefs: 001D3D5B
:, xrefs: 001D3D82
\, xrefs: 001D3D77

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: e51ef223698406de21f30ef4abaa9a85e4386ba7c49b9fbbad626f573e8ef09e
Instruction ID: d5022c49edcc56d3a1c469baf440ed7813ba8cf4314287d1bd27202494d0af96
Opcode Fuzzy Hash: e51ef223698406de21f30ef4abaa9a85e4386ba7c49b9fbbad626f573e8ef09e
Instruction Fuzzy Hash: 5831CFB6900209ABDB209BA4DC48FEB37BEEF88700F5040B6F519D6160EB709784DF65

Function 001CE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001CE6B4

Part of subcall function 0017E551: timeGetTime.WINMM(?,?,001CE6D4), ref: 0017E555

Sleep.KERNEL32(0000000A), ref: 001CE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001CE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001CE727
SetActiveWindow.USER32 ref: 001CE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001CE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001CE773
Sleep.KERNEL32(000000FA), ref: 001CE77E
IsWindow.USER32 ref: 001CE78A
EndDialog.USER32(00000000), ref: 001CE79B

Strings

BUTTON, xrefs: 001CE719

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: ee34e5a727c00ef79bee4538f40b44e42991b9a31fbe9f68a4edf782224fbc66
Instruction ID: de8fa0084a06eef509b2ac7823c701025f3254853dac9c5e52b8ffddd89de075
Opcode Fuzzy Hash: ee34e5a727c00ef79bee4538f40b44e42991b9a31fbe9f68a4edf782224fbc66
Instruction Fuzzy Hash: 24214CB1200618EFEB005B61FD8EF353AADAB64748F105428F815826A1DB61EC55DEA4

Function 001CE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001CEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001CEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001CEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001CEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001CEAA7

Strings

play PlayMe wait, xrefs: 001CEA91
close PlayMe, xrefs: 001CEA6E, 001CEA9B
open , xrefs: 001CEA0C
alias PlayMe, xrefs: 001CEA36
play PlayMe, xrefs: 001CEAA2
status PlayMe mode, xrefs: 001CEA58

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b200c175a6b416a9ecc9970bc3f8bb1b61acef66c553ab70f8f3b64d6fc21bd0
Instruction ID: 3c49f1d3919e7983a5bf961b016b2422ae052dcc62c68b71f89a30218df9b28c
Opcode Fuzzy Hash: b200c175a6b416a9ecc9970bc3f8bb1b61acef66c553ab70f8f3b64d6fc21bd0
Instruction Fuzzy Hash: 001137326902697DD710A7A1ED4AEFF7ABCEBE2B00F4004297411A30D1DF709955C9B0

Function 001C5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 001C5CE2
GetWindowRect.USER32(00000000,?), ref: 001C5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001C5D59
GetDlgItem.USER32(?,00000002), ref: 001C5D69
GetWindowRect.USER32(00000000,?), ref: 001C5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 001C5DCF
GetDlgItem.USER32(?,000003E9), ref: 001C5DDD
GetWindowRect.USER32(00000000,?), ref: 001C5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 001C5E31
GetDlgItem.USER32(?,000003EA), ref: 001C5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001C5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 001C5E67

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 90aa9f15ebf20919d358e778d8554c03d64d2c4cb9bedb9a38fde47af0df1951
Instruction ID: 668b81135ea33378980a1eaddcd542bd907f574888dd1cd4769080caf5201773
Opcode Fuzzy Hash: 90aa9f15ebf20919d358e778d8554c03d64d2c4cb9bedb9a38fde47af0df1951
Instruction Fuzzy Hash: 03510071A00609AFDF18DFA8DD89EBEBBB6EB58310F148129F516E6690D770ED40CB50

Function 00178BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00178F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00178BE8,?,00000000,?,?,?,?,00178BBA,00000000,?), ref: 00178FC5

DestroyWindow.USER32(?), ref: 00178C81
KillTimer.USER32(00000000,?,?,?,?,00178BBA,00000000,?), ref: 00178D1B
DestroyAcceleratorTable.USER32(00000000), ref: 001B6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00178BBA,00000000,?), ref: 001B69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00178BBA,00000000,?), ref: 001B69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00178BBA,00000000), ref: 001B69D4
DeleteObject.GDI32(00000000), ref: 001B69E6

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 937c7a7156a57060081cf02c40baaeb5ec89d5891ea08608de8e28cc2717bcaf
Instruction ID: 05b7b2566c856c22453aea1135fcf1435dd55b64e4e7037b14bffbbdf5c226a1
Opcode Fuzzy Hash: 937c7a7156a57060081cf02c40baaeb5ec89d5891ea08608de8e28cc2717bcaf
Instruction Fuzzy Hash: F761AD30142604DFDB269F25DA4CBA5B7F1FB50316F248529E04A9B9A0CB35AD91DFA0

Function 00179838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00179944: GetWindowLongW.USER32(?,000000EB), ref: 00179952

GetSysColor.USER32(0000000F), ref: 00179862

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: ac456792a28bef803035372f087fee33c40e79c08f2898457f005a0615c3f509
Instruction ID: 6a111e623d291cb20bcfb6366927983101c7d9e33bebd35692aec1f6c9aa092d
Opcode Fuzzy Hash: ac456792a28bef803035372f087fee33c40e79c08f2898457f005a0615c3f509
Instruction Fuzzy Hash: A241C331104648EFDB209F389C88BB93BB5EB47331F148655F9A68B2E1C7319C86DB51

Function 001C96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,001AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001C9717
LoadStringW.USER32(00000000,?,001AF7F8,00000001), ref: 001C9720

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,001AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001C9742
LoadStringW.USER32(00000000,?,001AF7F8,00000001), ref: 001C9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001C9866

Strings

^ ERROR, xrefs: 001C97FB
Error: , xrefs: 001C981D
Line %d (File "%s"):, xrefs: 001C978F
%s (%d) : ==> %s: %s %s, xrefs: 001C984A
Line %d:, xrefs: 001C97A0

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 62749b48727b36fe68f70129667117b0e7ae3e74847a9ccfe58ff2fb15ca6e2b
Instruction ID: 0da2e89117b6164006ae4fafb24883a5c5af74175a557277a3a494c6d76beeb1
Opcode Fuzzy Hash: 62749b48727b36fe68f70129667117b0e7ae3e74847a9ccfe58ff2fb15ca6e2b
Instruction Fuzzy Hash: 8D412C7280021DABCB14EBE0DE46EEE777CAF65340F500069B50572192EB356F58DBA1

Function 001C06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00166B57: _wcslen.LIBCMT ref: 00166B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001C07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001C07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001C07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001C0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001C082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001C0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001C083C

Strings

SOFTWARE\Classes\, xrefs: 001C070E
\IPC$, xrefs: 001C0784
\CLSID, xrefs: 001C0724

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: e5c536b7c581e8fa18a8bda163acda07836db02bc4e35e1efd0b0507ff317499
Instruction ID: 8edb8b8c6602b14bfdca7bf56e748e8cb4fde559187802463dacc34a876e03ce
Opcode Fuzzy Hash: e5c536b7c581e8fa18a8bda163acda07836db02bc4e35e1efd0b0507ff317499
Instruction Fuzzy Hash: E7410472C1022DEBDF15EBA4DC85DEDB778BF28750B548129E901A3160EB30AE54CBA0

Function 001E3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001E3C5C
CoInitialize.OLE32(00000000), ref: 001E3C8A
CoUninitialize.OLE32 ref: 001E3C94
_wcslen.LIBCMT ref: 001E3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001E3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001E3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001E3F0E
CoGetObject.OLE32(?,00000000,001FFB98,?), ref: 001E3F2D
SetErrorMode.KERNEL32(00000000), ref: 001E3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001E3FC4
VariantClear.OLEAUT32(?), ref: 001E3FD8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 402f42af77114efcebdb11923376e77c35eeb93718b7b634c06914854f173a9f
Instruction ID: 5bb71e8a4d21b258a9a4ed9b9b58343f167efdd5fe4dfbc9578280cf2bc6c2d1
Opcode Fuzzy Hash: 402f42af77114efcebdb11923376e77c35eeb93718b7b634c06914854f173a9f
Instruction Fuzzy Hash: C5C154716087459FC700DF69C88892BBBE9FF89748F10491DF99A9B250D730EE46CB92

Function 001D7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001D7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001D7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001D7BA3
CoCreateInstance.OLE32(001FFD08,00000000,00000001,00226E6C,?), ref: 001D7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001D7C74
CoTaskMemFree.OLE32(?,?), ref: 001D7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001D7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001D7D7A
CoTaskMemFree.OLE32(00000000), ref: 001D7D81
CoTaskMemFree.OLE32(00000000), ref: 001D7DD6
CoUninitialize.OLE32 ref: 001D7DDC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 78128883bb95c0e8dbc5886f3a3d9bd383ab4e1911080b4eb585c8382f890718
Instruction ID: 2268e35bd1e51ab7e707f33e8b9c9125f3b3b95ebec7044986d605186ded1af1
Opcode Fuzzy Hash: 78128883bb95c0e8dbc5886f3a3d9bd383ab4e1911080b4eb585c8382f890718
Instruction Fuzzy Hash: 0FC10A75A04119AFCB14DFA4C884DAEBBF9FF48314B148499E81ADB761D730EE85CB90

Function 001F541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001F5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001F5515
CharNextW.USER32(00000158), ref: 001F5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001F5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001F559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001F55AC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 89dded9c043c9b6c213363b4937ed14c222e8e501c2c0df51d3c3d34c6672b3f
Instruction ID: 0aa5c1f7e3b562246f6451624f5d0b6d482a7443b1397dad3907d0b13f34fd2a
Opcode Fuzzy Hash: 89dded9c043c9b6c213363b4937ed14c222e8e501c2c0df51d3c3d34c6672b3f
Instruction Fuzzy Hash: F2617D7490460CABDF149F54CC84AFE7BBAFB05725F108149FB26A62A0D7748A81DB60

Function 001BFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001BFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 001BFB08
VariantInit.OLEAUT32(?), ref: 001BFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 001BFB3A
VariantCopy.OLEAUT32(?,?), ref: 001BFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 001BFBA1
VariantClear.OLEAUT32(?), ref: 001BFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 001BFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001BFBCC
VariantClear.OLEAUT32(?), ref: 001BFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001BFBE9

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f83ccca2fca7fda5a35d4dbefa5c173dd4497dc289c07e6c783d90cb2be9d894
Instruction ID: a739cc7354b71aad77a0f6f705147c75b3e266d56c81c70bf746b91e73a179f4
Opcode Fuzzy Hash: f83ccca2fca7fda5a35d4dbefa5c173dd4497dc289c07e6c783d90cb2be9d894
Instruction Fuzzy Hash: 32414035A00219EFCB04DF68CD549FEBBB9FF58344F008469E945A7661CB30A946DFA0

Function 001C9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001C9CA1
GetAsyncKeyState.USER32(000000A0), ref: 001C9D22
GetKeyState.USER32(000000A0), ref: 001C9D3D
GetAsyncKeyState.USER32(000000A1), ref: 001C9D57
GetKeyState.USER32(000000A1), ref: 001C9D6C
GetAsyncKeyState.USER32(00000011), ref: 001C9D84
GetKeyState.USER32(00000011), ref: 001C9D96
GetAsyncKeyState.USER32(00000012), ref: 001C9DAE
GetKeyState.USER32(00000012), ref: 001C9DC0
GetAsyncKeyState.USER32(0000005B), ref: 001C9DD8
GetKeyState.USER32(0000005B), ref: 001C9DEA

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 131647afa123e1a2eb29c6aeb34e28f9b414ec655992b79ffe8aff5de168fdd5
Instruction ID: d50fdc9011ae4eef53b5dffc0409394d2b05ac3875a6552e8ffd04284121c214
Opcode Fuzzy Hash: 131647afa123e1a2eb29c6aeb34e28f9b414ec655992b79ffe8aff5de168fdd5
Instruction Fuzzy Hash: 3E41FA746047CA6DFF3087A0980CBB5BEA06F31344F04805EDAC7665C2DBA4DAC8C7A6

Function 001E055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001E05BC
inet_addr.WSOCK32(?), ref: 001E061C
gethostbyname.WSOCK32(?), ref: 001E0628
IcmpCreateFile.IPHLPAPI ref: 001E0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001E06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001E06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001E07B9
WSACleanup.WSOCK32 ref: 001E07BF

Strings

Ping, xrefs: 001E0676

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 044c8f0ff22c894aa150828e7ab8728ca640426e5698eab6d333b9a83579b3a9
Instruction ID: d58985ffcc8ad8216c21c9a9968b33ab5735c1edfc176eabe75a7e83bfba3d1a
Opcode Fuzzy Hash: 044c8f0ff22c894aa150828e7ab8728ca640426e5698eab6d333b9a83579b3a9
Instruction Fuzzy Hash: 0591B1359086419FD321CF16D988F1ABBE0AF48318F158599F4AA8B7A2C770FD85CF91

Function 001E8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001E8CF3

Part of subcall function 001C8E54: _wcslen.LIBCMT ref: 001C8E77

_wcslen.LIBCMT ref: 001E8D4E
_wcslen.LIBCMT ref: 001E8D9C
_wcslen.LIBCMT ref: 001E8DDC
_wcslen.LIBCMT ref: 001E8E6E

Strings

stdcall, xrefs: 001E8DD6, 001E8DDB
none, xrefs: 001E8E65, 001E8E6A
cdecl, xrefs: 001E8D48, 001E8D4D
winapi, xrefs: 001E8D96, 001E8D9B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 523bbbb910cc7a20a1bf53a20d8400784b4df5b6e7f5b3da8bcd61dd875efbd4
Instruction ID: 529f82125dc89f2dd9e2878c3ac1a61d42afbfec89ac8c7d70c6691f30ce3f80
Opcode Fuzzy Hash: 523bbbb910cc7a20a1bf53a20d8400784b4df5b6e7f5b3da8bcd61dd875efbd4
Instruction Fuzzy Hash: 6451B231A049569BCB24DFADCD409BEB7A5BF74724B254229E42AE72C4DF31DE40C790

Function 001E372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001E3774
CoUninitialize.OLE32 ref: 001E377F
CoCreateInstance.OLE32(?,00000000,00000017,001FFB78,?), ref: 001E37D9
IIDFromString.OLE32(?,?), ref: 001E384C
VariantInit.OLEAUT32(?), ref: 001E38E4
VariantClear.OLEAUT32(?), ref: 001E3936

Strings

Failed to create object, xrefs: 001E37E4, 001E389A
Invalid parameter, xrefs: 001E3865
NULL Pointer assignment, xrefs: 001E381E

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 30cbd42048910bc3a62117abb038d81b5daac1e87abc9e688c7714eefd5cb763
Instruction ID: f6fdd3ff64cc30e40edf80dfe70a765b770798375c3b29e2022a7944d671f3b6
Opcode Fuzzy Hash: 30cbd42048910bc3a62117abb038d81b5daac1e87abc9e688c7714eefd5cb763
Instruction Fuzzy Hash: C561BC70608741AFD310DF56D888F6EBBE8AF59714F00090DF9959B291C770EE48CB92

Function 001F8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00179BB2

Part of subcall function 0017912D: GetCursorPos.USER32(?), ref: 00179141
Part of subcall function 0017912D: ScreenToClient.USER32(00000000,?), ref: 0017915E
Part of subcall function 0017912D: GetAsyncKeyState.USER32(00000001), ref: 00179183
Part of subcall function 0017912D: GetAsyncKeyState.USER32(00000002), ref: 0017919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001F8B6B
ImageList_EndDrag.COMCTL32 ref: 001F8B71
ReleaseCapture.USER32 ref: 001F8B77
SetWindowTextW.USER32(?,00000000), ref: 001F8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001F8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001F8CFF

Strings

@GUI_DROPID, xrefs: 001F8C51
p##, xrefs: 001F8C71
@GUI_DRAGFILE, xrefs: 001F8C9A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p##
API String ID: 1924731296-3739245919
Opcode ID: c912969463bef9dfb32e182a9f6916e5ab07d4fd9e1ffe1c8f9187f96b0b0cb0
Instruction ID: 1730cecc83a892a3c35465bb4540c401ba4f169894edcb1a20b8bf77f1f116a2
Opcode Fuzzy Hash: c912969463bef9dfb32e182a9f6916e5ab07d4fd9e1ffe1c8f9187f96b0b0cb0
Instruction Fuzzy Hash: 59518C70204208AFD704DF24DD59BBA77E4FB98714F40062DFA56972E1CB709964CBA2

Function 001D3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001D33CF

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001D33F0

Strings

^ ERROR , xrefs: 001D349E
Error: , xrefs: 001D34D1
Line %d (File "%s"):, xrefs: 001D3443, 001D345C
"%s" (%d) : ==> %s:%s%s, xrefs: 001D3504
"%s" (%d) : ==> %s:, xrefs: 001D3522
Incorrect parameters to object property !, xrefs: 001D34AB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: bfed9ad9459249f4c39147cd242017ab82acc148998f932523131d7c22ddf0e3
Instruction ID: 0fa960f2399cb304bafaff62add240b5475604f77ae83688e63ca106fdb2b0e5
Opcode Fuzzy Hash: bfed9ad9459249f4c39147cd242017ab82acc148998f932523131d7c22ddf0e3
Instruction Fuzzy Hash: D7519E32900219BBDF14EBE0EE46EEEB378AF25340F104065F515721A2EB316F68DB61

Function 001CB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001CB5FC
_wcslen.LIBCMT ref: 001CB608
_wcslen.LIBCMT ref: 001CB64D
_wcslen.LIBCMT ref: 001CB68C
_wcslen.LIBCMT ref: 001CB6C7

Strings

KEYS, xrefs: 001CB647, 001CB64C
REMOVE, xrefs: 001CB602, 001CB607
APPEND, xrefs: 001CB6C1, 001CB6C6
EXISTS, xrefs: 001CB686, 001CB68B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: ab3884c3de3fb5fbca02dfd5c31663f5e97af8e7fa5c0309162a9db24b5436a4
Instruction ID: 38f0f77edbbec314e1f865c30b29ea05049ecaf2023ddf72d681013346e05b66
Opcode Fuzzy Hash: ab3884c3de3fb5fbca02dfd5c31663f5e97af8e7fa5c0309162a9db24b5436a4
Instruction Fuzzy Hash: BE41C532A081369BCB206E7DC8D2ABEB7A5AB70B54F25412DE425D7284E731CD81C790

Function 001D5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001D53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001D5416
GetLastError.KERNEL32 ref: 001D5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001D54A7

Strings

UNKNOWN, xrefs: 001D5444
READY, xrefs: 001D5460, 001D5468
READONLY, xrefs: 001D5452
INVALID, xrefs: 001D5459
NOTREADY, xrefs: 001D544B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 75f79688b1b562d65b932f7a6155c36c8c6182c564ff3a0dcc779831151224f3
Instruction ID: 3b45b0783507c4ed9baa6dad25dec9b0fbfea9379c9b8c5f16af21c39164a996
Opcode Fuzzy Hash: 75f79688b1b562d65b932f7a6155c36c8c6182c564ff3a0dcc779831151224f3
Instruction Fuzzy Hash: 7331C535A00508EFC714DF68D884EAA7BB5EF15305F14806AE405CB392E770ED92CB92

Function 001F3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 001F3C79
SetMenu.USER32(?,00000000), ref: 001F3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001F3D10
IsMenu.USER32(?), ref: 001F3D24
CreatePopupMenu.USER32 ref: 001F3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001F3D5B
DrawMenuBar.USER32 ref: 001F3D63

Strings

F, xrefs: 001F3D4E
0, xrefs: 001F3C54

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 193e8f1f74fb2bef37ab90f4484336d9a2dc089899a010b3a605d3f197452b2d
Instruction ID: 0e2d17aaf3de31f2dfbdadfc9b7c2b283495413e787c9578491892859d228c80
Opcode Fuzzy Hash: 193e8f1f74fb2bef37ab90f4484336d9a2dc089899a010b3a605d3f197452b2d
Instruction Fuzzy Hash: 04417779A0120DEFDB14DFA4E884BAA7BB5FF49350F140029FA56A7360D730AA14DF90

Function 001C1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Part of subcall function 001C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001C3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 001C1F64
GetDlgCtrlID.USER32 ref: 001C1F6F
GetParent.USER32 ref: 001C1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 001C1F8E
GetDlgCtrlID.USER32(?), ref: 001C1F97
GetParent.USER32(?), ref: 001C1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 001C1FAE

Strings

ListBox, xrefs: 001C1F21
ComboBox, xrefs: 001C1EEC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 59c4d5da4a1c75c820cb4d73128ce9b87deb3b81252f4fa195e9229441cbe6ea
Instruction ID: 70b4b6bebae63066e9e71f30251dfbeed66f5680286a6837a932fd1d13c6a3b8
Opcode Fuzzy Hash: 59c4d5da4a1c75c820cb4d73128ce9b87deb3b81252f4fa195e9229441cbe6ea
Instruction Fuzzy Hash: FF21D770940118BBCF04AFA0DC45EFEBBB8EF26310F004119F961A72D1CB749968EB60

Function 001F3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001F3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001F3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001F3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001F3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001F3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001F3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001F3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001F3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001F3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001F3C13

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 56ae4c935a59c5a8b5e5fd40268bab1eb691480a01edd6d7bded39c0b3210b40
Instruction ID: c30a5868216996d44e2d5e4bb774b19eb92ead655aa9b926405854bedef4ea2e
Opcode Fuzzy Hash: 56ae4c935a59c5a8b5e5fd40268bab1eb691480a01edd6d7bded39c0b3210b40
Instruction Fuzzy Hash: 36616975A00248AFDB10DFA8CC85EFE77B8EB09710F10019AFA15E72A1C770AE56DB50

Function 001CB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001CB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001CA1E1,?,00000001), ref: 001CB165
GetWindowThreadProcessId.USER32(00000000), ref: 001CB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001CA1E1,?,00000001), ref: 001CB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001CB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001CA1E1,?,00000001), ref: 001CB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001CA1E1,?,00000001), ref: 001CB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001CA1E1,?,00000001), ref: 001CB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001CA1E1,?,00000001), ref: 001CB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001CA1E1,?,00000001), ref: 001CB21D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 018e80ac1ec64029772d3886dd7f31f4fbc79793c88197b2a7ef01a0c06acac8
Instruction ID: a1738fe0f359851d1a7227370716053357fca24068ec68a739d908bc21985b86
Opcode Fuzzy Hash: 018e80ac1ec64029772d3886dd7f31f4fbc79793c88197b2a7ef01a0c06acac8
Instruction Fuzzy Hash: 0A315E75508208AFDB24DF64ED8AF7D7BA9BB61321F144019FA05D6290D7B4EE80DF60

Function 00192C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00192C94

Part of subcall function 001929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000), ref: 001929DE
Part of subcall function 001929C8: GetLastError.KERNEL32(00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000,00000000), ref: 001929F0

_free.LIBCMT ref: 00192CA0
_free.LIBCMT ref: 00192CAB
_free.LIBCMT ref: 00192CB6
_free.LIBCMT ref: 00192CC1
_free.LIBCMT ref: 00192CCC
_free.LIBCMT ref: 00192CD7
_free.LIBCMT ref: 00192CE2
_free.LIBCMT ref: 00192CED
_free.LIBCMT ref: 00192CFB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 26c1e981ac317ff9f927867aa9ec1b4f9720f7c674ae6255203732fdbaf1f76b
Instruction ID: cc5638cbe67f114a9bba9483c27adcaac4300c60343cae48aabbdd8ee1bcaf23
Opcode Fuzzy Hash: 26c1e981ac317ff9f927867aa9ec1b4f9720f7c674ae6255203732fdbaf1f76b
Instruction Fuzzy Hash: DF119076900118BFCF02EF94D882CDD3BA9FF15354F8144A5FA489B222DB31EA509B90

Function 00161410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00161459
OleUninitialize.OLE32(?,00000000), ref: 001614F8
UnregisterHotKey.USER32(?), ref: 001616DD
DestroyWindow.USER32(?), ref: 001A24B9
FreeLibrary.KERNEL32(?), ref: 001A251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 001A254B

Strings

close all, xrefs: 00161454

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: eb14d9d2b007dc2c3b75393ade21d34b721791b70d02d002239532e3725f3935
Instruction ID: 7658095f813072193c933849807624f8f706db6eb3bb86374ea70910255f4923
Opcode Fuzzy Hash: eb14d9d2b007dc2c3b75393ade21d34b721791b70d02d002239532e3725f3935
Instruction Fuzzy Hash: C8D1A135702212DFCB19EF19C999A69F7B4BF16700F19819DE84A6B251DB30EC22CF91

Function 001D7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001D7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 001D7FC1
GetFileAttributesW.KERNEL32(?), ref: 001D7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 001D8005
SetCurrentDirectoryW.KERNEL32(?), ref: 001D8017
SetCurrentDirectoryW.KERNEL32(?), ref: 001D8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001D80B0

Strings

*.*, xrefs: 001D8066

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 81b169b77a9032448290052511278871733c30d778ad6c6b4fe43632756bdd56
Instruction ID: 6c9d48732f140e609ca6570e4df74f06350996cb5d3f16630f913e7e9cec5615
Opcode Fuzzy Hash: 81b169b77a9032448290052511278871733c30d778ad6c6b4fe43632756bdd56
Instruction Fuzzy Hash: A7818D725082459BCB24EF58C844AAAB3E8BB99314F144C6FF885D7391EB34DD49CB92

Function 00165BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00165C7A

Part of subcall function 00165D0A: GetClientRect.USER32(?,?), ref: 00165D30
Part of subcall function 00165D0A: GetWindowRect.USER32(?,?), ref: 00165D71
Part of subcall function 00165D0A: ScreenToClient.USER32(?,?), ref: 00165D99

GetDC.USER32 ref: 001A46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001A4708
SelectObject.GDI32(00000000,00000000), ref: 001A4716
SelectObject.GDI32(00000000,00000000), ref: 001A472B
ReleaseDC.USER32(?,00000000), ref: 001A4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001A47C4

Strings

U, xrefs: 001A4693

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0997ada775162fd6a73df8f4e0e381cd6c110c67662a2f0e0c0c1087c1a6a67a
Instruction ID: 5717519e4d7b4f6cf8c89e3712b8ebbc13d7c84fefb39e63390cddb22ef345dd
Opcode Fuzzy Hash: 0997ada775162fd6a73df8f4e0e381cd6c110c67662a2f0e0c0c1087c1a6a67a
Instruction Fuzzy Hash: C6710F38400249DFCF25CFA4CD84ABA7BB6FF8B360F144269ED555A2A6C7B08891DF50

Function 001D359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001D35E4

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

LoadStringW.USER32(00232390,?,00000FFF,?), ref: 001D360A

Strings

^ ERROR, xrefs: 001D36C9
Error: , xrefs: 001D36EF
Line %d (File "%s"):, xrefs: 001D366B
"%s" (%d) : ==> %s:%s%s, xrefs: 001D3724
"%s" (%d) : ==> %s:, xrefs: 001D3742

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 635ce2d571018976edc74baf498cdfb0c2eab53407dd0f4d807e115c2f84e666
Instruction ID: 9e59704e626a99082436736236a3c35039274370f104d5f0257efd02a9b04eb5
Opcode Fuzzy Hash: 635ce2d571018976edc74baf498cdfb0c2eab53407dd0f4d807e115c2f84e666
Instruction Fuzzy Hash: 3C516F72800219BBDF14EBE0DD46EEEBB78AF24300F144165F115721A1EB316BA9DFA1

Function 001DC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001DC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001DC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001DC2CA
GetLastError.KERNEL32 ref: 001DC322
SetEvent.KERNEL32(?), ref: 001DC336
InternetCloseHandle.WININET(00000000), ref: 001DC341

Strings

, xrefs: 001DC2BB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: b4203a87c7e5c693c69236e36b54c712da4341ed96921f40c5983d95c8f1f758
Instruction ID: cd75ad091bfcca5e87a89d58e12b7e36e18846f9c1f7808712fce6fb606901b3
Opcode Fuzzy Hash: b4203a87c7e5c693c69236e36b54c712da4341ed96921f40c5983d95c8f1f758
Instruction Fuzzy Hash: 79316DB1500209BFD7219FA58988ABB7BFCFB59744B148A1EF44692700DB34DD44DBA0

Function 001C989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,001A3AAF,?,?,Bad directive syntax error,001FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001C98BC
LoadStringW.USER32(00000000,?,001A3AAF,?), ref: 001C98C3

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001C9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 001C98F1
Error: , xrefs: 001C9955
Line %d (File "%s"):, xrefs: 001C992D
Line %d:, xrefs: 001C9912
., xrefs: 001C996D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 328adceb8df8865d71ef86d3e25e7d14e57767ace5be5f634c8e8e43a6b592ff
Instruction ID: a65b53f6b3c324021eeb67d68c7cc0734d0e9caddce27adc0ef508b30dc427be
Opcode Fuzzy Hash: 328adceb8df8865d71ef86d3e25e7d14e57767ace5be5f634c8e8e43a6b592ff
Instruction Fuzzy Hash: 5221603280021EBBCF15AF90DC0AEFE7779BF29704F044459F519660A2EB719668DB51

Function 001C209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001C20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001C20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001C214D

Strings

details, xrefs: 001C20FB
list, xrefs: 001C212F
largeicons, xrefs: 001C20E1
smallicons, xrefs: 001C2115
SHELLDLL_DefView, xrefs: 001C20CC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a9dd73dd2595f12a7df40c0b9162c1ec44fe176b06a546f458e4475c1abc14cb
Instruction ID: b1ab7542cddd9fa93ee285cf8202467c850ea51f8a4e351daa0a761ccf989a59
Opcode Fuzzy Hash: a9dd73dd2595f12a7df40c0b9162c1ec44fe176b06a546f458e4475c1abc14cb
Instruction Fuzzy Hash: 90113A76688327BBF6057220EC06EF6339CCF25324B20402AF705A90D1EF71D8515A14

Function 00198D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fac1b6d22a06fe2bb23c82f90ce1e27b0278a644dd0933874ec7ed36eb28c69
Instruction ID: c1309027279e3b5d231761a21205b7f87165e66db4079a041c7c399a7d873c21
Opcode Fuzzy Hash: 7fac1b6d22a06fe2bb23c82f90ce1e27b0278a644dd0933874ec7ed36eb28c69
Instruction Fuzzy Hash: E0C1E174D04249AFDF11EFACD845BADBBB5BF1A310F084199F429A7392DB309A41CB61

Function 0019CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0019CEB7
_free.LIBCMT ref: 0019CF22
_free.LIBCMT ref: 0019CF48
_free.LIBCMT ref: 0019CF71
_free.LIBCMT ref: 0019CFA9
_free.LIBCMT ref: 0019CFDA
_free.LIBCMT ref: 0019D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0019D09C
_free.LIBCMT ref: 0019D0B5

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: ed8cc042c8241e623643a78d3ac2b9597d4ad5cd25bdd9c9af9d0753e619c0b7
Instruction ID: a844092fad5ccd820392460100f26f7bfe372f51cd732bae72ccfde24a13bef0
Opcode Fuzzy Hash: ed8cc042c8241e623643a78d3ac2b9597d4ad5cd25bdd9c9af9d0753e619c0b7
Instruction Fuzzy Hash: 5C618571E04314AFDF21AFB4A895A7E7BE6EF16760F04016DF885A7282E7319D0187E0

Function 00178B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 001B6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001B68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001B68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001B68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001B68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00178874,00000000,00000000,00000000,000000FF,00000000), ref: 001B6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 001B691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00178874,00000000,00000000,00000000,000000FF,00000000), ref: 001B692D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: ec93147f38a2ea00470c1a79ce9965931d5a93aba7d29f8896e10437bfc72ca6
Instruction ID: 98568388947c75abb601c60562a365303212879668c1d5db0294e8729fd7aff9
Opcode Fuzzy Hash: ec93147f38a2ea00470c1a79ce9965931d5a93aba7d29f8896e10437bfc72ca6
Instruction Fuzzy Hash: AE519A70640309EFDB24CF25CC59FAA7BB5FB68760F108528F90A972A0DB74E990DB50

Function 001DC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001DC182
GetLastError.KERNEL32 ref: 001DC195
SetEvent.KERNEL32(?), ref: 001DC1A9

Part of subcall function 001DC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001DC272
Part of subcall function 001DC253: GetLastError.KERNEL32 ref: 001DC322
Part of subcall function 001DC253: SetEvent.KERNEL32(?), ref: 001DC336
Part of subcall function 001DC253: InternetCloseHandle.WININET(00000000), ref: 001DC341

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: d340a73b768118d2e1a2c7f4d6583a3c3036f3738ed0769988d7f1d3b71bd177
Instruction ID: 74aeba8ad69bf1f4c17df0d4db6ce3dabfa80eb5176210756b1a72b2347a79a6
Opcode Fuzzy Hash: d340a73b768118d2e1a2c7f4d6583a3c3036f3738ed0769988d7f1d3b71bd177
Instruction Fuzzy Hash: 2F316B71600606EFDB219FA5DD44A76BBF9FF68300B14492EF95682B10D731E854EBE0

Function 001C25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001C3A57
Part of subcall function 001C3A3D: GetCurrentThreadId.KERNEL32 ref: 001C3A5E
Part of subcall function 001C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001C25B3), ref: 001C3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001C25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001C25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001C25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001C25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001C2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001C2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001C260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001C2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001C2627

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 8bea4dc469ee140e2d76b178a82e3f5c40cfce348c3def33c9e077afa32cafd6
Instruction ID: 85737de8a65da8d3a8fbc9a872ec82da529b3ea3d2c30ee618cbc5875f4d2f8e
Opcode Fuzzy Hash: 8bea4dc469ee140e2d76b178a82e3f5c40cfce348c3def33c9e077afa32cafd6
Instruction Fuzzy Hash: 0C01D830394214BBFB1067689C8AFA93F59DF5EB11F100005F314EF1D1C9F19494DAA9

Function 001C1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001C1449,?,?,00000000), ref: 001C180C
HeapAlloc.KERNEL32(00000000,?,001C1449,?,?,00000000), ref: 001C1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001C1449,?,?,00000000), ref: 001C1828
GetCurrentProcess.KERNEL32(?,00000000,?,001C1449,?,?,00000000), ref: 001C1830
DuplicateHandle.KERNEL32(00000000,?,001C1449,?,?,00000000), ref: 001C1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001C1449,?,?,00000000), ref: 001C1843
GetCurrentProcess.KERNEL32(001C1449,00000000,?,001C1449,?,?,00000000), ref: 001C184B
DuplicateHandle.KERNEL32(00000000,?,001C1449,?,?,00000000), ref: 001C184E
CreateThread.KERNEL32(00000000,00000000,001C1874,00000000,00000000,00000000), ref: 001C1868

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8282756e1bae04ce745e6a92ba14b19d03bb07ae48808df15a8989d931fed4f3
Instruction ID: ac1a28fa0c9788dadbabb24fac850bd8366c51f5b6f66fc3f11ed7f9149dd440
Opcode Fuzzy Hash: 8282756e1bae04ce745e6a92ba14b19d03bb07ae48808df15a8989d931fed4f3
Instruction Fuzzy Hash: 2801BBB5244308FFE710ABA5DD4DF6B3BACEB89B11F004411FA05DB5A2CA709860EB60

Function 001EA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001CD501
Part of subcall function 001CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001CD50F
Part of subcall function 001CD4DC: CloseHandle.KERNEL32(00000000), ref: 001CD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001EA16D
GetLastError.KERNEL32 ref: 001EA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001EA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001EA268
GetLastError.KERNEL32(00000000), ref: 001EA273
CloseHandle.KERNEL32(00000000), ref: 001EA2C4

Strings

SeDebugPrivilege, xrefs: 001EA18F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f422c00abb927d90a3277cfcd1c4b5c53f044601c4d0186f29d25998a2807fcc
Instruction ID: 2ddcd20fe8b6abd206e739574c20b84fd993ddb967b4fdd1ff8d41958f061762
Opcode Fuzzy Hash: f422c00abb927d90a3277cfcd1c4b5c53f044601c4d0186f29d25998a2807fcc
Instruction Fuzzy Hash: 05619F302086829FD714DF19C894F29BBE1AF54318F59849CE5568BBA3C772FC45CB92

Function 001F3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001F3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001F393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001F3954
_wcslen.LIBCMT ref: 001F3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001F39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001F39F4

Strings

SysListView32, xrefs: 001F38F7

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 03bbc752c82d77809e1fbba16a874b0df6310e5b95ce3157b23fee40670bf365
Instruction ID: 3ab51cf65aa54dfddc66b9ff5776f19e97987e43fe8d75f112a2292425f0772a
Opcode Fuzzy Hash: 03bbc752c82d77809e1fbba16a874b0df6310e5b95ce3157b23fee40670bf365
Instruction Fuzzy Hash: EF41C471A0021DABEF219F64CC49BFA77A9FF08354F100526FA58E7281D7B19E90CB90

Function 001CBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001CBCFD
IsMenu.USER32(00000000), ref: 001CBD1D
CreatePopupMenu.USER32 ref: 001CBD53
GetMenuItemCount.USER32(00E584A0), ref: 001CBDA4
InsertMenuItemW.USER32(00E584A0,?,00000001,00000030), ref: 001CBDCC

Strings

0, xrefs: 001CBCA8
2, xrefs: 001CBD37

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: e8b7fd8e3aec8923e6392b26b03cd5265c74e3166b63d59f162c010f0648811f
Instruction ID: 6927a4bbeab35dbaa69e5a6d4acaef40163ee2e1b95601eba8f67e62618e9bd1
Opcode Fuzzy Hash: e8b7fd8e3aec8923e6392b26b03cd5265c74e3166b63d59f162c010f0648811f
Instruction Fuzzy Hash: 6E517970A082099BDB10DFA8D9C6FBEBBE8AF65318F14425DE406E7290D770D945CBA1

Function 001CC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001CC913

Strings

stop, xrefs: 001CC8E4
warning, xrefs: 001CC8FC
info, xrefs: 001CC8B4
blank, xrefs: 001CC895
question, xrefs: 001CC8CC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 4da64c9381b6ec9e2bd076498710dab4d5476e3a4af2a79627439bc5a1e14f66
Instruction ID: c85b60ace30cf9b4c2271eace1b0cd44cc101688337fcfe75d1e71f99a452a18
Opcode Fuzzy Hash: 4da64c9381b6ec9e2bd076498710dab4d5476e3a4af2a79627439bc5a1e14f66
Instruction Fuzzy Hash: 77112E32689317BAA704AB54AC83EAB679CDF35758B10002EF504A6181D770DE0057E4

Function 001CDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001CDE42
gethostname.WSOCK32(?,00000100), ref: 001CDE5C
gethostbyname.WSOCK32(?), ref: 001CDE69
inet_ntoa.WSOCK32(?), ref: 001CDEAB
_strcat.LIBCMT ref: 001CDEB9
WSACleanup.WSOCK32 ref: 001CDEDE

Strings

0.0.0.0, xrefs: 001CDE87

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 4fc88962fe10e519ffed41500fa21e83947dd2e2c9f4836c52c1db57bf097f99
Instruction ID: 2f73c035b2165cf38bad751ce76abc0dd70d4a1c48bf6d180486eaea24de40e7
Opcode Fuzzy Hash: 4fc88962fe10e519ffed41500fa21e83947dd2e2c9f4836c52c1db57bf097f99
Instruction Fuzzy Hash: F411E432904119ABDB24BB64EC0AEEE77ACDB25710F0101BEF50996091EF71CA85DB91

Function 001CED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001CED2A
_wcslen.LIBCMT ref: 001CED3B
_wcslen.LIBCMT ref: 001CED79
_wcslen.LIBCMT ref: 001CEDAF
_wcslen.LIBCMT ref: 001CEDDF
_wcslen.LIBCMT ref: 001CEDEF
_wcslen.LIBCMT ref: 001CEE2B
_wcslen.LIBCMT ref: 001CEE5A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4dcf120abe4c7c1a03818afdb7b05d96cb31b29e7ad107837e15f4ebea479192
Instruction ID: 4233b823df1fdadb443b904b931e5b30d5fd1f248b6a39a43cd1613dd23d9046
Opcode Fuzzy Hash: 4dcf120abe4c7c1a03818afdb7b05d96cb31b29e7ad107837e15f4ebea479192
Instruction Fuzzy Hash: BD41B265C1021876CB21FBF4888AEDFB7A9AF65310F508466E518E3162FB34E345C7A5

Function 0017F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001B682C,00000004,00000000,00000000), ref: 0017F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,001B682C,00000004,00000000,00000000), ref: 001BF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,001B682C,00000004,00000000,00000000), ref: 001BF454

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 1e6087b7789d3c22ded02969ee6ccfc25060e8cfef6843ad37f11ce12a8e3b39
Instruction ID: 25eb1e461583115722a12ae762a3bebe427e016158ca37005add4de07bb93321
Opcode Fuzzy Hash: 1e6087b7789d3c22ded02969ee6ccfc25060e8cfef6843ad37f11ce12a8e3b39
Instruction Fuzzy Hash: 4F410731608680BAC7399B2D8D887BB7BB2AB56318F15C53CF28F56560D731A883DB51

Function 001F2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001F2D1B
GetDC.USER32(00000000), ref: 001F2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001F2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001F2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001F2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001F2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001F5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001F2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001F2DE1

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 1b5c8d6689e7e3a35eb8a2ffe33e0e77c6fd1a444950ae6e73fc0bfd3f1b5b5a
Instruction ID: 86efd425c2ba61eb1b067cf20f183a751ebb604fcf13fe38f4cb862dc341809c
Opcode Fuzzy Hash: 1b5c8d6689e7e3a35eb8a2ffe33e0e77c6fd1a444950ae6e73fc0bfd3f1b5b5a
Instruction Fuzzy Hash: BC316976201618BBEB218F50CD8AFFB3BA9EF09725F044055FE08DA291C6759C91CBA4

Function 001C5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001C5637
_memcmp.LIBVCRUNTIME ref: 001C5659
_memcmp.LIBVCRUNTIME ref: 001C5671
_memcmp.LIBVCRUNTIME ref: 001C5684
_memcmp.LIBVCRUNTIME ref: 001C569E
_memcmp.LIBVCRUNTIME ref: 001C56B1
_memcmp.LIBVCRUNTIME ref: 001C56C9
_memcmp.LIBVCRUNTIME ref: 001C56E4

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f132be3a150a0666a7a3ca9a3b1a81d547a0636d97c543166c40c43ca5e29f00
Instruction ID: a10a56cee9209b11472b14ad2fd669681fc3313f8c177dc4cf0ab4e7443ae16d
Opcode Fuzzy Hash: f132be3a150a0666a7a3ca9a3b1a81d547a0636d97c543166c40c43ca5e29f00
Instruction Fuzzy Hash: EB21A762640A2977D718A5208D82FFA335FBF71394F44002CFE059A581F761FE9286A9

Function 001E4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 001E502E, 001E5383
Not an Object type, xrefs: 001E5007

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bad8d8957098187af872c685802ded660aeeced28807250e336bff45462476fb
Instruction ID: c66de928661e8723825f1050bcaabdb37232c5b9d339b7612d54db409eb04299
Opcode Fuzzy Hash: bad8d8957098187af872c685802ded660aeeced28807250e336bff45462476fb
Instruction Fuzzy Hash: 53D1D475A00A4A9FDF14CF99C880FAEB7B6BF48348F148069F915AB281D770DD41CBA0

Function 001A1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001A17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001A15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001A1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001A17FB,?,001A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001A16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001A16FB

Part of subcall function 00193820: RtlAllocateHeap.NTDLL(00000000,?,00231444,?,0017FDF5,?,?,0016A976,00000010,00231440,001613FC,?,001613C6,?,00161129), ref: 00193852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001A1777
__freea.LIBCMT ref: 001A17A2
__freea.LIBCMT ref: 001A17AE

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2d67fbbae2f2b16e485c1fadef67d15ec7cdba7230dcf4ec20ad82e7196d435f
Instruction ID: 3b0aabe59249da1b1bd40740dfcbe459ca519450fca7ffb70bccbebf385de16e
Opcode Fuzzy Hash: 2d67fbbae2f2b16e485c1fadef67d15ec7cdba7230dcf4ec20ad82e7196d435f
Instruction Fuzzy Hash: B691D47AE00216BADF248EB4C981EFE7BB5AF4B310F194659E906E7181D735DD40CBA0

Function 001E4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001E4648
VariantInit.OLEAUT32(?), ref: 001E4749
VariantClear.OLEAUT32(?), ref: 001E4753
VariantClear.OLEAUT32(?), ref: 001E47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 001E472C
Null Object assignment in FOR..IN loop, xrefs: 001E45D8, 001E4706, 001E47BE

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 9e4e93673e213320ab44c9d7a907527944b80c0d7e2e0ff93de3c2e5e22ebb58
Instruction ID: 093c51cdb4236a57fca181466cba99b51c1e8518c414c44bbbac5126063d7663
Opcode Fuzzy Hash: 9e4e93673e213320ab44c9d7a907527944b80c0d7e2e0ff93de3c2e5e22ebb58
Instruction Fuzzy Hash: B8919171E00659ABDF24CFA6DC44FAEBBB8EF4A710F108559F505AB280D7709941CFA0

Function 001D1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001D125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001D1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001D12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001D12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001D135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001D13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001D1430

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 08699d5173035b1b8eb5ce49115c999ee7fb923736ea07cb75e0faea4706cd02
Instruction ID: 92bb0268de2331980908613ecae8c291453b9787fc1dce7b178b8a3e28d71c6f
Opcode Fuzzy Hash: 08699d5173035b1b8eb5ce49115c999ee7fb923736ea07cb75e0faea4706cd02
Instruction Fuzzy Hash: 7391C072A00219BFDB01DFA8C884BBEB7B5FF55325F21442AE900EB391D775A941CB90

Function 0017948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2e4a0c86ec286ee2483145f237aa3141903d814941d97bd54185d5ada817ab42
Instruction ID: d980a7b7b39250e24ac32a2a12f02b385c9fbb4aa2c1cb156438d206419aa162
Opcode Fuzzy Hash: 2e4a0c86ec286ee2483145f237aa3141903d814941d97bd54185d5ada817ab42
Instruction Fuzzy Hash: 6B913971D00219EFCB14CFA9CD84AEEBBB8FF49320F148156E515B7291D774A946CBA0

Function 001E3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001E396B
CharUpperBuffW.USER32(?,?), ref: 001E3A7A
_wcslen.LIBCMT ref: 001E3A8A
VariantClear.OLEAUT32(?), ref: 001E3C1F

Part of subcall function 001D0CDF: VariantInit.OLEAUT32(00000000), ref: 001D0D1F
Part of subcall function 001D0CDF: VariantCopy.OLEAUT32(?,?), ref: 001D0D28
Part of subcall function 001D0CDF: VariantClear.OLEAUT32(?), ref: 001D0D34

Strings

Incorrect Parameter format, xrefs: 001E39A6, 001E3BA1
AUTOIT.ERROR, xrefs: 001E3A80, 001E3A85

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 801d6c7a21aa7a95dc4646fecef801058dc2d4481635ce3559a2a7599678b1b8
Instruction ID: 8b4f693d4a1aa32e9472fa2912c0222a6ad67fd4c0a9da80d6e64523d0c48f2b
Opcode Fuzzy Hash: 801d6c7a21aa7a95dc4646fecef801058dc2d4481635ce3559a2a7599678b1b8
Instruction Fuzzy Hash: 5D9164746087459FC704EF29C48496EB7E4BF98314F14886EF89A9B351DB30EE46CB92

Function 001E4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001C000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001BFF41,80070057,?,?,?,001C035E), ref: 001C002B
Part of subcall function 001C000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001BFF41,80070057,?,?), ref: 001C0046
Part of subcall function 001C000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001BFF41,80070057,?,?), ref: 001C0054
Part of subcall function 001C000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001BFF41,80070057,?), ref: 001C0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001E4C51
_wcslen.LIBCMT ref: 001E4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001E4DCF
CoTaskMemFree.OLE32(?), ref: 001E4DDA

Strings

NULL Pointer assignment, xrefs: 001E4E23, 001E4E52

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: d91b280ed4c0a8f06aa893c0d168b5f2ae15828ef01eadbf23e17daac82f3728
Instruction ID: 9d575f7416cac9ebd595c45d55e463d1a5d45d89a3e0193a38bf222969a0306d
Opcode Fuzzy Hash: d91b280ed4c0a8f06aa893c0d168b5f2ae15828ef01eadbf23e17daac82f3728
Instruction Fuzzy Hash: C4911371D0021DABDF14DFA5DC81AEEB7B8BF18304F10816AE915AB241EB349A54CFA0

Function 0016BBE0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0016BEB3

Strings

HZ, xrefs: 0016BE9A
D%#, xrefs: 0016BDED, 0016BD91, 0016BD1B
D%#, xrefs: 0016BCA2
?, xrefs: 0016BBE6
D%#D%#, xrefs: 0016BCA5

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%#$D%#$D%#D%#$HZ$?
API String ID: 1385522511-1108709824
Opcode ID: 2866dce9e383f72a5b1de3c8becac6a4069da20f847c0b18a5d54b38e9bab73d
Instruction ID: 97336df507ad131991ac6221da2319790bc1c0a5b0f468d58ff6ac940e514057
Opcode Fuzzy Hash: 2866dce9e383f72a5b1de3c8becac6a4069da20f847c0b18a5d54b38e9bab73d
Instruction Fuzzy Hash: 97913A75A0420ACFCB18CF98C8D06A9B7F1FF58314F658169D945EB351E731EAA1CB90

Function 001F20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001F2183
GetMenuItemCount.USER32(00000000), ref: 001F21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001F21DD
_wcslen.LIBCMT ref: 001F2213
GetMenuItemID.USER32(?,?), ref: 001F224D
GetSubMenu.USER32(?,?), ref: 001F225B

Part of subcall function 001C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001C3A57
Part of subcall function 001C3A3D: GetCurrentThreadId.KERNEL32 ref: 001C3A5E
Part of subcall function 001C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001C25B3), ref: 001C3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001F22E3

Part of subcall function 001CE97B: Sleep.KERNELBASE ref: 001CE9F3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 2e6239f04f0a5f13ba19e831c8130ddd1665fc34849de97cbb6ec46639088a03
Instruction ID: c5248f3b8a6a8483d9614af1e26a81ce9d1c958e8372041b4298fab008961963
Opcode Fuzzy Hash: 2e6239f04f0a5f13ba19e831c8130ddd1665fc34849de97cbb6ec46639088a03
Instruction Fuzzy Hash: D6718F75A00209AFCB14DFA8C845ABEB7F1EF58310F158499E916EB351DB34EE41CB90

Function 001F7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00E585E0), ref: 001F7F37
IsWindowEnabled.USER32(00E585E0), ref: 001F7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 001F801E
SendMessageW.USER32(00E585E0,000000B0,?,?), ref: 001F8051
IsDlgButtonChecked.USER32(?,?), ref: 001F8089
GetWindowLongW.USER32(00E585E0,000000EC), ref: 001F80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001F80C3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 8e1773a3c953fdbe2e6d89408ee22ff968087198508f172c22270162d88de160
Instruction ID: cd405e0dd07ff785e679059393aad8b6238f68e84f73832a24ee13dd5f1caacf
Opcode Fuzzy Hash: 8e1773a3c953fdbe2e6d89408ee22ff968087198508f172c22270162d88de160
Instruction Fuzzy Hash: 2D71AD3460820CAFEB259F64DC84FFABBB9EF19300F144459FA65972A1CB31AC55DB60

Function 001CAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001CAEF9
GetKeyboardState.USER32(?), ref: 001CAF0E
SetKeyboardState.USER32(?), ref: 001CAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001CAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001CAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001CAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001CB020

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3ba66b778746aa25b32c929a11df47e2f9bcab2a57c9668ea2f8caa0157c83f4
Instruction ID: ecce879fbc86cf28cf4cc53d1e7062fdf00839f65affed3ed01a45ea581fb71a
Opcode Fuzzy Hash: 3ba66b778746aa25b32c929a11df47e2f9bcab2a57c9668ea2f8caa0157c83f4
Instruction Fuzzy Hash: DC51A1A06086D93DFB3752348846FBE7EA95F16308F08858DF1D9958C2C3A9ECD4D792

Function 001CACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001CAD19
GetKeyboardState.USER32(?), ref: 001CAD2E
SetKeyboardState.USER32(?), ref: 001CAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001CADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001CADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001CAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001CAE38

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 00d4ee2e516f5c707158440794a3c0f58d8f5d44e60bfd0261ad03cfb1fc2622
Instruction ID: f47aa1aa918abb98f600b271bdfd439405e928f731f34293785c30ac4adb2051
Opcode Fuzzy Hash: 00d4ee2e516f5c707158440794a3c0f58d8f5d44e60bfd0261ad03cfb1fc2622
Instruction Fuzzy Hash: FE51C4A15487D93DFB3782648C95FBA7FA85F55308F48848CE1D6868C3D394EC84E792

Function 0019542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(001A3CD6,?,?,?,?,?,?,?,?,00195BA3,?,?,001A3CD6,?,?), ref: 00195470
__fassign.LIBCMT ref: 001954EB
__fassign.LIBCMT ref: 00195506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,001A3CD6,00000005,00000000,00000000), ref: 0019552C
WriteFile.KERNEL32(?,001A3CD6,00000000,00195BA3,00000000,?,?,?,?,?,?,?,?,?,00195BA3,?), ref: 0019554B
WriteFile.KERNEL32(?,?,00000001,00195BA3,00000000,?,?,?,?,?,?,?,?,?,00195BA3,?), ref: 00195584

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d155647f22950776343435f608edaaa1f71f01b47e93bfbe19dfbb8750e6dd20
Instruction ID: 2aa0697fe8578e2dabeef7779ab9a06d3f978c8af327a1ea201641292eb2a9cf
Opcode Fuzzy Hash: d155647f22950776343435f608edaaa1f71f01b47e93bfbe19dfbb8750e6dd20
Instruction Fuzzy Hash: C551A171E006499FDF11CFA8D895AEEBBFAEF09300F15411AE555F7292E7309A41CBA0

Function 00182D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00182D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00182D53
_ValidateLocalCookies.LIBCMT ref: 00182DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00182E0C
_ValidateLocalCookies.LIBCMT ref: 00182E61

Strings

csm, xrefs: 00182DF6

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4009408b6b5ccd6d858cdf90ff7368c1df27892fd71c898936edf98fcaf26533
Instruction ID: 46d0954bc2dc48143e6d085d3e7b138652e6069c10711af30df4184b366d3025
Opcode Fuzzy Hash: 4009408b6b5ccd6d858cdf90ff7368c1df27892fd71c898936edf98fcaf26533
Instruction Fuzzy Hash: 4C41B434E00209ABCF15EFA8C885A9EBFB5BF45324F148255E8156B3A2D771AB15CFD0

Function 001E10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001E304E: inet_addr.WSOCK32(?), ref: 001E307A
Part of subcall function 001E304E: _wcslen.LIBCMT ref: 001E309B

socket.WSOCK32(00000002,00000001,00000006), ref: 001E1112
WSAGetLastError.WSOCK32 ref: 001E1121
WSAGetLastError.WSOCK32 ref: 001E11C9
closesocket.WSOCK32(00000000), ref: 001E11F9

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 462310027b5b0ec76068ebdbd985259831702fe8b7442163031ae2633f286133
Instruction ID: 9c64a70d784a6f4f566d1a15d8820980de094e9a62fa2e7e16e87bd862f9478f
Opcode Fuzzy Hash: 462310027b5b0ec76068ebdbd985259831702fe8b7442163031ae2633f286133
Instruction Fuzzy Hash: E641F031600A48AFDB149F65CC84BAEBBEAFF45364F148159FD169B291C770AD81CBE0

Function 001CCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001CCF22,?), ref: 001CDDFD

Part of subcall function 001CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001CCF22,?), ref: 001CDE16

lstrcmpiW.KERNEL32(?,?), ref: 001CCF45
MoveFileW.KERNEL32(?,?), ref: 001CCF7F
_wcslen.LIBCMT ref: 001CD005
_wcslen.LIBCMT ref: 001CD01B
SHFileOperationW.SHELL32(?), ref: 001CD061

Strings

\*.*, xrefs: 001CCFF3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 51ec61091c64376a364c96ff97d49556a2c3d50370043c8df1bf49d5f71303b5
Instruction ID: bcd56e51b915cffa1af8116f905740af28cbd3f906bfbe1a62128d8931941264
Opcode Fuzzy Hash: 51ec61091c64376a364c96ff97d49556a2c3d50370043c8df1bf49d5f71303b5
Instruction Fuzzy Hash: 2B4136719452195FDF12EBA4D981FEE77B9AF28340F1000EAE509EB141EB34EB89CB50

Function 001F2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001F2E1C
GetWindowLongW.USER32(?,000000F0), ref: 001F2E4F
GetWindowLongW.USER32(?,000000F0), ref: 001F2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001F2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001F2EE0
GetWindowLongW.USER32(?,000000F0), ref: 001F2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001F2F0B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 504a9f5a27bac3982a86d944a7d28b1b91e3466e5eec9c6aee913d23844b32ba
Instruction ID: 1a59ed289ba5e6da369893833071aa64270f233288c72f99e15afd9eb5494040
Opcode Fuzzy Hash: 504a9f5a27bac3982a86d944a7d28b1b91e3466e5eec9c6aee913d23844b32ba
Instruction Fuzzy Hash: FC31F4306541589FDB218F58DD88FA537E1EB5A720F250164FA05CF2B2CB71A890EB41

Function 001C7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001C7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001C778F
SysAllocString.OLEAUT32(00000000), ref: 001C7792
SysAllocString.OLEAUT32(?), ref: 001C77B0
SysFreeString.OLEAUT32(?), ref: 001C77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001C77DE
SysAllocString.OLEAUT32(?), ref: 001C77EC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b2181dd92aa75d674b302b58aa2e005ac1667c28d28c08bbf1644bddca224790
Instruction ID: 0db638ea1bdd00958616d7acb5b8f8c381eca725fec51256fa94c0fb019fe67a
Opcode Fuzzy Hash: b2181dd92aa75d674b302b58aa2e005ac1667c28d28c08bbf1644bddca224790
Instruction Fuzzy Hash: A221B27660821DAFDB10DFA8CC88DBB73ACEB193647008029F914DB190D7B0DC85DBA4

Function 001C77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001C7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001C7868
SysAllocString.OLEAUT32(00000000), ref: 001C786B
SysAllocString.OLEAUT32 ref: 001C788C
SysFreeString.OLEAUT32 ref: 001C7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001C78AF
SysAllocString.OLEAUT32(?), ref: 001C78BD

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2fa87482f6444899b02ac10541bdb16214b6506b08060728e6d2d00132e3d093
Instruction ID: cdfb42a0bcb9e0cd8e8f3316702b3f587772f5140e93a955b5ffe30d2439caf7
Opcode Fuzzy Hash: 2fa87482f6444899b02ac10541bdb16214b6506b08060728e6d2d00132e3d093
Instruction Fuzzy Hash: 0C217771608108AFDB109FA8DC89EBA77ECEB197607108129FA15CB1E1D7B0DC41DB64

Function 001D04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001D04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001D052E

Strings

nul, xrefs: 001D0567

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ede60121a7c07aae861d59c56d14591473de8f3911d967319483448762f4e480
Instruction ID: 8504cbd27e9e2b3a75ce5b630905bda994e53bc5e5064497d5ca572dae0fbeee
Opcode Fuzzy Hash: ede60121a7c07aae861d59c56d14591473de8f3911d967319483448762f4e480
Instruction Fuzzy Hash: BE217C75900309EFDF219F29E804BAA77A4BF49724F204A1AECA1D72E0D7709990DF60

Function 001D05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001D05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001D0601

Strings

nul, xrefs: 001D0639

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f53c78add79b3d86f36f1b8bb2700748befb9f57c7ed53846c49c2e031e59502
Instruction ID: a897e7be35afc623d46a8f18b32004dcb8fccfd09891961ddec123ae611b10a7
Opcode Fuzzy Hash: f53c78add79b3d86f36f1b8bb2700748befb9f57c7ed53846c49c2e031e59502
Instruction Fuzzy Hash: F6214175500305ABDF219F799C44BAA77A4BF99720F200A1AE8A1E73E0D770D960DB50

Function 001F40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0016600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0016604C
Part of subcall function 0016600E: GetStockObject.GDI32(00000011), ref: 00166060
Part of subcall function 0016600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0016606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001F4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001F411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001F412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001F4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001F4145

Strings

Msctls_Progress32, xrefs: 001F40E3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3562adaf2ec3c6c377923bb6b9b5d25ef73ec43ccac5bcd7b7063bd038348ee9
Instruction ID: 11d60188466fec567464c6ef754ce20ed3c55db7b09daf4901b4ab938d80e9cc
Opcode Fuzzy Hash: 3562adaf2ec3c6c377923bb6b9b5d25ef73ec43ccac5bcd7b7063bd038348ee9
Instruction Fuzzy Hash: 291190B215021DBEEF118E64CC85EF77F5DEF187A8F014110BB18A2150CB729C61DBA4

Function 0019D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0019D7A3: _free.LIBCMT ref: 0019D7CC

_free.LIBCMT ref: 0019D82D

Part of subcall function 001929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000), ref: 001929DE
Part of subcall function 001929C8: GetLastError.KERNEL32(00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000,00000000), ref: 001929F0

_free.LIBCMT ref: 0019D838
_free.LIBCMT ref: 0019D843
_free.LIBCMT ref: 0019D897
_free.LIBCMT ref: 0019D8A2
_free.LIBCMT ref: 0019D8AD
_free.LIBCMT ref: 0019D8B8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 1cc6f46ee159cf7ffb6362a8c8a8fae77f3890995adbacb3887ba280774083f1
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 65112671940B14BADE21BFF0DC46FCB7B9CAF20704F400825F29DA6092DB75A50586A2

Function 001CDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001CDA74
LoadStringW.USER32(00000000), ref: 001CDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001CDA91
LoadStringW.USER32(00000000), ref: 001CDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001CDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001CDAB9

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 0923a7d3b63271dea7519235f6ce8abb645ba709c5ef835410d1c52db3cfe40e
Instruction ID: 99a8f008e7fad92b4cf097d161fc470244db3f21c3117d15a785849fc169d65a
Opcode Fuzzy Hash: 0923a7d3b63271dea7519235f6ce8abb645ba709c5ef835410d1c52db3cfe40e
Instruction Fuzzy Hash: 670162F650420CBFE710ABA0DE89EF7726CE708701F4005A5B746E2041E6749E849FB5

Function 001D096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E4D1A0,00E4D1A0), ref: 001D097B
EnterCriticalSection.KERNEL32(00E4D180,00000000), ref: 001D098D
TerminateThread.KERNEL32(?,000001F6), ref: 001D099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001D09A9
CloseHandle.KERNEL32(?), ref: 001D09B8
InterlockedExchange.KERNEL32(00E4D1A0,000001F6), ref: 001D09C8
LeaveCriticalSection.KERNEL32(00E4D180), ref: 001D09CF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 1b82576f6fd69a4af8f89dfa693634fd800842af20772f2b373beb844a130c5e
Instruction ID: 4ae93c764b466e6de71da0cff67dc57e3d9e5576fd01729864989156282e5711
Opcode Fuzzy Hash: 1b82576f6fd69a4af8f89dfa693634fd800842af20772f2b373beb844a130c5e
Instruction Fuzzy Hash: 07F01D71442506ABD7465B94EF88BE67A25FF05702F401016F10190CA0C77494A5EFD0

Function 001E1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 001E1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001E1DE1
WSAGetLastError.WSOCK32 ref: 001E1DF2
htons.WSOCK32(?), ref: 001E1EDB
inet_ntoa.WSOCK32(?), ref: 001E1E8C

Part of subcall function 001C39E8: _strlen.LIBCMT ref: 001C39F2

Part of subcall function 001E3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001DEC0C), ref: 001E3240

_strlen.LIBCMT ref: 001E1F35

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 03952b082b113a4d12239dfe8c0d69c39b9dc8bf3717b7d66483354a93882d63
Instruction ID: dd5e946f81b2b79fae2b959330b693629b1471806806209e718ec34d6269d08a
Opcode Fuzzy Hash: 03952b082b113a4d12239dfe8c0d69c39b9dc8bf3717b7d66483354a93882d63
Instruction Fuzzy Hash: 6FB1D031204780AFC324DF65C895E2E7BE5AF94318F54894CF45A9B2E2DB31ED86CB91

Function 00165D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00165D30
GetWindowRect.USER32(?,?), ref: 00165D71
ScreenToClient.USER32(?,?), ref: 00165D99
GetClientRect.USER32(?,?), ref: 00165ED7
GetWindowRect.USER32(?,?), ref: 00165EF8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: a794ba1bf8039b42faad1d0ed443cac560dde16425aed042e9240666460402a7
Instruction ID: 16b6d13063578b7885b967b475be774bf4844400627842a5da8989f25088202d
Opcode Fuzzy Hash: a794ba1bf8039b42faad1d0ed443cac560dde16425aed042e9240666460402a7
Instruction Fuzzy Hash: 58B17C39A0074ADBDB14CFA9C8407EEB7F2FF58310F14851AE8A9D7250D734AA61DB50

Function 001901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001900D6
__allrem.LIBCMT ref: 001900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0019010B
__allrem.LIBCMT ref: 00190122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00190140

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 52410e089f0aa277db6975275693da687c49b30cbbae22aeb4dceb2e6102f3fe
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 81812876A00706AFEB25AF78CC81B6B73E9AF55764F24413EF511D7281E770DA018B90

Function 001961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001882D9,001882D9,?,?,?,0019644F,00000001,00000001,8BE85006), ref: 00196258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0019644F,00000001,00000001,8BE85006,?,?,?), ref: 001962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001963D8
__freea.LIBCMT ref: 001963E5

Part of subcall function 00193820: RtlAllocateHeap.NTDLL(00000000,?,00231444,?,0017FDF5,?,?,0016A976,00000010,00231440,001613FC,?,001613C6,?,00161129), ref: 00193852

__freea.LIBCMT ref: 001963EE
__freea.LIBCMT ref: 00196413

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3debf886c4f4dd2404ce80c1f31636ee8e326d43d03d5bf6b61c72126751a46c
Instruction ID: 8094201bd00a0ffa847bcec04465c8b5d723ae333862ba07d512573d90c69c59
Opcode Fuzzy Hash: 3debf886c4f4dd2404ce80c1f31636ee8e326d43d03d5bf6b61c72126751a46c
Instruction Fuzzy Hash: AC51E172A00216ABEF2A8F64CC81EBF77A9EB54750F154629FC09D7140EB34ED50D6B0

Function 001EBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Part of subcall function 001EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001EB6AE,?,?), ref: 001EC9B5
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001EC9F1
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001ECA68
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001EBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001EBD25
RegCloseKey.ADVAPI32(00000000), ref: 001EBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001EBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001EBDF3
RegCloseKey.ADVAPI32(?), ref: 001EBDFF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d2e416375a80ebfab65de8e8c2605e767fa6933f4b0a5c8a999876b3944a5077
Instruction ID: ddf3f5e3e4a9e65f333784655b1ea7fc189cabb3b8524893a6617765e60606bb
Opcode Fuzzy Hash: d2e416375a80ebfab65de8e8c2605e767fa6933f4b0a5c8a999876b3944a5077
Instruction Fuzzy Hash: 75816B30208681AFD714DF64C895E6BBBE5FF84308F14895CF5598B2A2DB31ED45CB92

Function 001BF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 001BF7B9
SysAllocString.OLEAUT32(00000001), ref: 001BF860
VariantCopy.OLEAUT32(001BFA64,00000000), ref: 001BF889
VariantClear.OLEAUT32(001BFA64), ref: 001BF8AD
VariantCopy.OLEAUT32(001BFA64,00000000), ref: 001BF8B1
VariantClear.OLEAUT32(?), ref: 001BF8BB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ebce0593a25c19ad67cde1025b5aa359c5dfe6f188565e4659a5ced101104b8e
Instruction ID: 9de2e47e9a5cd33dd79e0ce5e952548f0db6d609e0c5a28e4f3393f64020ab89
Opcode Fuzzy Hash: ebce0593a25c19ad67cde1025b5aa359c5dfe6f188565e4659a5ced101104b8e
Instruction Fuzzy Hash: 6D51E331600310BACF24AB65DC95BA9B3A8EF55714F20947FF906DF291DB708C86CB96

Function 001D910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00167620: _wcslen.LIBCMT ref: 00167625

Part of subcall function 00166B57: _wcslen.LIBCMT ref: 00166B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001D94E5
_wcslen.LIBCMT ref: 001D9506
_wcslen.LIBCMT ref: 001D952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001D9585

Strings

X, xrefs: 001D9412

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 30f118309f9ede3ad556f519449723c64896b288af565d72c5d82f978f5b7982
Instruction ID: bcf60157c9d01f9d46f78235ecea9ed9b1084d103b39f0bf8d901d59705ecf26
Opcode Fuzzy Hash: 30f118309f9ede3ad556f519449723c64896b288af565d72c5d82f978f5b7982
Instruction Fuzzy Hash: B0E1C331508350DFC724EF24D881A6AB7E4BF95314F14896EF8899B3A2DB30ED05CB92

Function 0017920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00179BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00179BB2

BeginPaint.USER32(?,?,?), ref: 00179241
GetWindowRect.USER32(?,?), ref: 001792A5
ScreenToClient.USER32(?,?), ref: 001792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001792D3
EndPaint.USER32(?,?,?,?,?), ref: 00179321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001B71EA

Part of subcall function 00179339: BeginPath.GDI32(00000000), ref: 00179357

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: ed9668e69cb75bc86a96feb2747f1a837b87dc3050103d111a04a86d06250db6
Instruction ID: b58f1744c03cbbb511f01da60035efe583743ef798f0b481a4457d5e4024dab5
Opcode Fuzzy Hash: ed9668e69cb75bc86a96feb2747f1a837b87dc3050103d111a04a86d06250db6
Instruction Fuzzy Hash: 15419070108201AFD711DF28DC88FBA7BB8EF95320F144669F9A9872E2C7319859DB61

Function 001D07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001D080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001D0847
EnterCriticalSection.KERNEL32(?), ref: 001D0863
LeaveCriticalSection.KERNEL32(?), ref: 001D08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001D08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001D0921

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: dae9d20f7a35d91ff75eec6b8aa9885391b31edca142f9fae9370e8f3b11b56e
Instruction ID: c787c1bba89a68bda8b15c7c88cf390b28af73f8822c6dc555ffd7391a2dbdd0
Opcode Fuzzy Hash: dae9d20f7a35d91ff75eec6b8aa9885391b31edca142f9fae9370e8f3b11b56e
Instruction Fuzzy Hash: 5B414C71900209EFDF15EF54DC85AAA7779FF08310F1480A9ED049A297DB30EE65EBA4

Function 001F81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,001BF3AB,00000000,?,?,00000000,?,001B682C,00000004,00000000,00000000), ref: 001F824C
EnableWindow.USER32(?,00000000), ref: 001F8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001F82D1
ShowWindow.USER32(?,00000004), ref: 001F82E5
EnableWindow.USER32(?,00000001), ref: 001F830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001F832F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6dab796fb7016b486af8dc05dc83dc35e6065c4ebbb31273f54c2bdd64ee7fd5
Instruction ID: e1f25e705721037dcd2373f62cfcf24edf5709566d22efffe715925e21e83086
Opcode Fuzzy Hash: 6dab796fb7016b486af8dc05dc83dc35e6065c4ebbb31273f54c2bdd64ee7fd5
Instruction Fuzzy Hash: AF418134601648EFDB25DF15D999BF87BF1BB0A714F1842A9E6088F2B2CB31A855CF50

Function 001C4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001C4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001C4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001C4CEA
_wcslen.LIBCMT ref: 001C4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001C4D10
_wcsstr.LIBVCRUNTIME ref: 001C4D1A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: d84249c51b45e3463467784099b9ddf28de225bff7fe1d5bd04f777f3e8d04b8
Instruction ID: 73e87dfb82b4489ec7837574613b651fddcb4eae21854515fc9c874712221ed2
Opcode Fuzzy Hash: d84249c51b45e3463467784099b9ddf28de225bff7fe1d5bd04f777f3e8d04b8
Instruction Fuzzy Hash: E6212C316081047BEB156B759C15F7B7BACDF65760F10802DF80ACA191EF61CC41D7A0

Function 001D581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00163AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00163A97,?,?,00162E7F,?,?,?,00000000), ref: 00163AC2

_wcslen.LIBCMT ref: 001D587B
CoInitialize.OLE32(00000000), ref: 001D5995
CoCreateInstance.OLE32(001FFCF8,00000000,00000001,001FFB68,?), ref: 001D59AE
CoUninitialize.OLE32 ref: 001D59CC

Strings

.lnk, xrefs: 001D5876, 001D58C1, 001D5985

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c337af4aff4a9f10e4b6b8d60e9dc24e4b2f4eec3bbe22679b99aaf13a7d3c50
Instruction ID: 71277138e20fd0d0859371563f7662db30522450879739c1bd8afe3565a9044b
Opcode Fuzzy Hash: c337af4aff4a9f10e4b6b8d60e9dc24e4b2f4eec3bbe22679b99aaf13a7d3c50
Instruction Fuzzy Hash: 7DD16371608701DFC714DF24C890A2ABBE6EF99714F14885EF88A9B361DB31EC45CB92

Function 001C175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001C0FCA
Part of subcall function 001C0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001C0FD6
Part of subcall function 001C0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001C0FE5
Part of subcall function 001C0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001C0FEC
Part of subcall function 001C0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001C1002

GetLengthSid.ADVAPI32(?,00000000,001C1335), ref: 001C17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001C17BA
HeapAlloc.KERNEL32(00000000), ref: 001C17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001C17DA
GetProcessHeap.KERNEL32(00000000,00000000,001C1335), ref: 001C17EE
HeapFree.KERNEL32(00000000), ref: 001C17F5

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 386612cbf6ec63f8ac4092df6d03b2f035e7bd7578622243f1dc8868f19c7275
Instruction ID: f4718d7b9b7e03f5799ebb823ecc32151edb707096c3b2d7391d0a03d8c85ea4
Opcode Fuzzy Hash: 386612cbf6ec63f8ac4092df6d03b2f035e7bd7578622243f1dc8868f19c7275
Instruction Fuzzy Hash: 10118632640209FFDB109BA4CD49FBE7BA9EF56355F10401CF481A7212C736E995DBA0

Function 001C14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001C14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001C1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001C1515
CloseHandle.KERNEL32(00000004), ref: 001C1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001C154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001C1563

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a16e8a1ffa6adf3f4ce060e5534d1730638182e87a9439f61522516e3938f862
Instruction ID: 92e5388ff50ad7d41c40734e96cf3c59ad39b79ecffbe19697e1e535dd58470d
Opcode Fuzzy Hash: a16e8a1ffa6adf3f4ce060e5534d1730638182e87a9439f61522516e3938f862
Instruction Fuzzy Hash: 5A1159B250020DBBDF118F98DE49FEE7BA9EF49744F044018FA05A2160C371CEA5EBA0

Function 00183382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00183379,00182FE5), ref: 00183390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0018339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001833B7
SetLastError.KERNEL32(00000000,?,00183379,00182FE5), ref: 00183409

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 285c9c20fcdc396add603939dee835a1de8eeee70fa2a81c8b01754f8ecf500b
Instruction ID: e73206b3618f7934f3da245b6a6721cad7f5302bead48f2d9af5ab4e5984fb9a
Opcode Fuzzy Hash: 285c9c20fcdc396add603939dee835a1de8eeee70fa2a81c8b01754f8ecf500b
Instruction Fuzzy Hash: 7601D832609311BEA62937B97C8997A2A94FB15F797380229F830811F5FF514F025F94

Function 00192D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00195686,001A3CD6,?,00000000,?,00195B6A,?,?,?,?,?,0018E6D1,?,00228A48), ref: 00192D78
_free.LIBCMT ref: 00192DAB
_free.LIBCMT ref: 00192DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0018E6D1,?,00228A48,00000010,00164F4A,?,?,00000000,001A3CD6), ref: 00192DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0018E6D1,?,00228A48,00000010,00164F4A,?,?,00000000,001A3CD6), ref: 00192DEC
_abort.LIBCMT ref: 00192DF2

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a800ff97276e437721e0389de67fdca6dbe92464cb88c7e947aea793e44984db
Instruction ID: b6236554e10c21625ab79c40847ae7e4d3a201415a12940820447aa78cf5a9f1
Opcode Fuzzy Hash: a800ff97276e437721e0389de67fdca6dbe92464cb88c7e947aea793e44984db
Instruction Fuzzy Hash: B6F0C83590560037CF2267B4BC0AE2F25D9BFD27A5F250419F828D36E2EF34984251A0

Function 001F8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00179639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00179693
Part of subcall function 00179639: SelectObject.GDI32(?,00000000), ref: 001796A2
Part of subcall function 00179639: BeginPath.GDI32(?), ref: 001796B9
Part of subcall function 00179639: SelectObject.GDI32(?,00000000), ref: 001796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001F8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001F8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001F8A70
LineTo.GDI32(?,00000000,00000003), ref: 001F8A80
EndPath.GDI32(?), ref: 001F8A90
StrokePath.GDI32(?), ref: 001F8AA0

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: f0cc35465819d26f179ad24e658152ce77b01b1a51023ee5eb23fb79747c438b
Instruction ID: 3f50efe4554f4bdbe7bf4de3539c6b27162b390eacd15d7076e7d018627f0014
Opcode Fuzzy Hash: f0cc35465819d26f179ad24e658152ce77b01b1a51023ee5eb23fb79747c438b
Instruction Fuzzy Hash: 0F111B7600014DFFDF129F90DC88FAA7F6CEB08354F008012BA199A1A1CB719D95EFA0

Function 001C51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001C5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001C5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001C5230
ReleaseDC.USER32(00000000,00000000), ref: 001C5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001C524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001C5261

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f4955c7b729df4c464e262c332831b45a606bada32fbafb77cd86bed482f29e0
Instruction ID: c9a210e4048c509d967d9d143f8f899e8de76f6447d7a875faa0362e6f3592fa
Opcode Fuzzy Hash: f4955c7b729df4c464e262c332831b45a606bada32fbafb77cd86bed482f29e0
Instruction Fuzzy Hash: C1018F75A04708BBEB109BA59D49F5EBFB8EB48751F044069FA04E7380DB709840DBA0

Function 00161BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00161BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00161BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00161C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00161C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00161C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00161C22

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: cdce4fde6e88b5c9d0e3fb8624ef6dee6839479806905231333f496afef0947d
Instruction ID: e025dd815a8faac828669609a3c6b3153f4d5d0cbcde458c8a28a867f0c70c77
Opcode Fuzzy Hash: cdce4fde6e88b5c9d0e3fb8624ef6dee6839479806905231333f496afef0947d
Instruction Fuzzy Hash: 70016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 001CEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001CEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001CEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001CEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001CEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001CEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001CEB75

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fd316a1f72337c95b70ec3039c04782668ffc03dcfe94c42f69e1429bf10e4df
Instruction ID: 09ee76a5ddecefe323a5f4e5c5ff588a25d0b4cf252641d2d6031aa11ffc328f
Opcode Fuzzy Hash: fd316a1f72337c95b70ec3039c04782668ffc03dcfe94c42f69e1429bf10e4df
Instruction Fuzzy Hash: 1FF03AB224455CBBE7215B629D0EEFF3A7CEFCAB21F000158F601D1591EBA05A41EAF5

Function 001B7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 001B7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 001B7469
GetWindowDC.USER32(?), ref: 001B7475
GetPixel.GDI32(00000000,?,?), ref: 001B7484
ReleaseDC.USER32(?,00000000), ref: 001B7496
GetSysColor.USER32(00000005), ref: 001B74B0

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 3f52da80e0d38565fb88bd8d69f70895f2f545ca0746e7f994279c7fb83d2b9a
Instruction ID: f1547c58f0477fc9c8e333c104d51041a03ab7f0aaed3d8152ab9e6b98bab188
Opcode Fuzzy Hash: 3f52da80e0d38565fb88bd8d69f70895f2f545ca0746e7f994279c7fb83d2b9a
Instruction Fuzzy Hash: 91018B31504209EFDB105F64DD08BFABBB5FB04322F210060F916E26A0CB311E91EB90

Function 001C1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001C187F
UnloadUserProfile.USERENV(?,?), ref: 001C188B
CloseHandle.KERNEL32(?), ref: 001C1894
CloseHandle.KERNEL32(?), ref: 001C189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001C18A5
HeapFree.KERNEL32(00000000), ref: 001C18AC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 26b9ad96c50470c481566c1d25b68fd8b4975653fab2ac5cf12cdb0f87ddf84e
Instruction ID: b3e8d8ac3fa0d7e4701424197def51016569dc74c7bdaefc12efa473b65d5e3d
Opcode Fuzzy Hash: 26b9ad96c50470c481566c1d25b68fd8b4975653fab2ac5cf12cdb0f87ddf84e
Instruction Fuzzy Hash: 58E0C976004109FBD6015BA1EE0CD15BF29FF497217108220F22581870CB3254B0FB90

Function 001CC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00167620: _wcslen.LIBCMT ref: 00167625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001CC6EE
_wcslen.LIBCMT ref: 001CC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001CC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001CC7CA

Strings

0, xrefs: 001CC6AF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 4961113c306a3be2e0be1dd9418e920e6dcf1918019193f02b62a921d1f4ed5c
Instruction ID: 65db3e690ee3ca147986ef1e2dde0c51ee86390ab641e14f202fd52b60419206
Opcode Fuzzy Hash: 4961113c306a3be2e0be1dd9418e920e6dcf1918019193f02b62a921d1f4ed5c
Instruction Fuzzy Hash: 8C51BC726143019BD7149F28C985F6BB7E8EFA9314F040A2DF999E32A0DB70DD54CB92

Function 001EAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001EAEA3

Part of subcall function 00167620: _wcslen.LIBCMT ref: 00167625

GetProcessId.KERNEL32(00000000), ref: 001EAF38
CloseHandle.KERNEL32(00000000), ref: 001EAF67

Strings

<, xrefs: 001EAE6B
@, xrefs: 001EAE72

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 48f5497a45adccfdbeda7c321d6267ea2152e29d35a3ded5b3bcaacd9038b35f
Instruction ID: 6a05ca4d184da473e5de7e697e20c629e8c5b6e072cf6cb9028e257bfe5ce470
Opcode Fuzzy Hash: 48f5497a45adccfdbeda7c321d6267ea2152e29d35a3ded5b3bcaacd9038b35f
Instruction Fuzzy Hash: EF719B70A00658DFCB14DFA5C894A9EBBF0FF08304F448499E816AB3A2CB70ED55CB91

Function 001C719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001C7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001C723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001C724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001C72CF

Strings

DllGetClassObject, xrefs: 001C7242

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: eeff7121e4406b721ee7d73f1415235ef278c7255ba7017ad94f401b461b6c33
Instruction ID: ce45b1ce3ef53a33b1f7a06070ef7acf5844645da0f04fc2edf90aedb4399348
Opcode Fuzzy Hash: eeff7121e4406b721ee7d73f1415235ef278c7255ba7017ad94f401b461b6c33
Instruction Fuzzy Hash: 62412971A04204AFDB15CF94C884FAA7BA9EF64310B2580ADBD059F28AD7F1D945DFA0

Function 001F3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001F3E35
IsMenu.USER32(?), ref: 001F3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001F3E92
DrawMenuBar.USER32 ref: 001F3EA5

Strings

0, xrefs: 001F3D89

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 5dd048234383e06be4a7e5577efecdbc9cc96a1192e008c807cc46539cb96c90
Instruction ID: dc473c7cac6700902c2766bb2de29e526916ac4b9e0fcd2d892c5ab3acfd9669
Opcode Fuzzy Hash: 5dd048234383e06be4a7e5577efecdbc9cc96a1192e008c807cc46539cb96c90
Instruction Fuzzy Hash: 51414675A0020DEFDF10DF60D884AEABBB9FF48354F044129EA25A7261D730AE55DFA0

Function 001C1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Part of subcall function 001C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001C3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001C1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001C1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 001C1EA9

Part of subcall function 00166B57: _wcslen.LIBCMT ref: 00166B6A

Strings

ListBox, xrefs: 001C1E25
ComboBox, xrefs: 001C1DF0

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 3af4b219810eef40feee366710dd0b4228020666ebcc72a5d89299f8eb88cb68
Instruction ID: f60fded34be2859b35cb1221fd6e1640181788f9de7a393dbcacb856d91241d5
Opcode Fuzzy Hash: 3af4b219810eef40feee366710dd0b4228020666ebcc72a5d89299f8eb88cb68
Instruction Fuzzy Hash: 19212671A40108BBDB15ABA4DD46DFFB7B8DF62360B10811DF825E71E1DB34891AD620

Function 001F2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001F2F8D
LoadLibraryW.KERNEL32(?), ref: 001F2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001F2FA9
DestroyWindow.USER32(?), ref: 001F2FB1

Strings

SysAnimate32, xrefs: 001F2F68

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 312a3a5c9933d26c5b78cb6f26c033367ebf6dcaa8894534b767481c8021df9d
Instruction ID: cc15fd00560deb4ceca455a862c27d748e9ba0903895cc34e6836e14fe0f2100
Opcode Fuzzy Hash: 312a3a5c9933d26c5b78cb6f26c033367ebf6dcaa8894534b767481c8021df9d
Instruction Fuzzy Hash: B5219D7122420DABEB114FA4DC84EBB77BDEB59364F104628FA50D71A0D771DC91A760

Function 00184D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00184D1E,001928E9,?,00184CBE,001928E9,002288B8,0000000C,00184E15,001928E9,00000002), ref: 00184D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00184DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00184D1E,001928E9,?,00184CBE,001928E9,002288B8,0000000C,00184E15,001928E9,00000002,00000000), ref: 00184DC3

Strings

CorExitProcess, xrefs: 00184D98
mscoree.dll, xrefs: 00184D86

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e35cb8b3c5c27fc89ab8a15333c51b3da73680e34dadd6b05807cd5f92a589a4
Instruction ID: bd09a9533a29b2f2daf3652fd72f29fa3063d27d910d0657799f6592a1a9fdc0
Opcode Fuzzy Hash: e35cb8b3c5c27fc89ab8a15333c51b3da73680e34dadd6b05807cd5f92a589a4
Instruction Fuzzy Hash: CBF08C30A0020DBBDB11AB90DC49BEDBBB5EB04751F0001A4A806A26A0CF305A90DFD0

Function 00164E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00164EDD,?,?,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00164E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00164EAE
FreeLibrary.KERNEL32(00000000,?,?,00164EDD,?,?,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00164EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00164EA8
kernel32.dll, xrefs: 00164E94

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 5357eb798464cd229e6c396d8bc281bba177301363472bcfe3853cf15e0b7b92
Instruction ID: c3b96f5934e5479653af3d92722eeb1e520cea4c1fd8e384d44df83976473f17
Opcode Fuzzy Hash: 5357eb798464cd229e6c396d8bc281bba177301363472bcfe3853cf15e0b7b92
Instruction Fuzzy Hash: DFE0CD35E055369BD2311B257D18BBF6554AF81F627050115FD05D2500DB68CD61D4F4

Function 00164E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,001A3CDE,?,?,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00164E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00164E74
FreeLibrary.KERNEL32(00000000,?,?,001A3CDE,?,?,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00164E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00164E6E
kernel32.dll, xrefs: 00164E5B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 10fd46fc2a5b180071e59ff7c8280720043f1a27bf23ddb04fcb04565a9ca463
Instruction ID: 870d4736fe96b094351419d938e691ce7bd661f21902449ae0ec4d74cd5bdbfc
Opcode Fuzzy Hash: 10fd46fc2a5b180071e59ff7c8280720043f1a27bf23ddb04fcb04565a9ca463
Instruction Fuzzy Hash: CCD02B39506636ABA6321B247C0CDEF2A18AF85F513060111F905E2510CF29CD71D5D0

Function 001D2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001D2C05
DeleteFileW.KERNEL32(?), ref: 001D2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001D2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001D2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001D2CC0

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: f3996f3c9b05ef1336acbe8bc23cf579ddca9e2433c266f4449b053b920692ee
Instruction ID: 23f58dd8677b00bf43dab1004710fc78052444ab1827e72b3d70526e8639e8d0
Opcode Fuzzy Hash: f3996f3c9b05ef1336acbe8bc23cf579ddca9e2433c266f4449b053b920692ee
Instruction Fuzzy Hash: 88B14E72900119ABDF25EBA4CC85EDEB7BDEF69350F1040A6F519E7241EB309A44CF61

Function 001EA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001EA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001EA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001EA468
CloseHandle.KERNEL32(?), ref: 001EA63D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 2453ba1249944d7a65662a0f629cf1b27f97b67d4a4f9267dbfff5bc4e32eeb7
Instruction ID: f85be6b3e65d4bb39fc4d261c968a3696bcb1ec65bba9f3904a78f31ca45f1c0
Opcode Fuzzy Hash: 2453ba1249944d7a65662a0f629cf1b27f97b67d4a4f9267dbfff5bc4e32eeb7
Instruction Fuzzy Hash: 4FA1BF716047009FD720DF29C886F2AB7E1AF98714F54885DF99A9B2D2D7B0EC41CB92

Function 0019BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00203700), ref: 0019BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0023121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0019BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00231270,000000FF,?,0000003F,00000000,?), ref: 0019BC36
_free.LIBCMT ref: 0019BB7F

Part of subcall function 001929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000), ref: 001929DE
Part of subcall function 001929C8: GetLastError.KERNEL32(00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000,00000000), ref: 001929F0

_free.LIBCMT ref: 0019BD4B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: de8cdbe22002d94143bd4a82c23c7aec1150eb6935ab858940ab406943c914f4
Instruction ID: c3609e0946ab82c39a86f7df6b52e3741e9575901a167d972c469887af715796
Opcode Fuzzy Hash: de8cdbe22002d94143bd4a82c23c7aec1150eb6935ab858940ab406943c914f4
Instruction Fuzzy Hash: D7510971908219EFCF14EF65BEC59AEB7BCFF50710B10026AE815D7191EB709E518B90

Function 001CE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001CCF22,?), ref: 001CDDFD

Part of subcall function 001CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001CCF22,?), ref: 001CDE16

Part of subcall function 001CE199: GetFileAttributesW.KERNEL32(?,001CCF95), ref: 001CE19A

lstrcmpiW.KERNEL32(?,?), ref: 001CE473
MoveFileW.KERNEL32(?,?), ref: 001CE4AC
_wcslen.LIBCMT ref: 001CE5EB
_wcslen.LIBCMT ref: 001CE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001CE650

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2ded9f2c436b3ac0b68b447ce7102da3c809950b11019abcf45b39286ff7e8d4
Instruction ID: b2a2b6bcd3f50b0e39490ed1609921e211bd7931a79745da9230163c27097fdd
Opcode Fuzzy Hash: 2ded9f2c436b3ac0b68b447ce7102da3c809950b11019abcf45b39286ff7e8d4
Instruction Fuzzy Hash: 735120B24087859BC724EB94DC81EDB73ECAFA5340F00491EF589D3191EF75E6888B66

Function 001EB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Part of subcall function 001EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001EB6AE,?,?), ref: 001EC9B5
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001EC9F1
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001ECA68
Part of subcall function 001EC998: _wcslen.LIBCMT ref: 001ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001EBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001EBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001EBB63
RegCloseKey.ADVAPI32(?,?), ref: 001EBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001EBBB3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 95f25af904caa0f9c46d254919bb7a7d00f77558eb839b689be826e30d9bf35e
Instruction ID: bf4d4c840792178d059178aedf321ead518119784796462ee9362419c05545aa
Opcode Fuzzy Hash: 95f25af904caa0f9c46d254919bb7a7d00f77558eb839b689be826e30d9bf35e
Instruction Fuzzy Hash: BB615A31208645AFD714DF15C8D0E2ABBE9BF84308F54856CF49A8B2A2DB31ED45CB92

Function 001C8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001C8BCD
VariantClear.OLEAUT32 ref: 001C8C3E
VariantClear.OLEAUT32 ref: 001C8C9D
VariantClear.OLEAUT32(?), ref: 001C8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001C8D3B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 18b59671e7fa15dff5e905d850dda86172a9f33ec0cc706e18c80998c4899b1a
Instruction ID: 589871d947e7c57bb73efb994742b7a7e9c172cde9243864883f6749e5e4dbe9
Opcode Fuzzy Hash: 18b59671e7fa15dff5e905d850dda86172a9f33ec0cc706e18c80998c4899b1a
Instruction Fuzzy Hash: 525158B5A00219EFCB14CF68D894EAAB7F8FF99310B158559E90ADB350E730E911CF90

Function 001D8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001D8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001D8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001D8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001D8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001D8C5F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f99d2b5ae8793045b977ab3f070e83f3eab986ee732e1f8c2ef2152e8e0ad457
Instruction ID: cc6dc56795997f973536b6e7cb9d70f1971b5ca0799b9eb345937a9b6c19c4a8
Opcode Fuzzy Hash: f99d2b5ae8793045b977ab3f070e83f3eab986ee732e1f8c2ef2152e8e0ad457
Instruction Fuzzy Hash: 80514F35A00215DFCB05DF64C881AADBBF5FF58314F088499E84AAB362DB35ED51DB90

Function 001E8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001E8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001E8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001E8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001E9032
FreeLibrary.KERNEL32(00000000), ref: 001E9052

Part of subcall function 0017F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001D1043,?,7529E610), ref: 0017F6E6
Part of subcall function 0017F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,001BFA64,00000000,00000000,?,?,001D1043,?,7529E610,?,001BFA64), ref: 0017F70D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 33c18eee09933588dc3ca5ecb38ea807c3226c5496dc99eebe25c45535a4ac1f
Instruction ID: 92995889678d26f9babb58faf08ed172152560461e613590ce789a3ab73692fe
Opcode Fuzzy Hash: 33c18eee09933588dc3ca5ecb38ea807c3226c5496dc99eebe25c45535a4ac1f
Instruction Fuzzy Hash: 5F516A35604645DFCB14DF59C4848ADBBF5FF59324B0980A8F80AAB762DB31ED86CB90

Function 001F6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001F6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001F6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001F6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001DAB79,00000000,00000000), ref: 001F6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001F6CC7

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 8a8ade61651074d596ae1d570f810205afec0180447b823802be42ee2a1a44b1
Instruction ID: eff7429a71317b0963d088b4aaf8632d41e2b6d105f277322e5f56f90c84a3ae
Opcode Fuzzy Hash: 8a8ade61651074d596ae1d570f810205afec0180447b823802be42ee2a1a44b1
Instruction Fuzzy Hash: 9841D43560410CAFD724CF28CD58FB97BA5EB0A360F150228FAD9E72E1C371AD51DA80

Function 00192051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001920C3
_free.LIBCMT ref: 001920E3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e756ca6621ad2cf60b6c6b6ad6c21d11b47fa2a119581dd3e883eeb1f3022c1c
Instruction ID: 11b2cb627a1833d092ccd80112a379d76373c251d9007a722fe6e3b0e5e97948
Opcode Fuzzy Hash: e756ca6621ad2cf60b6c6b6ad6c21d11b47fa2a119581dd3e883eeb1f3022c1c
Instruction Fuzzy Hash: 4F41C332A00200AFCF24DF78C881A6EB7F5EF99714F254569E515EB351DB31AD01CB81

Function 0017912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00179141
ScreenToClient.USER32(00000000,?), ref: 0017915E
GetAsyncKeyState.USER32(00000001), ref: 00179183
GetAsyncKeyState.USER32(00000002), ref: 0017919D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 10b6734c1bb62cb41c68bbd59fd97e047e5a34d69bb97c403aa4776b50ccf63e
Instruction ID: 2e7035984233a450d6f4991a7f53c62403b1fbbefe23d8a232e1ba9401e81fc9
Opcode Fuzzy Hash: 10b6734c1bb62cb41c68bbd59fd97e047e5a34d69bb97c403aa4776b50ccf63e
Instruction Fuzzy Hash: DC414F71A0861ABBDF199F68C848BFEB775FB45330F208215E429A72D0C7346994DBA1

Function 001D3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001D38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001D3922
TranslateMessage.USER32(?), ref: 001D394B
DispatchMessageW.USER32(?), ref: 001D3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001D3966

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 4be7e6a926d62d0b967ebcf8f53d6e72796d3d65a927dc32f54d3dea4dc2ab76
Instruction ID: f6a0260d3ab08e974d755957d35ef954b226e9f5da1bd1cc885b1cc9e22ecb91
Opcode Fuzzy Hash: 4be7e6a926d62d0b967ebcf8f53d6e72796d3d65a927dc32f54d3dea4dc2ab76
Instruction Fuzzy Hash: 23319770504345DEEB3DCB75E85CBB637A8AB15308F04056BE472826A0E7F4A685DB52

Function 001DCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 001DCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001DCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001DC21E,00000000), ref: 001DCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001DC21E,00000000), ref: 001DCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001DC21E,00000000), ref: 001DCFF2

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ad8fcbfd26e65866ee1baacb028a1dc5b50e9f9040ed06794015b5ce013ce8c5
Instruction ID: cb7698da7e5df3e31a9fd15871fdf9c4dc621c45721c4ea04be826c40c80cc41
Opcode Fuzzy Hash: ad8fcbfd26e65866ee1baacb028a1dc5b50e9f9040ed06794015b5ce013ce8c5
Instruction Fuzzy Hash: 91315E7150420AEFDB24DFA5C984AABBBF9EB14350B10482FF516D2240DB30AE41DBA0

Function 001C1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001C1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001C19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001C19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001C19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001C19E2

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 259def5b7f3fd09f3818ebf153569542acfa790d0ce27940e9b8acb14b40a92d
Instruction ID: e33e48071ccd8a7435f8b87ed7409c89580f246a74697308ecb9a78ab17bf5bb
Opcode Fuzzy Hash: 259def5b7f3fd09f3818ebf153569542acfa790d0ce27940e9b8acb14b40a92d
Instruction Fuzzy Hash: 8E31AF71900219EFCB14CFA8C999BEE7BB5EB15319F104229F921A72D1C770D954DB90

Function 001F5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001F5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001F579D
_wcslen.LIBCMT ref: 001F57AF
_wcslen.LIBCMT ref: 001F57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001F5816

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 86b1046d41f16a45ed41a0e026cffd154a000a1f350b30e121e39293bc1cdb26
Instruction ID: c4cfae0bfb85485d9b4250b499d898b23a782eda71d8ab52be43e9f95f539a85
Opcode Fuzzy Hash: 86b1046d41f16a45ed41a0e026cffd154a000a1f350b30e121e39293bc1cdb26
Instruction Fuzzy Hash: 2F21657590461C9ADB209FA4CC85AFD7BB9FF54724F108216EB1AEA180E7709A85CF50

Function 001E0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001E0951
GetForegroundWindow.USER32 ref: 001E0968
GetDC.USER32(00000000), ref: 001E09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001E09B0
ReleaseDC.USER32(00000000,00000003), ref: 001E09E8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c36de8891c2cb513930f0bad069974f6ce8076e8388a8356c241838d1d13e4ab
Instruction ID: 4269925bc4445553aa4707e84c23a150b725684b707a30214e6f10de05f86add
Opcode Fuzzy Hash: c36de8891c2cb513930f0bad069974f6ce8076e8388a8356c241838d1d13e4ab
Instruction Fuzzy Hash: 3A21AE35600214AFD704EF69DD84AAEBBE9EF58700F008069E84AD7762DB70AC84DB90

Function 0019CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0019CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0019CDE9

Part of subcall function 00193820: RtlAllocateHeap.NTDLL(00000000,?,00231444,?,0017FDF5,?,?,0016A976,00000010,00231440,001613FC,?,001613C6,?,00161129), ref: 00193852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0019CE0F
_free.LIBCMT ref: 0019CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0019CE31

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0c8311ccec418780f27bac4c88008eb0b423379775dafc7c715f32309ca70782
Instruction ID: af8369f38a14133aafb3d3003cb091df75b8ec67bbcc419785e3bf589a0c25dd
Opcode Fuzzy Hash: 0c8311ccec418780f27bac4c88008eb0b423379775dafc7c715f32309ca70782
Instruction Fuzzy Hash: 3501A7726012157F2B2156BA6C8CD7B7D6DEFC6BA13150129FD46C7201EB618D01D2F0

Function 00179639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00179693
SelectObject.GDI32(?,00000000), ref: 001796A2
BeginPath.GDI32(?), ref: 001796B9
SelectObject.GDI32(?,00000000), ref: 001796E2

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a9020d4c6c8ee33298dfbd86f5e3b77d1029702c8381475fa6e3d56f25ddcc23
Instruction ID: 74e63d1f4da46ac92e4eaee40f8d5ad83e69e6c286fac32236ba3345382ecc83
Opcode Fuzzy Hash: a9020d4c6c8ee33298dfbd86f5e3b77d1029702c8381475fa6e3d56f25ddcc23
Instruction Fuzzy Hash: 20219A70802349EFDB119F28ED18BB93BB9BF50725F108316F818A61B0D37098A9DF94

Function 001C5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001C5726
_memcmp.LIBVCRUNTIME ref: 001C5744
_memcmp.LIBVCRUNTIME ref: 001C5757
_memcmp.LIBVCRUNTIME ref: 001C576F
_memcmp.LIBVCRUNTIME ref: 001C5787

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: dfd9fdbc2f108d2afed05190836b04046146524da11cdc21a7a3a3f9224dd8f4
Instruction ID: b2bacf71cdd1df294b4bf3d2a611873d54ad008fa9641eeff4e0ea1e35301033
Opcode Fuzzy Hash: dfd9fdbc2f108d2afed05190836b04046146524da11cdc21a7a3a3f9224dd8f4
Instruction Fuzzy Hash: 4401B972641719BBD31866109D42FBB735FAF317A4F804028FE059A241F760FED287A4

Function 00192DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0018F2DE,00193863,00231444,?,0017FDF5,?,?,0016A976,00000010,00231440,001613FC,?,001613C6), ref: 00192DFD
_free.LIBCMT ref: 00192E32
_free.LIBCMT ref: 00192E59
SetLastError.KERNEL32(00000000,00161129), ref: 00192E66
SetLastError.KERNEL32(00000000,00161129), ref: 00192E6F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0a96bf3af975ebcc6c43840197f75eefb308c7c3e13d6be90ab435d3b6de10b4
Instruction ID: a8924c38554354d5ac228c81f1c20e10b1ef2433f2cd5805e77be72247403d8e
Opcode Fuzzy Hash: 0a96bf3af975ebcc6c43840197f75eefb308c7c3e13d6be90ab435d3b6de10b4
Instruction Fuzzy Hash: 1801A4326456047BCF2267747CCAD2B269DAFE17A5B254029F425A2292EB748C0151A0

Function 001C000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,001BFF41,80070057,?,?,?,001C035E), ref: 001C002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001BFF41,80070057,?,?), ref: 001C0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001BFF41,80070057,?,?), ref: 001C0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001BFF41,80070057,?), ref: 001C0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,001BFF41,80070057,?,?), ref: 001C0070

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 15d82330a9345e350f9008179594beb59bf03403b0b7f4735d5f7393855de599
Instruction ID: 3c9d3d18820a5b345a5ec1d18fc2650081d1120cc54f6e56f4ad4069e5b0ab2a
Opcode Fuzzy Hash: 15d82330a9345e350f9008179594beb59bf03403b0b7f4735d5f7393855de599
Instruction Fuzzy Hash: E1018B72600208FFDB124F68DD04FAABAADEB587D2F254128F905D2210E771DD90EBA0

Function 001C10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001C1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001C0B9B,?,?,?), ref: 001C1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001C0B9B,?,?,?), ref: 001C112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001C0B9B,?,?,?), ref: 001C1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001C114D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6276c0a0685c17c9e2929695399abbc217f922433135fd5581fe4bf2c4d79fbb
Instruction ID: 1cc5c74f20868c799d76d66627505944e882927fd27294c6f55db0aef7e8eca4
Opcode Fuzzy Hash: 6276c0a0685c17c9e2929695399abbc217f922433135fd5581fe4bf2c4d79fbb
Instruction Fuzzy Hash: 9D018C79240209FFDB115FA4DD49E6A3F6EEF8A3A0B240418FA45C3360DB31DC50EAA0

Function 001C0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001C0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001C0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001C0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001C0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001C1002

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ac572919154de89cf4bc5cf5294c86135e85423e75251cfa28779c3f0933a901
Instruction ID: 44cdaa59a13f91cad756001693f439c6ba1fe19efcfdba0f99b218695d22a180
Opcode Fuzzy Hash: ac572919154de89cf4bc5cf5294c86135e85423e75251cfa28779c3f0933a901
Instruction Fuzzy Hash: 79F04F79140305FBD7214FA49D49F663B6DEF8A761F114415F945C6251CA70DC90DAA0

Function 001C1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001C102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001C1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001C1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001C104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001C1062

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 02a6db47e2020c2cd1f71c4eab6cee4aff3b1f85ea8570cec86c8d862503e03a
Instruction ID: fb7e5d935166f56654c19af0b639c3ea0a6e69be530c426ee886df05205577d1
Opcode Fuzzy Hash: 02a6db47e2020c2cd1f71c4eab6cee4aff3b1f85ea8570cec86c8d862503e03a
Instruction Fuzzy Hash: FEF04F79140305FBD7215FA4ED49F663B6DEF8A761F210414F945C6251CA70D890DAA0

Function 001D030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001D017D,?,001D32FC,?,00000001,001A2592,?), ref: 001D0324
CloseHandle.KERNEL32(?,?,?,?,001D017D,?,001D32FC,?,00000001,001A2592,?), ref: 001D0331
CloseHandle.KERNEL32(?,?,?,?,001D017D,?,001D32FC,?,00000001,001A2592,?), ref: 001D033E
CloseHandle.KERNEL32(?,?,?,?,001D017D,?,001D32FC,?,00000001,001A2592,?), ref: 001D034B
CloseHandle.KERNEL32(?,?,?,?,001D017D,?,001D32FC,?,00000001,001A2592,?), ref: 001D0358
CloseHandle.KERNEL32(?,?,?,?,001D017D,?,001D32FC,?,00000001,001A2592,?), ref: 001D0365

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 936ad957466c6341c79420a3bbb33d017c1ee6fdaae7faa13851fce21964b9f5
Instruction ID: 96d2a5fab2a6d96c8f585e9f8fb465a27275e57432a199742bf349eddd0f3f09
Opcode Fuzzy Hash: 936ad957466c6341c79420a3bbb33d017c1ee6fdaae7faa13851fce21964b9f5
Instruction Fuzzy Hash: 1001AE72800B55AFCB31AF66D880916FBF9BF643153158A3FD19652A31C3B1A998DF80

Function 0019D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0019D752

Part of subcall function 001929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000), ref: 001929DE
Part of subcall function 001929C8: GetLastError.KERNEL32(00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000,00000000), ref: 001929F0

_free.LIBCMT ref: 0019D764
_free.LIBCMT ref: 0019D776
_free.LIBCMT ref: 0019D788
_free.LIBCMT ref: 0019D79A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5ea9f864dc67385a1af9f93d59bcf4e2f6083098cfd17596d0ac62b9c9a2a625
Instruction ID: ae74e7e46283706787e036db86b46cc54edd8fc70bcdfde065525481d5479121
Opcode Fuzzy Hash: 5ea9f864dc67385a1af9f93d59bcf4e2f6083098cfd17596d0ac62b9c9a2a625
Instruction Fuzzy Hash: 11F01232944214BB8E25EBE4F9C6C1A77DDBB547187E51805F04CE7505CB30FC8086A5

Function 001C5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001C5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 001C5C6F
MessageBeep.USER32(00000000), ref: 001C5C87
KillTimer.USER32(?,0000040A), ref: 001C5CA3
EndDialog.USER32(?,00000001), ref: 001C5CBD

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5729aeeb1e8cf639a91cecc669b629d33b17bb5154972eaaa9aa896b11e9c724
Instruction ID: f7f97ba3ed67957a5d33490b8e360e1c0b6e8d6f1fa8690b3b6aec5805e74be6
Opcode Fuzzy Hash: 5729aeeb1e8cf639a91cecc669b629d33b17bb5154972eaaa9aa896b11e9c724
Instruction Fuzzy Hash: 8F018130500B08ABEB245B10DE4EFA67BBDBF10B15F00065DA593A15E1DBF0B9C8DA94

Function 001922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001922BE

Part of subcall function 001929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000), ref: 001929DE
Part of subcall function 001929C8: GetLastError.KERNEL32(00000000,?,0019D7D1,00000000,00000000,00000000,00000000,?,0019D7F8,00000000,00000007,00000000,?,0019DBF5,00000000,00000000), ref: 001929F0

_free.LIBCMT ref: 001922D0
_free.LIBCMT ref: 001922E3
_free.LIBCMT ref: 001922F4
_free.LIBCMT ref: 00192305

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2d989dbf307e1f95204ac0da536dad8e0b9bb03519414a68a40188d7a611887f
Instruction ID: 3934e9ac2e59f6004fa717bb207172a495a645e711bb6485eaece88bd2f850e4
Opcode Fuzzy Hash: 2d989dbf307e1f95204ac0da536dad8e0b9bb03519414a68a40188d7a611887f
Instruction Fuzzy Hash: C8F03AB0C00630ABCA22EF94BC4980D3B64B728B60710050AF818D32B1CB300922EBF5

Function 001795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001795D4
StrokeAndFillPath.GDI32(?,?,001B71F7,00000000,?,?,?), ref: 001795F0
SelectObject.GDI32(?,00000000), ref: 00179603
DeleteObject.GDI32 ref: 00179616
StrokePath.GDI32(?), ref: 00179631

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 84038541f8856211eba953004177be0657f0d3db595b4b5831beae57393ae19d
Instruction ID: 012f3fee0fe88829b180b16c21350642a1f56edd078f696db19ec11a5bcf7694
Opcode Fuzzy Hash: 84038541f8856211eba953004177be0657f0d3db595b4b5831beae57393ae19d
Instruction Fuzzy Hash: 47F0C935009648EBDB169F65EE1CB643B75AB01332F048354F469554F0CB3089A9EF60

Function 00190F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001910F9
__freea.LIBCMT ref: 00191117

Part of subcall function 00191537: _free.LIBCMT ref: 0019154F

Strings

am/pm, xrefs: 0019117A
a/p, xrefs: 001911DE

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: d0c1b87048ea9c3f84ea18ab16cc021ff0c2da1e881280d4e3a79c5262d7436e
Instruction ID: b2a217a80be0a93ca2133447f1f9c3e836dc83970ebb9d16c52b46cee08bd953
Opcode Fuzzy Hash: d0c1b87048ea9c3f84ea18ab16cc021ff0c2da1e881280d4e3a79c5262d7436e
Instruction Fuzzy Hash: 73D1CE31A00207FADF299F68C845ABEB7B1FF06720F294169E915AB650D3759EC0CB91

Function 001E61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00180242: EnterCriticalSection.KERNEL32(0023070C,00231884,?,?,0017198B,00232518,?,?,?,001612F9,00000000), ref: 0018024D
Part of subcall function 00180242: LeaveCriticalSection.KERNEL32(0023070C,?,0017198B,00232518,?,?,?,001612F9,00000000), ref: 0018028A

Part of subcall function 001800A3: __onexit.LIBCMT ref: 001800A9

__Init_thread_footer.LIBCMT ref: 001E6238

Part of subcall function 001801F8: EnterCriticalSection.KERNEL32(0023070C,?,?,00178747,00232514), ref: 00180202
Part of subcall function 001801F8: LeaveCriticalSection.KERNEL32(0023070C,?,00178747,00232514), ref: 00180235

Part of subcall function 001D359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001D35E4
Part of subcall function 001D359C: LoadStringW.USER32(00232390,?,00000FFF,?), ref: 001D360A

Strings

x##, xrefs: 001E6353
x##, xrefs: 001E636F
x##, xrefs: 001E633A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x##$x##$x##
API String ID: 1072379062-4243510225
Opcode ID: c78dae075b58284d285c170b1442af433ea590877868de6880d3dbbfa233918c
Instruction ID: 9174b96da0214bede452d20fbd7d6c8b8fc0900db6784a0c1bd23d698cf0f623
Opcode Fuzzy Hash: c78dae075b58284d285c170b1442af433ea590877868de6880d3dbbfa233918c
Instruction Fuzzy Hash: 24C1BF71A00549AFCB14DF59C894EBEB7B9FF68380F508069FA059B291DB70ED44CB90

Function 001E7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00180242: EnterCriticalSection.KERNEL32(0023070C,00231884,?,?,0017198B,00232518,?,?,?,001612F9,00000000), ref: 0018024D
Part of subcall function 00180242: LeaveCriticalSection.KERNEL32(0023070C,?,0017198B,00232518,?,?,?,001612F9,00000000), ref: 0018028A

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Part of subcall function 001800A3: __onexit.LIBCMT ref: 001800A9

__Init_thread_footer.LIBCMT ref: 001E7BFB

Part of subcall function 001801F8: EnterCriticalSection.KERNEL32(0023070C,?,?,00178747,00232514), ref: 00180202
Part of subcall function 001801F8: LeaveCriticalSection.KERNEL32(0023070C,?,00178747,00232514), ref: 00180235

Strings

5, xrefs: 001E7C78
Variable must be of type 'Object'., xrefs: 001E7C3A
G, xrefs: 001E7C7F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 5a4116cb729e4553fb9bdb736f9cff64fbc3ed6669e682af9ff99a4dd71e0fdb
Instruction ID: 04f73cd321cf64bd24cbaf329a8065019eefc0b010537a12e28f0432d77011e3
Opcode Fuzzy Hash: 5a4116cb729e4553fb9bdb736f9cff64fbc3ed6669e682af9ff99a4dd71e0fdb
Instruction Fuzzy Hash: 3A91DF70A04649EFDB08EF95D980DBDB7B6FF59300F148049F806AB292DB71AE85CB51

Function 001C2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001C21D0,?,?,00000034,00000800,?,00000034), ref: 001CB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001C2760

Part of subcall function 001CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001CB3F8

Part of subcall function 001CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001CB355
Part of subcall function 001CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001C2194,00000034,?,?,00001004,00000000,00000000), ref: 001CB365
Part of subcall function 001CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001C2194,00000034,?,?,00001004,00000000,00000000), ref: 001CB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001C27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001C281A

Strings

@, xrefs: 001C2832

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4bb0c9ab4bcebff9c1d374c2405c327c52c58ecaa6445703a1c5f4620c358ff9
Instruction ID: 2424af28265d4a73bf77fbbd3f6b5e1740174c52186b6f2958976bd1e1d5718c
Opcode Fuzzy Hash: 4bb0c9ab4bcebff9c1d374c2405c327c52c58ecaa6445703a1c5f4620c358ff9
Instruction Fuzzy Hash: 5D411D72900218AFDB10DBA4CD86FEEBBB8EF25700F105059FA55B7181DB70AE45CBA1

Function 0019172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00191769
_free.LIBCMT ref: 00191834
_free.LIBCMT ref: 0019183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00191760, 00191767, 00191796, 001917CE

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 5db5690ca96b9dc067974c4a6761b62eeed5f05ee336ec9ed6a9c4f0afbb4780
Instruction ID: 5b9b94981d646159a90aabf0d4884b3358aac3fae2ccff82562d1f2bf2cec38d
Opcode Fuzzy Hash: 5db5690ca96b9dc067974c4a6761b62eeed5f05ee336ec9ed6a9c4f0afbb4780
Instruction Fuzzy Hash: 9B318B71A4021ABBDF25DB999885DAEBBFCEB95710B1041AAF80497211D7708E81DBA0

Function 001CC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001CC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001CC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00231990,00E584A0), ref: 001CC395

Strings

0, xrefs: 001CC2DF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: cb4697c071c62481a5cace099e104f464ba98d04005effea85d12d8872a24789
Instruction ID: a10fb0dfd335ba0312acb334d2eb90ff4858f1735090fe7443722f1aa5cfe332
Opcode Fuzzy Hash: cb4697c071c62481a5cace099e104f464ba98d04005effea85d12d8872a24789
Instruction Fuzzy Hash: AF419F712043419FD724DF25E885F6ABBE8BBA5310F00861DF8A9D7291D730ED04CB92

Function 001F4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001FCC08,00000000,?,?,?,?), ref: 001F44AA
GetWindowLongW.USER32 ref: 001F44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001F44D7

Strings

SysTreeView32, xrefs: 001F447C

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 977aac01cab0091c90c1dc1c310d78d148eb9865557c6b4cc5cc930fae6b8b18
Instruction ID: b0dd9635ee5a8ee127028b67694b0e2a890c435f933c9d8c433e7d4edfab56f2
Opcode Fuzzy Hash: 977aac01cab0091c90c1dc1c310d78d148eb9865557c6b4cc5cc930fae6b8b18
Instruction Fuzzy Hash: 9F319E71214209AFDB209E38DC45BEB77A9EB08334F204725FA79E21E0D770EC949B50

Function 001E304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001E335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001E3077,?,?), ref: 001E3378

inet_addr.WSOCK32(?), ref: 001E307A
_wcslen.LIBCMT ref: 001E309B
htons.WSOCK32(00000000), ref: 001E3106

Strings

255.255.255.255, xrefs: 001E3095, 001E309A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 002a5c3b4a05ff3d0774a26fb1acc61919d38f8a794d155e05f88711fea96611
Instruction ID: a856f6f0c2266baf4eedab42e721c9bedbd6bd0b9a51307fa941e8196fafae25
Opcode Fuzzy Hash: 002a5c3b4a05ff3d0774a26fb1acc61919d38f8a794d155e05f88711fea96611
Instruction Fuzzy Hash: 853107352006859FCB24CF6AC589E6D77E0EF54318F258059F8258B792CB32DF41C760

Function 001F3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001F3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001F3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 001F3F78

Strings

SysMonthCal32, xrefs: 001F3F0B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8c5e9704d4bd6acc875fdff13df332b8bc3b59ffb47f4534d79b8cd4147cbb3c
Instruction ID: 1b1b9c35165740dec8dbc9837247d217614b4d8648c36d36536ec252b76bd034
Opcode Fuzzy Hash: 8c5e9704d4bd6acc875fdff13df332b8bc3b59ffb47f4534d79b8cd4147cbb3c
Instruction Fuzzy Hash: 22218B32610219BBDF258E90DC46FEA3B79EF48724F110214FA15AB1D0D7B1A9A0DBA0

Function 001F4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001F4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001F4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001F471A

Strings

msctls_updown32, xrefs: 001F4684

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 78ca1cbbb206fb40eda3f17bb456277e1c96936abff780235a985c20770d8495
Instruction ID: 61b6c414b68ce0b369383088d80e5e2347c0132b76f24ea7d09ed2866f97012c
Opcode Fuzzy Hash: 78ca1cbbb206fb40eda3f17bb456277e1c96936abff780235a985c20770d8495
Instruction Fuzzy Hash: 3E213EB5604209AFDB10DF64DC85DB737ADEF9A3A8B040159FA009B251CB71EC61DA60

Function 001C95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C961D

Strings

#OnAutoItStartRegister, xrefs: 001C95F3
#requireadmin, xrefs: 001C95D9
#notrayicon, xrefs: 001C95B7

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 376ea7170a5a91cb01bd9ac2bb12b6bdaedce7e07d528cd652ffcbd413a031a2
Instruction ID: d2ef2897d04802c86b0a30b3ed53aca483eff0600de472222be9223ad17ad9a2
Opcode Fuzzy Hash: 376ea7170a5a91cb01bd9ac2bb12b6bdaedce7e07d528cd652ffcbd413a031a2
Instruction Fuzzy Hash: 3F21353220422166D331BB24DC0AFBB7398AFB5314F54402EFA4A970C1EBA1EE52C7D5

Function 001F37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001F3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001F3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001F3876

Strings

Listbox, xrefs: 001F380F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b4b862d4b6b6be39721980bb4682048660890044ef1e145c342d3c66943be7bc
Instruction ID: 7c7dbc12df8bcccbabf0750911b7c2849c7e0392c853beb11d967be443be7ae9
Opcode Fuzzy Hash: b4b862d4b6b6be39721980bb4682048660890044ef1e145c342d3c66943be7bc
Instruction Fuzzy Hash: 36218E72610218BBEB219F64DC85EBB376AEF897A0F118224FA159B190C775DC52C7A0

Function 001D49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001D4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001D4A5C
SetErrorMode.KERNEL32(00000000,?,?,001FCC08), ref: 001D4AD0

Strings

%lu, xrefs: 001D4A6F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 1dc71f98c21b2b441c8e930cde5bac8502a741a99c571521599ac74f446c8768
Instruction ID: 7b6cbb15b2d4276125aeca1f6a583523cd1827acc0e9907653d1ef56066c1736
Opcode Fuzzy Hash: 1dc71f98c21b2b441c8e930cde5bac8502a741a99c571521599ac74f446c8768
Instruction Fuzzy Hash: 27318275A00108AFDB10DF64C985EAA7BF8EF09308F1480A9F909DB352D771ED55CBA1

Function 001F41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001F424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001F4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001F4271

Strings

msctls_trackbar32, xrefs: 001F4226

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b165820aebc98cdb1fb19cef45bd56cf6a93e871e3db0e1361e4bbeafe84699f
Instruction ID: 40f19325db533ed8d496bf2181f6224b1ee9d82e671d49ef7cebeea502a8307e
Opcode Fuzzy Hash: b165820aebc98cdb1fb19cef45bd56cf6a93e871e3db0e1361e4bbeafe84699f
Instruction Fuzzy Hash: D411E031240248BFEF209E68DC06FBB3BACEF95B64F010524FA55E21A0D371D861DB20

Function 001C2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00166B57: _wcslen.LIBCMT ref: 00166B6A

Part of subcall function 001C2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001C2DC5
Part of subcall function 001C2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001C2DD6
Part of subcall function 001C2DA7: GetCurrentThreadId.KERNEL32 ref: 001C2DDD
Part of subcall function 001C2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001C2DE4

GetFocus.USER32 ref: 001C2F78

Part of subcall function 001C2DEE: GetParent.USER32(00000000), ref: 001C2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001C2FC3
EnumChildWindows.USER32(?,001C303B), ref: 001C2FEB

Strings

%s%d, xrefs: 001C2FFF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: ca71a82894e66a20952de095180b656761aa0d6c029949cbb0334ce378ff2351
Instruction ID: f2b226622f8e53d47b43ff25dd3f54b5409b8a20d3a553bf45b584bdef1c803b
Opcode Fuzzy Hash: ca71a82894e66a20952de095180b656761aa0d6c029949cbb0334ce378ff2351
Instruction Fuzzy Hash: 68119371600209ABCF546FA09C86FFE376AAFB4314F048079F9199B292DF709959DB60

Function 001F5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001F58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001F58EE
DrawMenuBar.USER32(?), ref: 001F58FD

Strings

0, xrefs: 001F588F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 1a15da6c88e939c7b5f47e190ff668c09776d5fdf91bfde9f677b5afec75d3e8
Instruction ID: e34fe0a1dc3a3113c0af54f89158dd24bc15b1763a81bd880d71ffdbc734303f
Opcode Fuzzy Hash: 1a15da6c88e939c7b5f47e190ff668c09776d5fdf91bfde9f677b5afec75d3e8
Instruction Fuzzy Hash: 4401573160021CEEDB259F21DC44BBFBBB5FF45364F1080A9EA49D6161EB708A85EF61

Function 001BD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 001BD3BF
FreeLibrary.KERNEL32 ref: 001BD3E5

Strings

X64, xrefs: 001BD2A8
GetSystemWow64DirectoryW, xrefs: 001BD3B9

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 072b6859e5395363c47bef995375b2271d63b699da991a6a39f1d16ba17c7022
Instruction ID: b6a9d5a1b1e880a72a75ed74d9f41aebd8e36fddc293f5e9203932bbc7b4554d
Opcode Fuzzy Hash: 072b6859e5395363c47bef995375b2271d63b699da991a6a39f1d16ba17c7022
Instruction Fuzzy Hash: 6CF0ABB1809629DBC73D0210BD249FA3374BF00741F5A81A9F406F2115FB24CD9492C2

Function 001C007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52636411c24def720cfeb49522d34f871850c6bb5a9ddef14db4d855b6ebb541
Instruction ID: aa5621822fcbe0df53fbb946bdd4bdcd7b94f7e830258854627786e94ea0fbcd
Opcode Fuzzy Hash: 52636411c24def720cfeb49522d34f871850c6bb5a9ddef14db4d855b6ebb541
Instruction Fuzzy Hash: 7EC14775A0020AEFCB05CFA8C894FAAB7B5FF58304F258598E505EB251C731EE81CB90

Function 00193E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00193F0B
__alldvrm.LIBCMT ref: 0019410C
__alldvrm.LIBCMT ref: 0019412E

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 647717e2fe57bc44c4adbd46370c3d2be24aac842515d54a9ed0c502aed710f3
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: B9A15776E003869FEF25CF28C891BAEBBE5EF61350F18426DE5959B281C3349982C751

Function 001E342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001E3459
CoUninitialize.OLE32 ref: 001E3463
VariantInit.OLEAUT32(?), ref: 001E346E
VariantClear.OLEAUT32(?), ref: 001E371B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 3ac3e2b9a4a4cd7ef2664a8ed2bf20c5aa779138f8eb15b281df94a909ebc608
Instruction ID: 9bfc65e847239eb717a8a3b37803d89030303e9f46dd1e585f6cf8563528597e
Opcode Fuzzy Hash: 3ac3e2b9a4a4cd7ef2664a8ed2bf20c5aa779138f8eb15b281df94a909ebc608
Instruction Fuzzy Hash: FBA148756046009FC700DF29C885A2EB7E5FF9C714F058899F99A9B3A2DB30EE51CB91

Function 001C0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001FFC08,?), ref: 001C05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001FFC08,?), ref: 001C0608
CLSIDFromProgID.OLE32(?,?,00000000,001FCC40,000000FF,?,00000000,00000800,00000000,?,001FFC08,?), ref: 001C062D
_memcmp.LIBVCRUNTIME ref: 001C064E

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 82022b95b18f5271a33d7b6db249e7e41ad4ed2df684c2f0e79a223570eafa7f
Instruction ID: 91375c459aae31a62c81ba1577300f5f560f7703ba8663577f17daddabe74837
Opcode Fuzzy Hash: 82022b95b18f5271a33d7b6db249e7e41ad4ed2df684c2f0e79a223570eafa7f
Instruction Fuzzy Hash: B5811971A00209EFCB05DFA4C984EEEB7B9FF99315F204558E506AB250DB71AE46CF60

Function 001A1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001A14C0

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bbe58044e88c6e6295893b004beb79d0a3c4f219d77ec6678a748d9d0e5fd904
Instruction ID: 4cc93ac58b79202d1b51494205cf926228a2ada19bd7240595b8cb13a6a28a40
Opcode Fuzzy Hash: bbe58044e88c6e6295893b004beb79d0a3c4f219d77ec6678a748d9d0e5fd904
Instruction Fuzzy Hash: B4413C39900214BBDF257BBD9C456BE3AA5FF6B370F140229F418D7192E734894197A1

Function 001F6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001F62E2
ScreenToClient.USER32(?,?), ref: 001F6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001F6382

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 64b859f5c16450418cd128fbf1e8854cd43cdee86385ef5881abac0fbe5f3a51
Instruction ID: 706c1638634f705e420d8c9349a3707ba3bce826f68bf529e0f06580acea9b52
Opcode Fuzzy Hash: 64b859f5c16450418cd128fbf1e8854cd43cdee86385ef5881abac0fbe5f3a51
Instruction Fuzzy Hash: 9D513A74A00209EFCB14DF68D980ABE7BB5FF55360F108269F9199B291D730ED91CB90

Function 001E1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001E1AFD
WSAGetLastError.WSOCK32 ref: 001E1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001E1B8A
WSAGetLastError.WSOCK32 ref: 001E1B94

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 38c90cb87bd77c6372fb0e001725da391b71d9122b0b6fd53a222c2cc4aa2b80
Instruction ID: 8d7534be8578d6c3fc3a0eea4f296bd59cc5c2ba0e1212cff59edf227e7c555e
Opcode Fuzzy Hash: 38c90cb87bd77c6372fb0e001725da391b71d9122b0b6fd53a222c2cc4aa2b80
Instruction Fuzzy Hash: 3C41BF34600600AFE720AF24C88AF2A77E5AB58718F54C48CF95A9F7D2D772ED41CB90

Function 0019B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c730f5d82561cdf4da8359c9105687f419f42159b436a07db2a301d075e783fa
Instruction ID: 4af11ee132e95f405e82ec367ae9801d351a490b7f25871bfb36462b6aca5623
Opcode Fuzzy Hash: c730f5d82561cdf4da8359c9105687f419f42159b436a07db2a301d075e783fa
Instruction Fuzzy Hash: 53412C76A04304BFDB24AF78DD81B6ABBE9EF94710F10452EF152DB2D2D771A9018780

Function 001D56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001D5783
GetLastError.KERNEL32(?,00000000), ref: 001D57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001D57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001D57FA

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 16bec71805d57c42576a3abc44b89e72dae96782d4e357762525fa87139dad93
Instruction ID: 32798dbb7e1972451235efe4bdebb58494c0f4810b704f58f89a758f4c06561b
Opcode Fuzzy Hash: 16bec71805d57c42576a3abc44b89e72dae96782d4e357762525fa87139dad93
Instruction Fuzzy Hash: 8B414E39600A10DFCB11DF55C544A5EBBF2EF99325B198489EC4AAB362CB30FD50DB91

Function 0019D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00186D71,00000000,00000000,001882D9,?,001882D9,?,00000001,00186D71,8BE85006,00000001,001882D9,001882D9), ref: 0019D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0019D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0019D9AB
__freea.LIBCMT ref: 0019D9B4

Part of subcall function 00193820: RtlAllocateHeap.NTDLL(00000000,?,00231444,?,0017FDF5,?,?,0016A976,00000010,00231440,001613FC,?,001613C6,?,00161129), ref: 00193852

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 49e8e57b9ed3f56ce2eec633a470790cfd38c58aacc347df5f25cee92e790562
Instruction ID: 1f37769057132a3f77ce70ebaf1bc9757638b64d518625f9046283cbd29b29fc
Opcode Fuzzy Hash: 49e8e57b9ed3f56ce2eec633a470790cfd38c58aacc347df5f25cee92e790562
Instruction Fuzzy Hash: D431CF72A0020AABDF25EFA4EC45EAF7BA5EB41314F154169FC04D7291EB35CD54CB90

Function 001F52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001F5352
GetWindowLongW.USER32(?,000000F0), ref: 001F5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001F5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001F53A8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: b8ea92ac4df7b07717e46c917acec605d5eeb8042379cf7898209c4f7d93c1b5
Instruction ID: 350d9897c60d9b6e62e4c50b4c7b96d7240cd2fb981cf28a9e33ed859f8f867e
Opcode Fuzzy Hash: b8ea92ac4df7b07717e46c917acec605d5eeb8042379cf7898209c4f7d93c1b5
Instruction Fuzzy Hash: 92318235A55A0CEFEB349A1CCC59BF977A7BB053D0F584101FB11962E1C7B09990EB82

Function 001CAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 001CABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001CAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001CAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 001CACC6

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: eae983ce014316590941be8d4ebe00e16ff70fd10dbcb3158d7b9fde35db8fdb
Instruction ID: 0ec943ffa703477c811440ec0cc0e0aeafb229480658ed402bdc680d8f85a6c4
Opcode Fuzzy Hash: eae983ce014316590941be8d4ebe00e16ff70fd10dbcb3158d7b9fde35db8fdb
Instruction Fuzzy Hash: 8E315930A0431C6FEF36CB648C08FFA7BA5AF64328F84431EE485961D0C334C981979A

Function 001F7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001F769A
GetWindowRect.USER32(?,?), ref: 001F7710
PtInRect.USER32(?,?,001F8B89), ref: 001F7720
MessageBeep.USER32(00000000), ref: 001F778C

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 634043dbf380ea6efa4d4a5b7f24ef13d7982f5098273dc38f8056d37f993569
Instruction ID: 1b9e138bddf4a448284b583e79f171818b2899cd8df6e5b31e7f565e86fdce29
Opcode Fuzzy Hash: 634043dbf380ea6efa4d4a5b7f24ef13d7982f5098273dc38f8056d37f993569
Instruction Fuzzy Hash: C2418D34A19258DFCB01EF59D898EB977F5FB89314F1542A8E614DB2A1C730E942CF90

Function 001F16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001F16EB

Part of subcall function 001C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001C3A57
Part of subcall function 001C3A3D: GetCurrentThreadId.KERNEL32 ref: 001C3A5E
Part of subcall function 001C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001C25B3), ref: 001C3A65

GetCaretPos.USER32(?), ref: 001F16FF
ClientToScreen.USER32(00000000,?), ref: 001F174C
GetForegroundWindow.USER32 ref: 001F1752

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d9768d9921b709de6483d7b6bd546515a8d7d3882ebcde31484b775431286eb2
Instruction ID: 4d03c3995991f679cd1fd010bd11ff3b3def2741b6ce27f48012d98c7a8682f1
Opcode Fuzzy Hash: d9768d9921b709de6483d7b6bd546515a8d7d3882ebcde31484b775431286eb2
Instruction Fuzzy Hash: 35313C75D00249AFCB04EFA9C981DBEBBF9EF58304B5080AAE415E7211E771DE45CBA0

Function 001CD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001CD501
Process32FirstW.KERNEL32(00000000,?), ref: 001CD50F
Process32NextW.KERNEL32(00000000,?), ref: 001CD52F
CloseHandle.KERNEL32(00000000), ref: 001CD5DC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5dc835a7858044fee256297f9d5456fdeb695501e801f0d33b839614ff75b149
Instruction ID: 26510ba8b89f6d4017b4a2c80af1678f7f88dcc70731d632ee321cb0b968faa6
Opcode Fuzzy Hash: 5dc835a7858044fee256297f9d5456fdeb695501e801f0d33b839614ff75b149
Instruction Fuzzy Hash: E3319C710082049FD300EF54DC81EAFBBF8AFA9344F10092DF585861A1EB71D999DBA2

Function 001F8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00179BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00179BB2

GetCursorPos.USER32(?), ref: 001F9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,001B7711,?,?,?,?,?), ref: 001F9016
GetCursorPos.USER32(?), ref: 001F905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,001B7711,?,?,?), ref: 001F9094

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 273cff6d6f603f281440bb03885558dd585675cc5db605b1948a3e85d4345e6f
Instruction ID: e0bbc6b0e098e1af5cd8ad24302f4122a9bf9c2b7913b2713c8aeff45c195146
Opcode Fuzzy Hash: 273cff6d6f603f281440bb03885558dd585675cc5db605b1948a3e85d4345e6f
Instruction Fuzzy Hash: B321603560001CEFDB15DF94D858FFA7BB9EB49350F144165F6054B2A1C7319991EF60

Function 001CD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001FCB68), ref: 001CD2FB
GetLastError.KERNEL32 ref: 001CD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001CD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001FCB68), ref: 001CD376

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 00943e5f4d1a764ddb1151e3964a18fa382c172bfc9f25a7138795bab4c2e08a
Instruction ID: 849afa14c8153b0af07e59257e7ed1cd8a9fa26da1933c0c2cb5afc78317af72
Opcode Fuzzy Hash: 00943e5f4d1a764ddb1151e3964a18fa382c172bfc9f25a7138795bab4c2e08a
Instruction Fuzzy Hash: 6D21A3B05042459F8300DF24D98196AB7E8FF65364F105A2EF499C72A1D730D946DB93

Function 001C1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001C102A
Part of subcall function 001C1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001C1036
Part of subcall function 001C1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001C1045
Part of subcall function 001C1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001C104C
Part of subcall function 001C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001C1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001C15BE
_memcmp.LIBVCRUNTIME ref: 001C15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001C1617
HeapFree.KERNEL32(00000000), ref: 001C161E

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 60122e85d6ce8a6bb55fabcc136fb05125f2b76f817f42be74824f10e3eed3a0
Instruction ID: 50e5c200b7ad7cd010b32fd570091aff0c7cb0ea988d0e28b50fc36b2db98c43
Opcode Fuzzy Hash: 60122e85d6ce8a6bb55fabcc136fb05125f2b76f817f42be74824f10e3eed3a0
Instruction Fuzzy Hash: BF216971E80118FFDB00DFA4C945BEEB7B8EF66354F184459E441AB242E770EA45DBA0

Function 001F2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001F280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001F2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001F2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001F2840

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 7d0506a5eaf7bcedef33eab22af28fe0c8f771b9d60290e327fa3c74200d66fe
Instruction ID: 18b946beac10507c7907fb99fc8bcb60921ba68c323af214a3575a37af27c7fe
Opcode Fuzzy Hash: 7d0506a5eaf7bcedef33eab22af28fe0c8f771b9d60290e327fa3c74200d66fe
Instruction Fuzzy Hash: 6821CF31209519AFD714AB24CC54FBA7B95AF95324F148258F52ACB6E2CB71FC82CBD0

Function 001C78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001C8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001C790A,?,000000FF,?,001C8754,00000000,?,0000001C,?,?), ref: 001C8D8C
Part of subcall function 001C8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 001C8DB2
Part of subcall function 001C8D7D: lstrcmpiW.KERNEL32(00000000,?,001C790A,?,000000FF,?,001C8754,00000000,?,0000001C,?,?), ref: 001C8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001C8754,00000000,?,0000001C,?,?,00000000), ref: 001C7923
lstrcpyW.KERNEL32(00000000,?), ref: 001C7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001C8754,00000000,?,0000001C,?,?,00000000), ref: 001C7984

Strings

cdecl, xrefs: 001C797B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 854231cad55d92634e235f276b034056cf78170f913c10add5927b3af6f189c2
Instruction ID: 6cd6e17816a8cf9ff7006e16addb94f7cf7d1de8c11cbd7697d32b112d43dd49
Opcode Fuzzy Hash: 854231cad55d92634e235f276b034056cf78170f913c10add5927b3af6f189c2
Instruction Fuzzy Hash: 1411063A204242ABCB156F34D845E7B77A5FF65364B10402EF846C72A4EF71D811DBA1

Function 001F7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001F7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 001F7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001F7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001DB7AD,00000000), ref: 001F7D6B

Part of subcall function 00179BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00179BB2

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 6af3418512769065a7735437a06ce0ddb094f05bbf0c565ad7593b16b86a2443
Instruction ID: b8a634fe79b1ceb017ccb404b9c5861acdfd09cf76d1c18eadd33b5e7b4c3235
Opcode Fuzzy Hash: 6af3418512769065a7735437a06ce0ddb094f05bbf0c565ad7593b16b86a2443
Instruction Fuzzy Hash: D611AF31608659AFCB109F68DC08AB63BA5AF45360B558724F939CB2F0D7309962DB90

Function 001F5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001F56BB
_wcslen.LIBCMT ref: 001F56CD
_wcslen.LIBCMT ref: 001F56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001F5816

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: aec11febce50ff3325a7636138a0e716b13003d5070206ee15f1e45ac77c230b
Instruction ID: 9a37bcb0de0bf8b3fdc4d6a2ec5c63864344d14bdb03d64c3c1eceb2dfcdce21
Opcode Fuzzy Hash: aec11febce50ff3325a7636138a0e716b13003d5070206ee15f1e45ac77c230b
Instruction Fuzzy Hash: 8611B175A0060C96DB209F618C85AFE77BCBF11764B10412AFB16D6081EBB08A80CB60

Function 00191D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80a1251ca37d52ad86e054cad93bc1eab32df0e1b9a805ab897e00443d6a9bc
Instruction ID: 2d84c05ec976e4f5cdcf59aecd862c8a30268ba565dbae1d6f49ade3729fdcc7
Opcode Fuzzy Hash: d80a1251ca37d52ad86e054cad93bc1eab32df0e1b9a805ab897e00443d6a9bc
Instruction Fuzzy Hash: 97018BB260961B7EFE2126B86CC8F67669CEF513B8B310325F521A11D2DB608C8091A0

Function 001C1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001C1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001C1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001C1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001C1A8A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b3efcf6b6f8aa1fdf12d6c353c2159219dabe763ab5e271dfab0b4cbc5849c9b
Instruction ID: 90f0cfa49e275cdbb0830dc76c408ed096799530e371d9ffd4dfe66d479d3908
Opcode Fuzzy Hash: b3efcf6b6f8aa1fdf12d6c353c2159219dabe763ab5e271dfab0b4cbc5849c9b
Instruction Fuzzy Hash: 6811393AD41219FFEB10DBA4CD85FADBB79EB18750F200095EA01B7290D771AE50DB94

Function 001CE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001CE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001CE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001CE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001CE24D

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 5b69f60780cc97066b65885c503f2bde30c0db39c676140d2796f714e5e7aefc
Instruction ID: 3a22bf35a6aaee96a588b242f56c3b3509e163680f052509a5113dbabc292b6c
Opcode Fuzzy Hash: 5b69f60780cc97066b65885c503f2bde30c0db39c676140d2796f714e5e7aefc
Instruction Fuzzy Hash: DA11C476904258BBC7019BA8AC09FAE7FBDAB55320F044259F925E3291D7B0C9149BA0

Function 0018D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0018CFF9,00000000,00000004,00000000), ref: 0018D218
GetLastError.KERNEL32 ref: 0018D224
__dosmaperr.LIBCMT ref: 0018D22B
ResumeThread.KERNEL32(00000000), ref: 0018D249

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d75240df4c7331b0ae18d925ce8b9cb40c1e332a3e470abe726acc41938bd3f4
Instruction ID: d9a27ccaef46f7f1c6acc8a358528e57e27ac72b0b22b7b3740091d33eb3a9cc
Opcode Fuzzy Hash: d75240df4c7331b0ae18d925ce8b9cb40c1e332a3e470abe726acc41938bd3f4
Instruction Fuzzy Hash: 8C01D236805308BBDB157BA5EC09BAE7B6AEF91330F100219F925921E0CF70CA41DBE0

Function 001F9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00179BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00179BB2

GetClientRect.USER32(?,?), ref: 001F9F31
GetCursorPos.USER32(?), ref: 001F9F3B
ScreenToClient.USER32(?,?), ref: 001F9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 001F9F7A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: bcc50236e8283677169f91fa8560e943163d497bda742226e5b1bf2e7636e8bd
Instruction ID: 337e31d8b1010e409157a604bb33c80182b8eb07de4e426027b759daeb3d33cd
Opcode Fuzzy Hash: bcc50236e8283677169f91fa8560e943163d497bda742226e5b1bf2e7636e8bd
Instruction Fuzzy Hash: 01113372A0011EABDB00EFA8D889AFEBBB9EB45311F000451FA01E7150D730BA95CBA1

Function 0016600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0016604C
GetStockObject.GDI32(00000011), ref: 00166060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0016606A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 7f24af3f912629e45196db94d6dd4237c24623292943a7d6915ad8aa8ed28bb0
Instruction ID: 1ce08c46f72262f511ee3e5658ae573e870f1e47ff0be6d43611f00cd2a8dd2a
Opcode Fuzzy Hash: 7f24af3f912629e45196db94d6dd4237c24623292943a7d6915ad8aa8ed28bb0
Instruction Fuzzy Hash: E0116D72501508BFEF165FA49C44EFABF6DEF193A4F050225FA1552110D7369CB0EBA0

Function 00183B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00183B56

Part of subcall function 00183AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00183AD2
Part of subcall function 00183AA3: ___AdjustPointer.LIBCMT ref: 00183AED

_UnwindNestedFrames.LIBCMT ref: 00183B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00183B7C
CallCatchBlock.LIBVCRUNTIME ref: 00183BA4

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 2e292ee0400028b41cf1d1f4f500e8a14c5f9d4c151b222538fc1ae072876cdd
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2C012972100149BBDF126E95CC42EEB3F6AEF58B54F084014FE5896121D732EA61EFA0

Function 00193073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001613C6,00000000,00000000,?,0019301A,001613C6,00000000,00000000,00000000,?,0019328B,00000006,FlsSetValue), ref: 001930A5
GetLastError.KERNEL32(?,0019301A,001613C6,00000000,00000000,00000000,?,0019328B,00000006,FlsSetValue,00202290,FlsSetValue,00000000,00000364,?,00192E46), ref: 001930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0019301A,001613C6,00000000,00000000,00000000,?,0019328B,00000006,FlsSetValue,00202290,FlsSetValue,00000000), ref: 001930BF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: eb813c4e7b1fecafac674dc7df8b7a7a49950480f0411e74bbeaa642a693df25
Instruction ID: 2caf27048b2578fa460785fb61face2bec9dee6f7c376202113c24b71aebf8ca
Opcode Fuzzy Hash: eb813c4e7b1fecafac674dc7df8b7a7a49950480f0411e74bbeaa642a693df25
Instruction Fuzzy Hash: C2012B32701326ABCF314B78AC4896B7B98EF05BA1B190620F926E3140C721DD45C6E0

Function 001C7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001C747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001C7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001C74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001C74CA

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 09058c5689e1d48ce24a11316750448bf06b0e2228cd0106e71264d8a05de395
Instruction ID: 40019fa1cae787c17d967ae8b35ecc81a350c115e021305ae69088f8176d9764
Opcode Fuzzy Hash: 09058c5689e1d48ce24a11316750448bf06b0e2228cd0106e71264d8a05de395
Instruction Fuzzy Hash: 2F11ADB1209314ABE7248F14DD09FA6BFFCEB00B00F10856DA626D6591D7B0E944EFA0

Function 001CB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001CACD3,?,00008000), ref: 001CB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001CACD3,?,00008000), ref: 001CB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001CACD3,?,00008000), ref: 001CB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001CACD3,?,00008000), ref: 001CB126

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: fb4c0465ae0e793fdf50a87a438674b38a064d809870f3aee64f2894cffa1e73
Instruction ID: a13133d36162907b64cc296e77c4845db41d60257adba7b035df959306fbddc4
Opcode Fuzzy Hash: fb4c0465ae0e793fdf50a87a438674b38a064d809870f3aee64f2894cffa1e73
Instruction Fuzzy Hash: 66112A71C0951CE7CF049FE4E99ABFEBB78BF19711F154089D941B2181CB309560DB92

Function 001F7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001F7E33
ScreenToClient.USER32(?,?), ref: 001F7E4B
ScreenToClient.USER32(?,?), ref: 001F7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001F7E8A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 639cf82fe313ea9915e7643f5baa90030a0448da77488e2dcc2d57a42b673f0b
Instruction ID: 416b449b7027b5f686cea238ab93d9bbce54f1280178a8c8c353e45547eeb8de
Opcode Fuzzy Hash: 639cf82fe313ea9915e7643f5baa90030a0448da77488e2dcc2d57a42b673f0b
Instruction Fuzzy Hash: D81163B9D0024EAFDB41DF98C9849EEBBF5FB08310F104056E911E2610D734AA94DF90

Function 001C2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001C2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001C2DD6
GetCurrentThreadId.KERNEL32 ref: 001C2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001C2DE4

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 609291ae84a856da2650892bea41f60b37848a95ce8b8e84fe83ffc46f6f6e09
Instruction ID: 4086ab7f68f83b738b323897d0c2c023264b54f8fd8b47080155f4ffe20f3130
Opcode Fuzzy Hash: 609291ae84a856da2650892bea41f60b37848a95ce8b8e84fe83ffc46f6f6e09
Instruction Fuzzy Hash: 6EE06D71105228BBD7201BA29D0DFFB3E6CEF62BB1F000019F106D15809AA0C880E6F1

Function 001F8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00179639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00179693
Part of subcall function 00179639: SelectObject.GDI32(?,00000000), ref: 001796A2
Part of subcall function 00179639: BeginPath.GDI32(?), ref: 001796B9
Part of subcall function 00179639: SelectObject.GDI32(?,00000000), ref: 001796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001F8887
LineTo.GDI32(?,?,?), ref: 001F8894
EndPath.GDI32(?), ref: 001F88A4
StrokePath.GDI32(?), ref: 001F88B2

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0d722422659a2d42fdc1fbed2dc9f16114a729945dd54b91e0956b8c7edddc86
Instruction ID: aa504adc6787691746b2a34726dae1b2fad72b47414b5ca88629936992cab43a
Opcode Fuzzy Hash: 0d722422659a2d42fdc1fbed2dc9f16114a729945dd54b91e0956b8c7edddc86
Instruction Fuzzy Hash: D7F03A3A045259FADB125F94AD0DFEA3E69AF06310F048100FA11650E1CB755561DFE5

Function 001798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001798CC
SetTextColor.GDI32(?,?), ref: 001798D6
SetBkMode.GDI32(?,00000001), ref: 001798E9
GetStockObject.GDI32(00000005), ref: 001798F1

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: ae8163390b8d5d6be8c773455228334c7c831daf3dde09f8f22de9cdc754f0c5
Instruction ID: 53988e7e3222b745769a64c6c532b83c45badf6028572273120a8f1bbc89cd56
Opcode Fuzzy Hash: ae8163390b8d5d6be8c773455228334c7c831daf3dde09f8f22de9cdc754f0c5
Instruction Fuzzy Hash: 5FE06531244244EADB215B74AD09BF83F21EB51336F148219F6F9584E1C3714694EB10

Function 001C162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001C1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001C11D9), ref: 001C163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001C11D9), ref: 001C1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001C11D9), ref: 001C164F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 23e2f2d915cd67637c6acf816da46de42a4adb74a1856d488caaca683af134ec
Instruction ID: 486ba15865904cd9b32fb5f9ea17762c523e769782781011d3d4621f06bf8db6
Opcode Fuzzy Hash: 23e2f2d915cd67637c6acf816da46de42a4adb74a1856d488caaca683af134ec
Instruction Fuzzy Hash: C0E08676641225EBD7201FB09F0DF673B7CEF55791F144808F245C9080DB748485D790

Function 001BD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001BD858
GetDC.USER32(00000000), ref: 001BD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001BD882
ReleaseDC.USER32(?), ref: 001BD8A3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9d2277b4d70259b4b9b8078b415ce99b7cd5f872eff6a05cefc300ed57cee74f
Instruction ID: 060a17f8bbe8063ac71f4dc60eefed14a52720800d611373a603ee871cff2bd5
Opcode Fuzzy Hash: 9d2277b4d70259b4b9b8078b415ce99b7cd5f872eff6a05cefc300ed57cee74f
Instruction Fuzzy Hash: EFE01AB4804208DFCB459FA4DA08A7DBBB1FB08321F118449F846E7750CB384991EF80

Function 001BD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 001BD86C
GetDC.USER32(00000000), ref: 001BD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 001BD882
ReleaseDC.USER32(?), ref: 001BD8A3

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 340e97cf0e8e884f1b876f4daa3d783f5071175a051d6903bb56f0dbc5bb4d09
Instruction ID: c5bf2f2a41b498a7609fbe9f652cee1ee9e7e6a571b40786e4677f7fc5b18df2
Opcode Fuzzy Hash: 340e97cf0e8e884f1b876f4daa3d783f5071175a051d6903bb56f0dbc5bb4d09
Instruction Fuzzy Hash: 50E01A74804208DFCB409FA4D90867DBBB1BB08320B108448F84AE7750CB385941EF80

Function 001D4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00167620: _wcslen.LIBCMT ref: 00167625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001D4ED4

Strings

*, xrefs: 001D4E10
LPT, xrefs: 001D4DFB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 8c9adebe0fd2d3dedb3e64d4857d8d1b04f659ddf83bd1218427f1c44fd4d509
Instruction ID: 32bd91dbc078ab3919998273e7a3d6d46a65162ecd26cca4732fa4f0c41ced91
Opcode Fuzzy Hash: 8c9adebe0fd2d3dedb3e64d4857d8d1b04f659ddf83bd1218427f1c44fd4d509
Instruction Fuzzy Hash: F2917475A00244DFCB14DF58C484EAABBF1BF44308F19809AE84A9F3A2D735ED85CB91

Function 0018E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0018E30D

Strings

pow, xrefs: 0018E2E5, 0018E302

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f6630f45999a1a58ea51558db208560204aa3aecaa27af19b166a8ed31328d41
Instruction ID: d89c94e7c993967a6445742a143c179d40bc80672a370038dc802053b0df1655
Opcode Fuzzy Hash: f6630f45999a1a58ea51558db208560204aa3aecaa27af19b166a8ed31328d41
Instruction Fuzzy Hash: A4518A61A2C20296CF157714D9093BA3BE4BF50B80F304999F4D6822E9EB308D959F86

Function 001E7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(001B569E,00000000,?,001FCC08,?,00000000,00000000), ref: 001E78DD

Part of subcall function 00166B57: _wcslen.LIBCMT ref: 00166B6A

CharUpperBuffW.USER32(001B569E,00000000,?,001FCC08,00000000,?,00000000,00000000), ref: 001E783B

Strings

<s", xrefs: 001E77C8

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s"
API String ID: 3544283678-54701623
Opcode ID: f87fead25ee854da7d63c253af2605c09de4c7005cfd3fc20f47969d1d958f6c
Instruction ID: 3ff4ba03ea80e5de7334aafeb77929905852717615e0f54b2af3f5926f1c5555
Opcode Fuzzy Hash: f87fead25ee854da7d63c253af2605c09de4c7005cfd3fc20f47969d1d958f6c
Instruction Fuzzy Hash: 1B616B72914168EBDF04EBE5DC91DFEB378BF28704B444129E542B7192EF306A19DBA0

Function 0017E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0017E1B1

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: af71394673721c9c0305799ab6d51fff0331caab3078afa0bd86f141c41f8e43
Instruction ID: f989575d55bb8cd6dc819f6fd6310946c6d2707b6e62e192e6d6216dd38ce229
Opcode Fuzzy Hash: af71394673721c9c0305799ab6d51fff0331caab3078afa0bd86f141c41f8e43
Instruction Fuzzy Hash: 4E512135504246EFDB19DF68C481AFA7BF8EF29310F248099F8959B2D1DB309D52DBA0

Function 0017F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0017F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0017F2BB

Strings

@, xrefs: 0017F2AF

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2147a39c9a360ba438d7638413dde646c9536d259df50bb2db34f318901a5a45
Instruction ID: 7739a4c37f6b26ea763820e324a819989e0ae3c408458edbb961da4eb67678fe
Opcode Fuzzy Hash: 2147a39c9a360ba438d7638413dde646c9536d259df50bb2db34f318901a5a45
Instruction Fuzzy Hash: DA5175714187459BD320AF50EC86BABBBF8FB94304F81884CF6D9410A5EB718539CBA6

Function 001E5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001E57E0
_wcslen.LIBCMT ref: 001E57EC

Strings

CALLARGARRAY, xrefs: 001E57E6, 001E57EB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 70c9d85dc82482022826a859eb3b61cd185a2799e78aa09c8e2232884dec0f8a
Instruction ID: c0120aff88fc7afeb39d751d755819ff0d5fd2b058ce245cdff344e33d151804
Opcode Fuzzy Hash: 70c9d85dc82482022826a859eb3b61cd185a2799e78aa09c8e2232884dec0f8a
Instruction Fuzzy Hash: A441A031E006099FCB14DFAAC985DBEBBF6EF69328F14416DE505A7291E7309D81CB90

Function 001DD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001DD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001DD13A

Strings

|, xrefs: 001DD10B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6a2c6ff3bf48fee0bcb3afc1555c901ad6fde3472319440e3da6c9694b176a63
Instruction ID: fd3d89193b4f36342f0a874e6930083d453b8bde23c1ce2ed845f557d2ad41c5
Opcode Fuzzy Hash: 6a2c6ff3bf48fee0bcb3afc1555c901ad6fde3472319440e3da6c9694b176a63
Instruction Fuzzy Hash: 36312F71D00219ABCF15EFA4DC85EEEBFB9FF14300F100159F815A6265D731AA56DB90

Function 001F356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001F3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001F365C

Strings

static, xrefs: 001F35BC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a646ada8151c7bc85fd950b6935111a05866ebec72d8a40123839e7bc967704f
Instruction ID: a21b5217643e666d901d84224915e07747b955fb8dd3ec60f8ffb6d3e13b60c2
Opcode Fuzzy Hash: a646ada8151c7bc85fd950b6935111a05866ebec72d8a40123839e7bc967704f
Instruction Fuzzy Hash: 0E319C71100208AEDB109F68DC80EFB73A9FF98764F008619FAA5D7290DB31ED91D760

Function 001F4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 001F461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001F4634

Strings

', xrefs: 001F458E

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 40a05818069f4fd29d1476f33b809b5bc5c9eede8c63366545283b342df4b599
Instruction ID: cc480eb3014a6add96a4635fafe61349d2d6488c236acdec9e7cc515f2fff75c
Opcode Fuzzy Hash: 40a05818069f4fd29d1476f33b809b5bc5c9eede8c63366545283b342df4b599
Instruction Fuzzy Hash: D0311674A002099FDB14DFA9C990BEA7BB5FF09310F10406AEA05EB351D770A941CF90

Function 001F31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001F327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001F3287

Strings

Combobox, xrefs: 001F3249

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9815dcdacb7d5b92b16692c7553637f63adaffb8c5bd77719b16d2b97bfc5e75
Instruction ID: b80c18f1f47c0f3258e21f22f6429bdc5e916a90509c76682ac4ede8e1e9d0d4
Opcode Fuzzy Hash: 9815dcdacb7d5b92b16692c7553637f63adaffb8c5bd77719b16d2b97bfc5e75
Instruction Fuzzy Hash: 3111B27130420C7FFF259E94DC84EBB376AEB943A4F104125FA2997290D7319D619760

Function 001F3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0016600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0016604C
Part of subcall function 0016600E: GetStockObject.GDI32(00000011), ref: 00166060
Part of subcall function 0016600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0016606A

GetWindowRect.USER32(00000000,?), ref: 001F377A
GetSysColor.USER32(00000012), ref: 001F3794

Strings

static, xrefs: 001F3757

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 48f24fa033953fd5d59a5a13155470d55f9bea8f0681bba04dea532168c2a320
Instruction ID: c1d682ecd1b48f397bf859b6b6d04f459d2863b4966012da34b661f7b6350afd
Opcode Fuzzy Hash: 48f24fa033953fd5d59a5a13155470d55f9bea8f0681bba04dea532168c2a320
Instruction Fuzzy Hash: A31129B261020EAFDB01EFA8CC45AFA7BB8EB08354F004A14FA65E2250D735E861DB50

Function 001DCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001DCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001DCDA6

Strings

<local>, xrefs: 001DCD66

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 22cc2e67b258b504f9caa112d8cc27690a3d0e112f7e4b4877a4958d44b6acb4
Instruction ID: 83b3a7b89a8a7c255cff2a7f732899df63303672280d4aaa8a9049fc5eba18d8
Opcode Fuzzy Hash: 22cc2e67b258b504f9caa112d8cc27690a3d0e112f7e4b4877a4958d44b6acb4
Instruction Fuzzy Hash: 8611CA71115A3679DB384BA68C45FF7BE5EEF127A4F004627B10A83280D7749840D6F0

Function 001F3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001F34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001F34BA

Strings

edit, xrefs: 001F348F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6a60359ea93e98a4dc534e3632da80e945f58577ed87082a715245c969e85e8a
Instruction ID: 926a99bb63fde3fc8c68db0ba75041ce714d5d55f22c582489b5aeb01760b9d6
Opcode Fuzzy Hash: 6a60359ea93e98a4dc534e3632da80e945f58577ed87082a715245c969e85e8a
Instruction Fuzzy Hash: E0113AB110020CAAEB128E64DC44AFA376AEB15778F504724FA75971E0C771DD91AB64

Function 001C6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

CharUpperBuffW.USER32(?,?,?), ref: 001C6CB6
_wcslen.LIBCMT ref: 001C6CC2

Strings

STOP, xrefs: 001C6CBC, 001C6CC1

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: cde3a01fe73af48f5ecbf6963f1e020ae0d409df30612c6d092868418f19e277
Instruction ID: 14ff035a603afef67c87f2e6ac015c4bb73df5069bbab1c8f88e28304b85127d
Opcode Fuzzy Hash: cde3a01fe73af48f5ecbf6963f1e020ae0d409df30612c6d092868418f19e277
Instruction Fuzzy Hash: 1C01C032A1052A8BCB20AFFDDC80EBF77A9EF71764B51052CE8A297194EB31D950C650

Function 001C1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Part of subcall function 001C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001C3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001C1D4C

Strings

ListBox, xrefs: 001C1D16
ComboBox, xrefs: 001C1CEB

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d660cd2088962accac98779c2cf6ed5ebc19cf07409269b06cdb3e631ba6b4a7
Instruction ID: 3933b249e99939fa93eec110e7be412395daf118e98edff075828c0748535169
Opcode Fuzzy Hash: d660cd2088962accac98779c2cf6ed5ebc19cf07409269b06cdb3e631ba6b4a7
Instruction Fuzzy Hash: 1101B571641228BBCB08EBE4DD55EFE7368EB77350B14091EB833572C2EB30D9199660

Function 00161CD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00162B12,?,?,?,?,?,?,?,?,00161CAD,?), ref: 00161D11

Part of subcall function 00166B57: _wcslen.LIBCMT ref: 00166B6A

Strings

X], xrefs: 00161D1D
}, xrefs: 00161D2B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID: X]$}
API String ID: 4019309064-3930791086
Opcode ID: 5da984682ea549dc09d3b99c09107c310d33360ffe4cc0dd41f4ebdfe5f14e69
Instruction ID: bc509417e62e5d2fb8efb9007c529174e02540445fb4907dafbcc78a51150d90
Opcode Fuzzy Hash: 5da984682ea549dc09d3b99c09107c310d33360ffe4cc0dd41f4ebdfe5f14e69
Instruction Fuzzy Hash: B0119675A00219AACB10FBE4DD05EDE73BCEF18750F0044A1BA99D7191DB70E7A89B60

Function 001C1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Part of subcall function 001C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001C3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001C1C46

Strings

ListBox, xrefs: 001C1C10
ComboBox, xrefs: 001C1BE5

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: bfd642093b39f39622f35ff5a35ead101d6e30f30abd2b978e1331b5816cd97c
Instruction ID: 4997ed3a4ef4e91681603c08849346e72d64bcb102e45320810807625f010769
Opcode Fuzzy Hash: bfd642093b39f39622f35ff5a35ead101d6e30f30abd2b978e1331b5816cd97c
Instruction Fuzzy Hash: 6B01847568111877CB08EB90DE52EFF77AC9B32340F14001DB41667282EB34DA28E6B5

Function 001C1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Part of subcall function 001C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001C3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 001C1CC8

Strings

ListBox, xrefs: 001C1C94
ComboBox, xrefs: 001C1C69

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 390463ea685a3de07661a403b2f8c97c4993b767f3460970a9e83f970e39d372
Instruction ID: f8480ca9f0aa1f438729eb345375e8586290fbe10ea308a4c814458769a17437
Opcode Fuzzy Hash: 390463ea685a3de07661a403b2f8c97c4993b767f3460970a9e83f970e39d372
Instruction Fuzzy Hash: 81018F7168011877CB04EBA0DE12FFE73AC9B32340B540019B802A7282EB70DE29D676

Function 001C1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00169CB3: _wcslen.LIBCMT ref: 00169CBD

Part of subcall function 001C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001C3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 001C1DD3

Strings

ListBox, xrefs: 001C1DA0
ComboBox, xrefs: 001C1D75

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1cd6a468485e28bc2f4542556183fdbaca5d5f4072558abfc50551e6239ea445
Instruction ID: 0a9bdb438a9cf850562a8c9a68c28134a85675f48708e437d3db3c9d5dcbbb0f
Opcode Fuzzy Hash: 1cd6a468485e28bc2f4542556183fdbaca5d5f4072558abfc50551e6239ea445
Instruction Fuzzy Hash: 0FF0F471A8022877CB08F7E4DD56FFE736CAB32350F040919B823A72C6DB7099189260

Function 001F8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00233018,0023305C), ref: 001F81BF
CloseHandle.KERNEL32 ref: 001F81D1

Strings

\0#, xrefs: 001F818A

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0#
API String ID: 3712363035-3888531783
Opcode ID: 7a757975bafa74a518049731628a58104013728248d57c99f82983be6cd0b5a0
Instruction ID: 9642eef21032f3dd871b20aa5548d7eef80837f4da911402fd32c5d57fa22492
Opcode Fuzzy Hash: 7a757975bafa74a518049731628a58104013728248d57c99f82983be6cd0b5a0
Instruction Fuzzy Hash: 1CF05EF6A40304BEF224AB61AC99FB73A9CEB18751F000420FB08D51A2D6798B5497F8

Function 001E747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001E7493
_wcslen.LIBCMT ref: 001E74B9

Strings

3, 3, 16, 1, xrefs: 001E7483

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: be9a7a547f25e53a7766e4767b9dad3f85e577be788eb629d8c5108cc00299f2
Instruction ID: 201f39282aee3a9aa58b7e47ba2d92f87e5c576292c124da4de31a1d3fbc2814
Opcode Fuzzy Hash: be9a7a547f25e53a7766e4767b9dad3f85e577be788eb629d8c5108cc00299f2
Instruction Fuzzy Hash: 52E02B0261566121B231227BACC197F5689CFDD750714182BF985C22E6EF94CE9193A0

Function 001C0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001C0B23

Strings

AutoIt, xrefs: 001C0B17
Error allocating memory., xrefs: 001C0B1C

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 519b5344998fc14464bdc41e455c9382f555e9432f6d8453d7d3964bef3b01a1
Instruction ID: 50d6c0d34241c027ec5913ff8de38208f9bb6903b314abf2602f863c9468cd5a
Opcode Fuzzy Hash: 519b5344998fc14464bdc41e455c9382f555e9432f6d8453d7d3964bef3b01a1
Instruction Fuzzy Hash: 27E0D83128431C3AD21037947D03FD97A848F15B10F10442AF74C954C38FE265A056E9

Function 00180D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0017F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00180D71,?,?,?,0016100A), ref: 0017F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0016100A), ref: 00180D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0016100A), ref: 00180D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00180D7F

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c219ef9931df4cac446a15871f8b063b394c879a670c2eb4ad2c7f921cfa25c5
Instruction ID: 883570f4eb78afc42fb4cc10e5efbe63353fac00009ed2e3b14d2923a3cb3170
Opcode Fuzzy Hash: c219ef9931df4cac446a15871f8b063b394c879a670c2eb4ad2c7f921cfa25c5
Instruction Fuzzy Hash: 7CE06D742003058BD361AFB8E9083527BE4EF18740F008A2DE486C6652EBB0E589CF91

Function 0017E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0017E3D5

Strings

8%#, xrefs: 0017E3CA
0%#, xrefs: 0017E3B5

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%#$8%#
API String ID: 1385522511-2880673449
Opcode ID: 5b787655085175ade2fee4ce7528c173d56151ac634a84733de5cde369555030
Instruction ID: 1ad2e31f5f6d146b7118669025cbc9d369dd5330b144c95ab06d0bdd2bb980ed
Opcode Fuzzy Hash: 5b787655085175ade2fee4ce7528c173d56151ac634a84733de5cde369555030
Instruction Fuzzy Hash: 6EE02632410914CBCA0DE718BA9CB8833F1BB1C320B9041E8E246871D19B30AB898B44

Function 001D3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001D302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001D3044

Strings

aut, xrefs: 001D3038

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 88420823eab70de85b56f4eadd8a4d7f7c29aa0feb2ad8769936a910bde68727
Instruction ID: 8d4116d3ebca3cd0ac996874b20320cdae4b4ef0db278880bde1224672b9d921
Opcode Fuzzy Hash: 88420823eab70de85b56f4eadd8a4d7f7c29aa0feb2ad8769936a910bde68727
Instruction Fuzzy Hash: 9AD05E72500328B7DB20A7A4AD0EFDB7A7CDB05750F4002A1B655E2092DAB09984CAD0

Function 001BD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001BD220

Strings

X64, xrefs: 001BD2A8
%.3d, xrefs: 001BD22B

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 66cfe935a3685d45a7443cb7ecff5ab7558001a829d100647196c25973f4b2a4
Instruction ID: 23344005ebc81f112885388551a05c45b811682e3083e5770521956d6ebd8801
Opcode Fuzzy Hash: 66cfe935a3685d45a7443cb7ecff5ab7558001a829d100647196c25973f4b2a4
Instruction Fuzzy Hash: 9AD01265C09158E9CB5C96D0EC458FAB37CEB58341F5284A6F90A92040F724C548AB61

Function 001F2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001F232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001F233F

Part of subcall function 001CE97B: Sleep.KERNELBASE ref: 001CE9F3

Strings

Shell_TrayWnd, xrefs: 001F2325

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a3ed50484ddefcf2e8c2667040d3c5ab7acf3e1d4efdd636acbff565171c6687
Instruction ID: af20326f73ee5dff614259d578b8fccbf0c2ce54367cf89697aee4e89a7b8c6f
Opcode Fuzzy Hash: a3ed50484ddefcf2e8c2667040d3c5ab7acf3e1d4efdd636acbff565171c6687
Instruction Fuzzy Hash: AED022323D4310B7E264B370EC0FFD6BA149B10B10F0049167306EA1E0C9F0A840CA80

Function 001F2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001F236C
PostMessageW.USER32(00000000), ref: 001F2373

Part of subcall function 001CE97B: Sleep.KERNELBASE ref: 001CE9F3

Strings

Shell_TrayWnd, xrefs: 001F2365

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 99e177c4b696623d25cbca101ebbf1d1e1d6cea169c080fcd32e1e8e1caf59d6
Instruction ID: 898b2dff6039fde50ba638cc2b5e3fea94e98e0932230bf59dd5ddb131f254c1
Opcode Fuzzy Hash: 99e177c4b696623d25cbca101ebbf1d1e1d6cea169c080fcd32e1e8e1caf59d6
Instruction Fuzzy Hash: D5D022323C03107BE264B370EC0FFC6B6149B11B10F0049167302EA1E0C9F0B840CA84

Function 0019BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0019BE93
GetLastError.KERNEL32 ref: 0019BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0019BEFC

Memory Dump Source

Source File: 00000000.00000002.3243416766.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.3243361479.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243546654.0000000000222000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243699975.000000000022C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3243754229.0000000000234000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 078f42ec045465eac50f33a5b9d663cbb335cb8636fb05c2b22e4b5b7b64ba0b
Instruction ID: c26f5b1d754e67dc418fc4cc92962f5f6d58e62df120562098503c458639b355
Opcode Fuzzy Hash: 078f42ec045465eac50f33a5b9d663cbb335cb8636fb05c2b22e4b5b7b64ba0b
Instruction Fuzzy Hash: 8A41083460820AEFCF259F64EEC4ABA7BA9EF41310F154169F959971E1DB309D01DF60

Source: Joe Sandbox View	IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 172.64.41.3 172.64.41.3

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=c991HGxKpb62D1M&MD=D+ptRclH HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=c991HGxKpb62D1M&MD=D+ptRclH HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.164
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.164
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.164
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.35.174

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\1359d443-6995-4e51-9686-ea283e24255a.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\14dc7186-8a83-41fe-b9c7-094621b299d0.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\1d8836e0-b953-41c6-8646-53bc158ab445.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\3b51c47e-d2c0-4978-ac12-3cc69f0571de.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\4b971975-d7a6-4b66-b44a-3d156934b699.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\5e7137b2-59f4-4645-960b-17e514434c18.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\9ff41076-7033-4126-9f3c-2f16836f6a84.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\fbe7cd92-3a00-4e9d-9525-7517026ba783.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D0DFA2-14DC.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D0DFA2-210.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\09b8a60d-b8b9-4acc-b005-31bf626a5356.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\160e96f0-45fc-4880-bba1-e14e25104234.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\56f7355c-aed5-4fd4-b8dd-25a6ae075448.tmp

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre