Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1501915
MD5:	b6561154e0d9d0aa82b41feaacc09fc6
SHA1:	b9bbc9cefde409c16aeb4d3d2f958ae87cbd0972
SHA256:	245a43088a2febf9d3b3b0e9f0825518f0df6ee5330627b73dbc5a3c8a371bbb
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

file.exe (PID: 3500 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B6561154E0D9D0AA82B41FEAACC09FC6)

msedge.exe (PID: 6548 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1856 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=2052,i,14543500253682485423,14285576021756251855,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7124 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7476 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8508 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5540 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8520 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5876 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8756 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8972 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=2024,i,9586786140042106640,15399430692976579656,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8296 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4292 --field-trial-handle=2024,i,9586786140042106640,15399430692976579656,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9000 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7808 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3136 --field-trial-handle=3084,i,16894461250703694639,15650387076746428452,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8832 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3632 --field-trial-handle=3084,i,16894461250703694639,15650387076746428452,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: file.exe, 00000000.00000002.3269489912.0000000001198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_10.6.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_10.6.dr	String found in binary or memory: https://azureedge.net
Source: Reporting and NEL0.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: data_10.6.dr	String found in binary or memory: https://msn.com
Source: Web Data.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63126 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63129
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63127
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63127 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.242.39.171:443 -> 192.168.2.5:63126 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:63127 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:63128 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:63129 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FEEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FEED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00FEEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00FDAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01009576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01009576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d09117a6-8
Source: file.exe, 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5bab219c-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2cc8457f-8
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_54078cd3-d

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00FDD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FD1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FDE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FDE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F78060	0_2_00F78060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE2046	0_2_00FE2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD8298	0_2_00FD8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAE4FF	0_2_00FAE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA676B	0_2_00FA676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01004873	0_2_01004873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F7CAF0	0_2_00F7CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9CAA0	0_2_00F9CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8CC39	0_2_00F8CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA6DD9	0_2_00FA6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F791C0	0_2_00F791C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8B119	0_2_00F8B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F91394	0_2_00F91394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F91706	0_2_00F91706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9781B	0_2_00F9781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F919B0	0_2_00F919B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8997D	0_2_00F8997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F77920	0_2_00F77920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F97A4A	0_2_00F97A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F97CA7	0_2_00F97CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F91C77	0_2_00F91C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA9EEE	0_2_00FA9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFBE44	0_2_00FFBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F91F32	0_2_00F91F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F8F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F90A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F79CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.evad.winEXE@71/309@15/9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE37B5 GetLastError,FormatMessageW,

0_2_00FE37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD10BF AdjustTokenPrivileges,CloseHandle,		0_2_00FD10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FD16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FE51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FFA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FFA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00FE648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F742A2

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\472426fb-4be5-4c09-84d8-225a6a0137b9.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=2052,i,14543500253682485423,14285576021756251855,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5540 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5876 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=2024,i,9586786140042106640,15399430692976579656,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4292 --field-trial-handle=2024,i,9586786140042106640,15399430692976579656,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3136 --field-trial-handle=3084,i,16894461250703694639,15650387076746428452,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3632 --field-trial-handle=3084,i,16894461250703694639,15650387076746428452,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=2052,i,14543500253682485423,14285576021756251855,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5540 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5876 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=2024,i,9586786140042106640,15399430692976579656,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4292 --field-trial-handle=2024,i,9586786140042106640,15399430692976579656,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3136 --field-trial-handle=3084,i,16894461250703694639,15650387076746428452,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3632 --field-trial-handle=3084,i,16894461250703694639,15650387076746428452,262144 /prefetch:8

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F90A76 push ecx; ret

0_2_00F90A89

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F8F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01001C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01001C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96903

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6544

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.9 %

Source: C:\Users\user\Desktop\file.exe TID: 5996

Thread sleep time: -65440s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6544 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FDDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAC2A2 FindFirstFileExW,	0_2_00FAC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE68EE FindFirstFileW,FindClose,	0_2_00FE68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00FE698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FDD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FE979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00FE9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00FE5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Source: Web Data.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.11.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Web Data.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Web Data.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.11.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Web Data.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Web Data.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Web Data.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Web Data.11.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Web Data.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-97113

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FEEAA2 BlockInput,

0_2_00FEEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FA2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F94CE8 mov eax, dword ptr fs:[00000030h]

0_2_00F94CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00FD0B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FA2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F9083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F909D5 SetUnhandledExceptionFilter,	0_2_00F909D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F90C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F90C21

Source: C:\Users\user\Desktop\file.exe

0_2_00FD1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FB2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00FB2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F8F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F8F98E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00FF22DA

Source: C:\Users\user\Desktop\file.exe

0_2_00FD0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FD1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FD1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F90698 cpuid

0_2_00F90698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00FE8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FCD27A GetUserNameW,

0_2_00FCD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FAB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00FAB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F742DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00FF1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FF1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://bzib.nelreports.net/api/report?cat=bingbusiness	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.office.com/Office	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
https://msn.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
chrome.cloudflare-dns.com	162.159.61.3	true	false	unknown
play.google.com	142.250.185.78	true	false	unknown
s-part-0029.t-0009.t-msedge.net	13.107.246.57	true	false	unknown
bzib.nelreports.net	unknown	unknown	false	unknown
171.39.242.20.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://www.office.com/Office	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://bzib.nelreports.net/api/report?cat=bingbusiness	Reporting and NEL0.6.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://msn.com	data_10.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.78	play.google.com	United States	15169	GOOGLEUS	false
142.250.65.174	unknown	United States	15169	GOOGLEUS	false
13.107.246.57	s-part-0029.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.165.132	unknown	United States	15169	GOOGLEUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.4
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501915
Start date and time:	2024-08-30 18:30:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@71/309@15/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 43 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 74.125.206.84, 13.107.42.16, 204.79.197.239, 13.107.21.239, 13.107.6.158, 2.19.126.152, 2.19.126.145, 172.217.16.195, 142.250.184.195, 13.107.21.200, 204.79.197.200, 20.103.156.88, 93.184.221.240, 192.229.221.95, 66.102.1.84, 2.19.126.163, 142.251.35.163, 142.251.40.131, 142.251.32.99, 142.251.41.3, 142.250.65.163
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, arc.msn.com, iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com, cn-bing-com.cn.a-0001.a-msedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, arc.trafficmanager.net, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, a-0001.a-msedge.net, fs.microsoft.com, accounts.google.com, bzib.nelreports.net.akamaized.net, fonts.gstatic.com, ctldl.windowsupdate.com, b-0005.b-msedge.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, edgeassetservice.azureedge.net, azureedge-t-prod.trafficmanager.net, business.bing.com, dual-a-0036.a-msedge.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
18:31:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
18:31:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
239.255.255.250	https://trk.klclick3.com/ls/click?upn=%75001%2ec09Q0Iaa5JBKaMwLC9cMjFMyHYn-2B6EZxbTX-2FaxXPaGrg5dbeFH4fD3EuQFBIIXLREGZ-2FcOKC34mnxZPxIQx7XghFIqGaXY6alnacloe8xRo-3DgClE_PsKyq3SDuMFd2Bvwnm7-2BcmPfS0aZrbIGf331gXNHUSe-2BhQgqUpFiX3w7h5jUnRd6n-2FE8HERNVnz6BOvKs-2F6ulrBAPhqq4y7BxG-2Bd6kG7tLUxcOuHiFWpTHeDGZUnvDZvP6FM52V2kHQ6WJAZs6KQLxfqZHXfS07MTZdpG9vj-2FyhrEPsl2OqZg5lzEsrvURNsKVvDj6AmF6Sc1Z4lZAW7CGdtCrIGzdnodzXHJg2ktm7ptAUSv125vaGKXpRXhbzmAu5lE-2BvgScXpoVnTswlbot2XqG-2FJI21NuECHLJYOtT13mulLg3LyC43ioSpIwstqzATUDNosl6pb3KNNf3I-2F07dDO2NkZcrZt-2B2G5uraxeQ-3D#/?/c3plbGxAam9uZXNqdW5jdGlvbi5jb20=	Get hash	malicious	Unknown	Browse
	https://indd.adobe.com/view/30080812-36e9-4257-a76c-64b9db55c4c1	Get hash	malicious	HTMLPhisher	Browse
	https://4271c5088749124ef40631cb8.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse
	https://t4w86zlc.r.sa-east-1.awstrack.me/L0/https:%2F%2Ftarmacaccdpt273942.s3.eu-west-2.amazonaws.com%2Ftarmacaccdpt273942.htm/1/010301919fd504bf-f1140bbf-5bf1-4efc-a5af-08f5427832cc-000000/_gNHUUKrZwooc5axkSOIwuxNPxE=174	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://nam.safelink.emails.azure.net/redirect/?destination=https%3A%2F%2Fadmin.microsoft.com%2Fadminportal%2Fhome%3F%23%2Fsubscriptions&p=bT1lNDkwZjQyMi03YTgzLTQxZGUtOTA0My00NzMwNDhhZDBiOTUmcz0wMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAmdT1hZW8mbD1ob21l	Get hash	malicious	Unknown	Browse
	https://emp.eduyield.com/el?aid=2zkddda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/bioesolutions.com/dayo2/svn1y/YWFsb2NhZGFAcGVvLm9uLmNh$%C3%A3%E2%82%AC%E2%80%9A	Get hash	malicious	Unknown	Browse
	https://security-us.m.mimecastprotect.com/ttpwp/?tkn=3.0JfxfH8ssmm4IH6cwCFt-D9qW8OfbSAI3GS_btQfQlhldgcwCnCLHOyJ29U3WB7DtC_DhQgg-MQmn_Q3nA6YAOMW_gWm7KyNL-ia48d-H6d4D5ATg5kL5M3JPWyG3CkSJb5TEl4olwCIO6QZGRmDfJp48aiZoORuXZ_tdiGfAoM.wnVN2YKcNuAslAQ06pDpdg#/enrollment?key=7aeab67f-ce32-30f5-9feb-9cd16579fa82	Get hash	malicious	Unknown	Browse
	https://nci-rc.com/en/wp-content/uploads/2024/08/oipoilhgfjfgjh.html#OEV5eDVXNTVzVlhoeG1uc0E1V0pKWERDRis3eGhad2pOSGt3OGpwb0M2VjhJM2U0ekpsZHF3MkRXa1c1U2ZZUjhrUWhLWVBqVTlqdkZucFdmaFI4dGJBZGJkN1JKUUZKRUNBSHd0TThON2M9	Get hash	malicious	Phisher	Browse
13.107.246.57	https://nam.safelink.emails.azure.net/redirect/?destination=https%3A%2F%2Fadmin.microsoft.com%2Fadminportal%2Fhome%3F%23%2Fsubscriptions&p=bT1lNDkwZjQyMi03YTgzLTQxZGUtOTA0My00NzMwNDhhZDBiOTUmcz0wMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAmdT1hZW8mbD1ob21l	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://l9sa.github.io/	Get hash	malicious	Unknown	Browse
	http://my.manychat.com/	Get hash	malicious	Unknown	Browse
	https://cvccworks-my.sharepoint.com/:o:/g/personal/tbrosseau_cvccworks_edu/Eq-UyPVcAplCp0EtULhG-vgBSBG-0YnvqRHIOFaj8gAVeA?e=0GtZle&c=E,1,DChFGbEapD80-9FdFFEzIgnps7b6noVGZQKGJYQxe5NZ1bO4xoHQSXTZoDZYFQom26YXPkpXr4g-Zcy6HwaX1DHyE-5Bk2WBwo9od82Z27DPdBWYzulyG2zvnA,,&typo=1	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	http://v3r1fy.tdr1v.freemyip.com	Get hash	malicious	HTMLPhisher	Browse
	August Shipment - Inv No. 041.xls	Get hash	malicious	Unknown	Browse
	https://assets-usa.mkt.dynamics.com/c9f731e3-0864-ef11-a66d-6045bd003021/digitalassets/standaloneforms/0424cf3e-7364-ef11-bfe2-6045bd055762	Get hash	malicious	HTMLPhisher	Browse
172.64.41.3	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://www.pgregdoc.com/?lngSubscriptionID=1590&lngSubscriptionCountryID=333&lngCountryID=13&lngLanguageID=13&lngCategoryID=861&lngProductID=9939	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://www.pgregdoc.com/?lngSubscriptionID=1590&lngSubscriptionCountryID=333&lngCountryID=13&lngLanguageID=13&lngCategoryID=861&lngProductID=9939	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
s-part-0029.t-0009.t-msedge.net	https://nam.safelink.emails.azure.net/redirect/?destination=https%3A%2F%2Fadmin.microsoft.com%2Fadminportal%2Fhome%3F%23%2Fsubscriptions&p=bT1lNDkwZjQyMi03YTgzLTQxZGUtOTA0My00NzMwNDhhZDBiOTUmcz0wMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAmdT1hZW8mbD1ob21l	Get hash	malicious	Unknown	Browse	13.107.246.57
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	http://l9sa.github.io/	Get hash	malicious	Unknown	Browse	13.107.246.57
	http://my.manychat.com/	Get hash	malicious	Unknown	Browse	13.107.246.57
	https://cvccworks-my.sharepoint.com/:o:/g/personal/tbrosseau_cvccworks_edu/Eq-UyPVcAplCp0EtULhG-vgBSBG-0YnvqRHIOFaj8gAVeA?e=0GtZle&c=E,1,DChFGbEapD80-9FdFFEzIgnps7b6noVGZQKGJYQxe5NZ1bO4xoHQSXTZoDZYFQom26YXPkpXr4g-Zcy6HwaX1DHyE-5Bk2WBwo9od82Z27DPdBWYzulyG2zvnA,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	13.107.246.57
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	http://v3r1fy.tdr1v.freemyip.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.57
	August Shipment - Inv No. 041.xls	Get hash	malicious	Unknown	Browse	13.107.246.57
	https://assets-usa.mkt.dynamics.com/c9f731e3-0864-ef11-a66d-6045bd003021/digitalassets/standaloneforms/0424cf3e-7364-ef11-bfe2-6045bd055762	Get hash	malicious	HTMLPhisher	Browse	13.107.246.57

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://indd.adobe.com/view/30080812-36e9-4257-a76c-64b9db55c4c1	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	https://4271c5088749124ef40631cb8.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	40.126.32.76
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.64
	https://nam.safelink.emails.azure.net/redirect/?destination=https%3A%2F%2Fadmin.microsoft.com%2Fadminportal%2Fhome%3F%23%2Fsubscriptions&p=bT1lNDkwZjQyMi03YTgzLTQxZGUtOTA0My00NzMwNDhhZDBiOTUmcz0wMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAmdT1hZW8mbD1ob21l	Get hash	malicious	Unknown	Browse	13.107.246.57
	https://security-us.m.mimecastprotect.com/ttpwp/?tkn=3.0JfxfH8ssmm4IH6cwCFt-D9qW8OfbSAI3GS_btQfQlhldgcwCnCLHOyJ29U3WB7DtC_DhQgg-MQmn_Q3nA6YAOMW_gWm7KyNL-ia48d-H6d4D5ATg5kL5M3JPWyG3CkSJb5TEl4olwCIO6QZGRmDfJp48aiZoORuXZ_tdiGfAoM.wnVN2YKcNuAslAQ06pDpdg#/enrollment?key=7aeab67f-ce32-30f5-9feb-9cd16579fa82	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	Bee2Pay Executed Docs#273291(Revised).pdf	Get hash	malicious	HTMLPhisher	Browse	40.99.217.130
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	https://www.templatent.com/nam/c14d1cf3-56d1-433d-adfd-387ae01f5a3d/11a7ae45-e7c1-4a36-bfca-6f68b1c41be1/c3ab8b4e-ffc2-43ef-924d-9d38c562c74e/login?id=UkQydXlrOUtUT2g1elpZMWx4NDcraG4zaWtnVFg5NytyMS9qcURwTHd3NHZCZVZrWDgzWGhVakNGZ2YvL3VCdER4dWhnajMzb0dqTHRST0I5WUZRNE9FRG1GNFBqUk4zMWhUV1VLK3A2U1EzNUNUQi9pKzNYN043VHZWc0Q3K01aRmQwOGxBLzhEQVlOeDZ2TzRoTjM4WjZlcnRpN2RETGphSzNTQXBEZno0YmVvZHZKbjJRSWpVOC9CaEhSTHdJT3RSTm9LWDNFalBKUDhBZzVLcHBmVThqREEzTjh1MlZtVGN6dWwzZUY2YURJUXU0YW9XT2xHU2dhUHVkdjBnWnYxTE5ENENZZzlJUTBpSWNLR2ZESU5oM3p6TUJZQ0hTM2ZNNmt2YnN3bXV2VVB4eFdIL0lQNldTQVBZS2JDUTd5Tlh6bWlvWHgwQldMYmdPTmJERThnRDIxMHVNYitMdmc4b0g1RCtRQ0orMGtJRXZUdHQ2UDZ6aHZJcGlqZkdjV0o2Zy9vTEliSGtYc2hPRDhQR0F1Y0h4clByNnFrZjBIclR6aStSMWVLVT0	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://nexgenodisha.in/	Get hash	malicious	HTMLPhisher	Browse	20.223.35.26
CLOUDFLARENETUS	https://trk.klclick3.com/ls/click?upn=%75001%2ec09Q0Iaa5JBKaMwLC9cMjFMyHYn-2B6EZxbTX-2FaxXPaGrg5dbeFH4fD3EuQFBIIXLREGZ-2FcOKC34mnxZPxIQx7XghFIqGaXY6alnacloe8xRo-3DgClE_PsKyq3SDuMFd2Bvwnm7-2BcmPfS0aZrbIGf331gXNHUSe-2BhQgqUpFiX3w7h5jUnRd6n-2FE8HERNVnz6BOvKs-2F6ulrBAPhqq4y7BxG-2Bd6kG7tLUxcOuHiFWpTHeDGZUnvDZvP6FM52V2kHQ6WJAZs6KQLxfqZHXfS07MTZdpG9vj-2FyhrEPsl2OqZg5lzEsrvURNsKVvDj6AmF6Sc1Z4lZAW7CGdtCrIGzdnodzXHJg2ktm7ptAUSv125vaGKXpRXhbzmAu5lE-2BvgScXpoVnTswlbot2XqG-2FJI21NuECHLJYOtT13mulLg3LyC43ioSpIwstqzATUDNosl6pb3KNNf3I-2F07dDO2NkZcrZt-2B2G5uraxeQ-3D#/?/c3plbGxAam9uZXNqdW5jdGlvbi5jb20=	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://indd.adobe.com/view/30080812-36e9-4257-a76c-64b9db55c4c1	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://4271c5088749124ef40631cb8.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	ORDER_pdf.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, Vidar	Browse	188.114.96.3
	https://t4w86zlc.r.sa-east-1.awstrack.me/L0/https:%2F%2Ftarmacaccdpt273942.s3.eu-west-2.amazonaws.com%2Ftarmacaccdpt273942.htm/1/010301919fd504bf-f1140bbf-5bf1-4efc-a5af-08f5427832cc-000000/_gNHUUKrZwooc5axkSOIwuxNPxE=174	Get hash	malicious	HTMLPhisher	Browse	104.21.79.65
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://nci-rc.com/en/wp-content/uploads/2024/08/oipoilhgfjfgjh.html#OEV5eDVXNTVzVlhoeG1uc0E1V0pKWERDRis3eGhad2pOSGt3OGpwb0M2VjhJM2U0ekpsZHF3MkRXa1c1U2ZZUjhrUWhLWVBqVTlqdkZucFdmaFI4dGJBZGJkN1JKUUZKRUNBSHd0TThON2M9	Get hash	malicious	Phisher	Browse	104.16.225.240
	459733930_447582045387.pdf	Get hash	malicious	Unknown	Browse	104.18.33.2
CLOUDFLARENETUS	https://trk.klclick3.com/ls/click?upn=%75001%2ec09Q0Iaa5JBKaMwLC9cMjFMyHYn-2B6EZxbTX-2FaxXPaGrg5dbeFH4fD3EuQFBIIXLREGZ-2FcOKC34mnxZPxIQx7XghFIqGaXY6alnacloe8xRo-3DgClE_PsKyq3SDuMFd2Bvwnm7-2BcmPfS0aZrbIGf331gXNHUSe-2BhQgqUpFiX3w7h5jUnRd6n-2FE8HERNVnz6BOvKs-2F6ulrBAPhqq4y7BxG-2Bd6kG7tLUxcOuHiFWpTHeDGZUnvDZvP6FM52V2kHQ6WJAZs6KQLxfqZHXfS07MTZdpG9vj-2FyhrEPsl2OqZg5lzEsrvURNsKVvDj6AmF6Sc1Z4lZAW7CGdtCrIGzdnodzXHJg2ktm7ptAUSv125vaGKXpRXhbzmAu5lE-2BvgScXpoVnTswlbot2XqG-2FJI21NuECHLJYOtT13mulLg3LyC43ioSpIwstqzATUDNosl6pb3KNNf3I-2F07dDO2NkZcrZt-2B2G5uraxeQ-3D#/?/c3plbGxAam9uZXNqdW5jdGlvbi5jb20=	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://indd.adobe.com/view/30080812-36e9-4257-a76c-64b9db55c4c1	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://4271c5088749124ef40631cb8.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	ORDER_pdf.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, Vidar	Browse	188.114.96.3
	https://t4w86zlc.r.sa-east-1.awstrack.me/L0/https:%2F%2Ftarmacaccdpt273942.s3.eu-west-2.amazonaws.com%2Ftarmacaccdpt273942.htm/1/010301919fd504bf-f1140bbf-5bf1-4efc-a5af-08f5427832cc-000000/_gNHUUKrZwooc5axkSOIwuxNPxE=174	Get hash	malicious	HTMLPhisher	Browse	104.21.79.65
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://nci-rc.com/en/wp-content/uploads/2024/08/oipoilhgfjfgjh.html#OEV5eDVXNTVzVlhoeG1uc0E1V0pKWERDRis3eGhad2pOSGt3OGpwb0M2VjhJM2U0ekpsZHF3MkRXa1c1U2ZZUjhrUWhLWVBqVTlqdkZucFdmaFI4dGJBZGJkN1JKUUZKRUNBSHd0TThON2M9	Get hash	malicious	Phisher	Browse	104.16.225.240
	459733930_447582045387.pdf	Get hash	malicious	Unknown	Browse	104.18.33.2

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	https://t4w86zlc.r.sa-east-1.awstrack.me/L0/https:%2F%2Ftarmacaccdpt273942.s3.eu-west-2.amazonaws.com%2Ftarmacaccdpt273942.htm/1/010301919fd504bf-f1140bbf-5bf1-4efc-a5af-08f5427832cc-000000/_gNHUUKrZwooc5axkSOIwuxNPxE=174	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://emp.eduyield.com/el?aid=2zkddda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/bioesolutions.com/dayo2/svn1y/YWFsb2NhZGFAcGVvLm9uLmNh$%C3%A3%E2%82%AC%E2%80%9A	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://ayurvedapancreatitisclinic.com/api/aHR0cHM6Ly9nb29nbGUuY29t&sig=ZDUxNjU0ZTllNzZkYTAxNWE4OTNkZTAyM2ZkZDA1MGViMGIzY2UyOTU1MzY1NGMyNjFlOTExM2ZiMzA5MzdmMg&exp=MTcyNDIzOTUzMQ	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://mcusercontent.com/ac01de4d51b36425f82a9f3a9/files/4e156b25-0de0-41a5-a9e5-a7bd353e1d8e/9.25.24_Scott_Lunchv3.pdf	Get hash	malicious	Unknown	Browse	23.1.237.91
	file.exe	Get hash	malicious	Unknown	Browse	23.1.237.91
	Feature Status Update 3RLSM.html	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://netflix.netfilm.online/i/df117e8a574734eac962e44d96d884ee9?fp=a8b756deca	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://home-page---coinbase-learn.webflow.io/	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://www.335166.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://kfkkfd.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	https://trk.klclick3.com/ls/click?upn=%75001%2ec09Q0Iaa5JBKaMwLC9cMjFMyHYn-2B6EZxbTX-2FaxXPaGrg5dbeFH4fD3EuQFBIIXLREGZ-2FcOKC34mnxZPxIQx7XghFIqGaXY6alnacloe8xRo-3DgClE_PsKyq3SDuMFd2Bvwnm7-2BcmPfS0aZrbIGf331gXNHUSe-2BhQgqUpFiX3w7h5jUnRd6n-2FE8HERNVnz6BOvKs-2F6ulrBAPhqq4y7BxG-2Bd6kG7tLUxcOuHiFWpTHeDGZUnvDZvP6FM52V2kHQ6WJAZs6KQLxfqZHXfS07MTZdpG9vj-2FyhrEPsl2OqZg5lzEsrvURNsKVvDj6AmF6Sc1Z4lZAW7CGdtCrIGzdnodzXHJg2ktm7ptAUSv125vaGKXpRXhbzmAu5lE-2BvgScXpoVnTswlbot2XqG-2FJI21NuECHLJYOtT13mulLg3LyC43ioSpIwstqzATUDNosl6pb3KNNf3I-2F07dDO2NkZcrZt-2B2G5uraxeQ-3D#/?/c3plbGxAam9uZXNqdW5jdGlvbi5jb20=	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.242.39.171
	https://indd.adobe.com/view/30080812-36e9-4257-a76c-64b9db55c4c1	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 40.68.123.157 20.242.39.171
	https://download.metatrader.com/cdn/web/gvd.markets.capital/mt5/gvdmarkets5setup.exe	Get hash	malicious	LummaC Stealer	Browse	184.28.90.27 40.68.123.157 20.242.39.171
	https://t4w86zlc.r.sa-east-1.awstrack.me/L0/https:%2F%2Ftarmacaccdpt273942.s3.eu-west-2.amazonaws.com%2Ftarmacaccdpt273942.htm/1/010301919fd504bf-f1140bbf-5bf1-4efc-a5af-08f5427832cc-000000/_gNHUUKrZwooc5axkSOIwuxNPxE=174	Get hash	malicious	HTMLPhisher	Browse	184.28.90.27 40.68.123.157 20.242.39.171
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.242.39.171
	https://nam.safelink.emails.azure.net/redirect/?destination=https%3A%2F%2Fadmin.microsoft.com%2Fadminportal%2Fhome%3F%23%2Fsubscriptions&p=bT1lNDkwZjQyMi03YTgzLTQxZGUtOTA0My00NzMwNDhhZDBiOTUmcz0wMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAmdT1hZW8mbD1ob21l	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.242.39.171
	https://emp.eduyield.com/el?aid=2zkddda0e6c-1865-11ef-80aa-0217a07992df&rid=33766156&pid=771868&cid=497&dest=google.com.////amp/s/bioesolutions.com/dayo2/svn1y/YWFsb2NhZGFAcGVvLm9uLmNh$%C3%A3%E2%82%AC%E2%80%9A	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.242.39.171
	https://nci-rc.com/en/wp-content/uploads/2024/08/oipoilhgfjfgjh.html#OEV5eDVXNTVzVlhoeG1uc0E1V0pKWERDRis3eGhad2pOSGt3OGpwb0M2VjhJM2U0ekpsZHF3MkRXa1c1U2ZZUjhrUWhLWVBqVTlqdkZucFdmaFI4dGJBZGJkN1JKUUZKRUNBSHd0TThON2M9	Get hash	malicious	Phisher	Browse	184.28.90.27 40.68.123.157 20.242.39.171
	459733930_447582045387.pdf	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.242.39.171
	file.exe	Get hash	malicious	Unknown	Browse	184.28.90.27 40.68.123.157 20.242.39.171

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	69972
Entropy (8bit):	6.0721920997604615
Encrypted:	false
SSDEEP:	1536:LMGQ5XMBG+k88bieMo4+HrbYo6BKLMyOTCPcgEqksQmb:LMrJM8+yL42UogyFEzsQmb
MD5:	4B447DC2722C07DC123745C60A9AFE2B
SHA1:	5CC77113526756A49699C4A8E43066D30B6251C8
SHA-256:	9E0B5773237121E69E2BC3035A675B308496B2E2A1EAFC2485AE745875CFCB9F
SHA-512:	E2A8EE0407FFE7D86F452D8D4FA0A6B609177AFD789E788DCAECFA9CB2CB421D62F9EF99CC9287BEC2C6B93DD5C6010CE45F9679FC544348501C4F7A951D0DEB
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\14471d28-7bf4-447a-ac19-71acd5b155f7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4235
Entropy (8bit):	5.487342622160133
Encrypted:	false
SSDEEP:	96:0q8NkGS1fXXaPv9ZZ58rh/cI9URoDotok/BTeCvNu16Jkkc4SDS4S4SDS2I4a:/8NBS8PFEeoDUBi712kk0
MD5:	577A5EEFC09867434689C019FC735A4D
SHA1:	B5F11D75D9BA20BEECA32B330B162B0D4B67FE5E
SHA-256:	652DF029DD5815D0DD4885FE0A0CB9128122B187C7B438F3CDA2C25B6F385434
SHA-512:	D0418B94B17046D94CF0F2E97421CABC77FB55C4F951C9E8D77C1DD514D72C788EF03FBCA09C7BCBFC54EF8A24C83B878B68D61CFA08DDDC97281658F608AB00
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnM

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\218c33b2-4ad2-4e8f-a430-05a961adea29.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24126
Entropy (8bit):	6.0533419951550576
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NGAVw6oYqdaVEQaaYv+Mh0lkdHd5qU:LMGQ7FCYXGIgtDAWtJ4nAw6o7QzYDh08
MD5:	531DB6BF264D4B9F00C397510D28CB39
SHA1:	411D46C8359E495B52CAFD37FFB1B1EF60575D27
SHA-256:	4B3784F90A21F5E7DF0D7EFA06A330AF58CC21257F74558F924C35E23C2509D1
SHA-512:	CE9AAF61AF21E89A07FE987879E405277AF6A70E4759B90B4C567CFE37A6E4F80BB25CF4531DB0641A5956BB45D3FA7B1B76F9BD5B973CB71874265D59A079C7
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\3fc43106-a348-4b9b-b1ae-5b2e561d126a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20786
Entropy (8bit):	6.064991417855391
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSMVw81Fk/+Mh0lkdHd5qU:LMGQ7FCYXGIgtDAWtJ4niw81FkTh02tp
MD5:	24BE63BF8955813C39CAF46D0F025A35
SHA1:	1574F0FD7D59604D817E6AB883B44B242B743E2E
SHA-256:	F087A08EA8E9D32F6B5BF08EF743688FEE6A61563EE6499A4886F918381B5B01
SHA-512:	27187AB45C132C583BC2C792F9CB91BD41011C3520372CCB21668BBF4ACB75819B431A49E555864B0B657DE6F0D711002791D53D68AE71B4103672B69018ED0D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\5944c7a5-676e-4988-bacc-f5299d32955c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\627325ba-5c5b-4645-9781-d4df6b42557e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20786
Entropy (8bit):	6.065026546446571
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSAVw81Fk/+Mh0lkdHd5qU:LMGQ7FCYXGIgtDAWtJ4n2w81FkTh02tp
MD5:	2C42FC94580EE784C4A321D33DEBE5A4
SHA1:	DB73A8539EF3A3613F16F5586F61DF60C42AEED2
SHA-256:	EA517A6D158149EA3C72A75A1B95BB7072905B96722C048DFF0467851CDF4CCD
SHA-512:	393F039B127E530B6DE40ECF6D88244C08E08C00DF1025B9DF8F99E3C8E11133DDD6A84BB442763100D445A7E29BBECD191166FEB76C313433DAD295970CE9BA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\74095bdd-8b27-4ff4-b9d4-4903cbfc8f59.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.588693899877185
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afXXaPoTTq9ZZokHB+5kdrxcCvBvC+RUkaJkXBSc5wlR+7YB0:Xq8NkC1fXXaPv9ZZ7BTeCvNJUNJkkcGm
MD5:	DFFEC5B41FB60F9B13CC5D69447667F0
SHA1:	88B5F480A76098C3C5929E58AAB4F2B1D3C12E25
SHA-256:	CC5C72314DCFA7E25989B34A40E34413417BCBC50A574119DB280BA613F21C89
SHA-512:	AED425BC673214EF3E160F8CBC67743F24491A928CC0BE953846E2D9B86C97B0E879072ACF4F2A8C3D8C46D80CE0E95DC84424F8D84F9B6C52EDDC949AA69508
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"policy":{"last_statistics_update":"13369509057324527"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\8a0873c2-d80e-47b9-b1be-dd662ff7257a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.588693899877185
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afXXaPoTTq9ZZokHB+5kdrxcCvBvC+RUkaJkXBSc5wlR+7YB0:Xq8NkC1fXXaPv9ZZ7BTeCvNJUNJkkcGm
MD5:	DFFEC5B41FB60F9B13CC5D69447667F0
SHA1:	88B5F480A76098C3C5929E58AAB4F2B1D3C12E25
SHA-256:	CC5C72314DCFA7E25989B34A40E34413417BCBC50A574119DB280BA613F21C89
SHA-512:	AED425BC673214EF3E160F8CBC67743F24491A928CC0BE953846E2D9B86C97B0E879072ACF4F2A8C3D8C46D80CE0E95DC84424F8D84F9B6C52EDDC949AA69508
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"policy":{"last_statistics_update":"13369509057324527"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\28a60655-5da3-442f-b98e-f606dc994f1c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640136267101608
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7Q:fwUQC5VwBIiElEd2K57P7Q
MD5:	46EC1899F11FE2F524F4A0ED857B2BF7
SHA1:	830620AD3E3FAC7FE25BD86C291A17AFA245B2CA
SHA-256:	07965BB5BA96950A38D1B7E50D9564F84D383F21D6FB17B6A411925728AF5146
SHA-512:	5496B3873B3C5FA3560593D4E3E9F43F6BFA288C5FC3B879D14269A51938D5DDAD950326D86D8DB606A34F7B235E615237136DB19539A1740CAD9B527BEBAEB2
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640136267101608
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7Q:fwUQC5VwBIiElEd2K57P7Q
MD5:	46EC1899F11FE2F524F4A0ED857B2BF7
SHA1:	830620AD3E3FAC7FE25BD86C291A17AFA245B2CA
SHA-256:	07965BB5BA96950A38D1B7E50D9564F84D383F21D6FB17B6A411925728AF5146
SHA-512:	5496B3873B3C5FA3560593D4E3E9F43F6BFA288C5FC3B879D14269A51938D5DDAD950326D86D8DB606A34F7B235E615237136DB19539A1740CAD9B527BEBAEB2
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D1F3C1-1994.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.040496632331398816
Encrypted:	false
SSDEEP:	192:GPKUjLYiVWK+ggCdlmJtD+FX9XNokgV8vYhXxNEq4bcRQM9c3Vn8y08Tcm2RGOdB:xUjjlKqsnhBCQ23V08T2RGOD
MD5:	131C4780D43073F3BBC41CC43043D53F
SHA1:	B3BD7A180A752F4AB2A7B5C21AEF166F3AEFFB6D
SHA-256:	753AD0FE6D736231BC3C10C066C35095B2DD92F481F8337D7719B667718D9875
SHA-512:	9871B3219575F44D6A178DA9ADE706B0824EA29E4803B24947D0A086E02A74B8CE0F8D50B764711F802CF3914CB1A17705F6C884653965E1ACAFF65E08E87C56
Malicious:	false
Preview:	...@..@...@.....C.].....@................a...P..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".wccloa20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@.............'.....................$}.CG....L.T.w..Ucw.}....u.$r....9...>.........."....."...2..."..:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...,.....@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z.......................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D1F3C1-1BD4.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 256-0, spot sensor temperature 0.000000, unit celsius, color scheme 1, minimum point enabled, calibration: offset 134221824.000000, slope 75015551881388056232440365056.000000
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.49756425650383
Encrypted:	false
SSDEEP:	3072:Q4sKtCZ2F6SMRnXUODfX5afY0DPpIrI4m4nhbg1HFX+N2eSkx34rmqm6k1frma9r:tCBuGnhbaHSmf60caHvA7b
MD5:	CFC3145191B04F5A69BE806675C6CF5D
SHA1:	59179DFF35FC0DFDE1D226A33A147842D4EC7B77
SHA-256:	6182624D43AD70AE2A9D2ED981BC70F4FF735EFA123217F09D6D8CCBF9CD391E
SHA-512:	D660C5571B6883375605C6E47048F80933ED04611AE7C63902ECDD16E7F857CBB5ABF9EB2449D560A4FFDAD7835B9F2FA04CABA1A49D960E01E1AE3ABC816E73
Malicious:	false
Preview:	...@..@...@.....C.].....@...............(...X...............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452....x86_64..?........".wccloa20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J....s..^o..J...W..^o..J..,jp..^o..J.......^o..J../T...^o..J...X.p.^o..J.....p.^o..J...c...^o..J...Y...^o..J.......^o..J..w....^o..J...G.Y.^o..J..A....^o..J....c..^o..J...c=..^o..J....J..^o..J...h8..^o..J..3.(..^o..J.......^o..J..!n...^o..J...S@".^o..J.......^o..J.......^o..J...j.8.^o..J..@....^o..J.......^o..J...b.J.^o..J..G....^o..J..8...^o..J...#...^o..J....k..^o..J..S..O.^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.073746321783774
Encrypted:	false
SSDEEP:	3:FiWWltlG2swSs4eHSRqOFhJXI2EyBl+BVP/Sh/JzvsAUAGi80I3UddTDWcQctl:o1G2sRwyRqsx+BVsJDhUS80a2D+cX
MD5:	09902C66911676CD41B5662BC6D35A47
SHA1:	709A7304540366B5B6EBE5464F8B88C957AFD7D4
SHA-256:	F6E44F30574F840FD30021A28DAA9F0806723767A05BB151E6B74EF26DE91AB9
SHA-512:	961912F37C51E99F8E46891B24DC2D180491A379E1F780250B3EA4CE0B3DD9DCC9DB2F6AA3CD190FAAE649E311B66D9225E1A5E075A077FB3040504A5275CB5B
Malicious:	false
Preview:	sdPC......................S4...C...3gh\."1SCRpGKHAwpF5kOwXUUSc/ojBrTkNG2SgkvqW1WE7kI="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................3a3e1e7c-1374-48e4-8463-18fd31f3fe87............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\0655f069-1e85-4c26-9345-976986ac5f0f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6426
Entropy (8bit):	4.98430249162978
Encrypted:	false
SSDEEP:	96:stIqfLis1rb9bsqN8zG8s85eh6Cb7/x+6MhmuecmAeKccPQ3C2Mn/EJ:stI3scqNkNs88bV+FiA2CPnMJ
MD5:	D131B41216D446396766899075FD159B
SHA1:	72D5F70AC665F9B636A894F15D7D51AB9CDB3158
SHA-256:	692EEEB88797B70EF27403B7D8165F3F294DA0750E6DBED7EF98928DE040383C
SHA-512:	6AADB0B62930F6CA71B4C0979EF288C6E175A9F16299F5A629E56575DE639319DDCAA9F589EEA99A78EDA1C1047342A64C4A07FF49B1221BB215FB8A85300BAC
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369509059687007","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369509059693502"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\0f6d13c1-7504-478e-96ef-50b53d97040b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	12600
Entropy (8bit):	5.320493489747785
Encrypted:	false
SSDEEP:	192:pAOEH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNdl:SOEOKSXs/J7mGnQmLu5/5eNdl
MD5:	7B35954CD61F7C1DCFAF42C420440DA9
SHA1:	1AD759E20796C66AF6BC4130A95871719F9921D0
SHA-256:	4A6A58E35970F999027BD2FE0ED3F09AC8AAF8748B8B8F11C381CC68306B7231
SHA-512:	C14ADBBABDF08D2F720FF48BD26F54354CD609838B77E8FCC571D0DDDE5D0EC509CDEA0D07CBD428CC7B0C4606B817DE626E2F80C04DC4B11AAEFDD66D0BFF6C
Malicious:	false
Preview:	...m.................DB_VERSION.1o.t..................QUERY_TIMESTAMP:arbitration_priority_list4...13369509063632566.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}]..A./..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivilegedExperienceID",.. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",.. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",.. "SHOPPING_AUTO_SHOW_BING_SEARCH",.. "SHOPPING_AUTO_SHOW_REBATES",.. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",.. "SHOPPING_AUTO_SHOW_REBATES_DEACTIVATED",.. "SHOPPING_AUTO_SHOW_REBATES_BING",.. "SHOPPING_AUTO_SHOW_REBATES_ORGANIC",.. "SHOPPING_AUTO_SHOW_PRICE_HIST

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.116265686313939
Encrypted:	false
SSDEEP:	6:0KdQEq1923oH+TcwtOEh1ZB2KLlWYIq2P923oH+TcwtOEh1tIFUv:0KdRfYebOEh1ZFL85v4YebOEh16FUv
MD5:	89BE7018435D1BA6241FA9F92F059BD9
SHA1:	DAFEF80E6F40EC3DAA71954DEE72868A67F5CC58
SHA-256:	7178BC33D4D18399786ADDC23A5C7C605448C8B5E23CA83BF9D5BC99D0C02CE7
SHA-512:	D6130CBE286960A67BF3AA16C57D2D3F84A9BD723F36AE60C5DBF164BC4A1A82FE493833FEE62163F61D4C08B2F27B2226C7060C6D3D765CEA88DA9B3EDC688A
Malicious:	false
Preview:	2024/08/30-12:31:02.799 2160 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db since it was missing..2024/08/30-12:31:02.932 2160 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.04325139691037826
Encrypted:	false
SSDEEP:	6:/Fii2u2p8kM/lL0xN0crt0wlXRllxwrH/lat:dlo1ELQN06PX/xAat
MD5:	271DA0A16491C587FF6CEF9C67FCE348
SHA1:	CD889CDFCDDF6AA754E9A16A58B4FAB3AFFBA496
SHA-256:	32972F94E5D1F266E0E35D72DF48A6933A38C97C1FE4BEDD003FD19D5A0B7037
SHA-512:	62F3FE2DCAA85B673BC7FCDEA9A736E3E6709D8CC5CFAB914137B4CFBDE2CEBFBF8F5D611E6D57510EA1F9AB7D7B31CFC8AD8CB79E8562346A59D41F3004BFB8
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.09574972623119013
Encrypted:	false
SSDEEP:	48:yV4Xes1Nt7V4A3es3NUeG7qAzKVT3lWp4:yV4X31jV4A333NLG2Aup3L
MD5:	970C6B853934EBD2A06365FD692CF73A
SHA1:	54E4F7E11C3E3330C470DAD3996D0518FB2D3F82
SHA-256:	2C619704BA3A79D521DFBF310FE42EC2FCA86C65266803607B5830EA694498CF
SHA-512:	FE955F9962194F273DF99DFDA947D634F25BB757B62DA8BF0778CF11046375B7BD5B86C026AB963C12EEBBBE232329643034A38870C2D5E6CB6AFBC73B38AF7B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.28364878699357415
Encrypted:	false
SSDEEP:	384:hzqGJtniezqGJtnYd3MOJtdvMOJtdfQ25JtL7q:hzqGJtnzqGJtJOJtmOJtuUJtnq
MD5:	F1F39590C5C42E8D771617334EA924D0
SHA1:	30BDC0D5BEE8C81EC6F70023F54B15742167C208
SHA-256:	1EDC260A37744D5D5807070640020063BFFCF4D97FD98A004F745A31688F719A
SHA-512:	834A5A2619931C25234DF152E56137B81ED342F5333D0FB7A6DC9361189150B3F72CCD8DD33AD153FFD62FC3908EE5D77C8D5CD8BD5BBA7243CD64EB6D64A1B6
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Fri Aug 2 18:10:34 2024, max compression, original size modulo 2^32 374872
Category:	dropped
Size (bytes):	70207
Entropy (8bit):	7.995911906073242
Encrypted:	true
SSDEEP:	1536:VzseWV/dT2G9zm5w0vgxQUFm6SM6ZYRuB61K+aK+POIwPru:VoNQGIwvs6S9+I6RWPOIwTu
MD5:	9F5A7E038BF08B13BD15338EC7BD4E16
SHA1:	AB69D28EEA9AE289BB86159C341910538CDDE5B9
SHA-256:	BA0BCBBF170ADB0B5119D19D56C2D004579507DFC4A9215BCCC8663C8A486AF8
SHA-512:	48557ECD56DFD2157304FE752E15E44314667EFC79E6C21312723251E4E1F1BF5BE0A76F88F4B4D83FADB9D81BFB1835B1C0E5CFA7B07214A605F58064BB94B1
Malicious:	false
Preview:	.....!.f..asset.....6.0.W..3....[........9m;.....IH.E...j...}.....PR..w.gg.....@.P...?...x....?./.%..Q...x....}..9..e..f.8..Yb@g...i..$...I.......<....k...{..{.Qg..k..q.....i.Y}..._......\?....5 .5 .`..._i'@....H'.f!...x`...f......v.._1w.u.<.........5.:..^.Ua....H6...x....D:.R..L..2.,.s.f.......FE'..%{]-;+.`....N...=\|.:q...9N.k..i.I.8E.i.I.s..Y...8..fe'...Xo...Xo...#.r$N.u2.o.]....^,.k....{E."......Q.N...AY..u.^o.............Z..ce.irN.{.O$.C.......HJ.HJ..J..hOgA.5.nW.\........}E.%-.A."a<..~.[O....~.......xX.G?Y.3O8d8I...&X....V4...0=.iS....].D.L@.YiS...<.W..W+..#mj...p..8^.\U;oV;W`..^..V...G..SC.9.....i%@g.iS=..`..#.H.p.q..E.q...)....).X..M.X.%.,i.%..V..6.nk.@1S@-..Y.6....K.n....:c.My.....h...9..q...f't.iS.v..6D7...d't.iS.v..F.....faG.t.f....lR.J@!l.0O..T.....T2...\.n..-....L..ES.9.:...B..P1@...P.l.fX.aV..Y6.B5......Mt..SS,l..+..J...).i.6......8...:.Z...2.H.8..Z.>.5.Oi..N`:..6.i.n.h.l.e.h.T\.lr...TE+m.T..).D..F..+.6....J...x.`..`.m..H..i....p...v

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	4.989325630401085E-4
Encrypted:	false
SSDEEP:	3:LsulsGBt:LsY
MD5:	A697DF64B9597154E7AE4A2196275638
SHA1:	BA3999B3D660785981E28C5456BAA8622D002C89
SHA-256:	38010E221AA67AFB7BE0F83DABC05DD9F8A1CD1250039BF4181B8DF429B9C673
SHA-512:	CFECE5E6655782F7D177E47A3189F4D85E21FDA6EE5B67E2DFD13F2062697750708F5B5C53808339F2B4E5B90D0596701F3B974A672C42A9FD0E372E9CFB2141
Malicious:	false
Preview:	........................................[Maf../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:qeNAyEixTn:qeS98Tn
MD5:	E6173D8EF7B74C0626046F05817363C9
SHA1:	C3F49EBE96B9F3ACC0F983001ADC89D9C02DBBC9
SHA-256:	FFF373E43997F3BA49BD2A4F9231D5F1DE4102A27E7006C55438E033C30926E1
SHA-512:	EFCAF8C401C9C4D8F106F8CA1C16F34025EA5E08BFE86BAAEBC1071A86C8477E3E8F160BB60EB301C17A9433D26A4D804AF6F64588F2688A8C1D1AA40F757B3A
Malicious:	false
Preview:	(...w.k.oy retne..........................=f../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:qeNAyEixTn:qeS98Tn
MD5:	E6173D8EF7B74C0626046F05817363C9
SHA1:	C3F49EBE96B9F3ACC0F983001ADC89D9C02DBBC9
SHA-256:	FFF373E43997F3BA49BD2A4F9231D5F1DE4102A27E7006C55438E033C30926E1
SHA-512:	EFCAF8C401C9C4D8F106F8CA1C16F34025EA5E08BFE86BAAEBC1071A86C8477E3E8F160BB60EB301C17A9433D26A4D804AF6F64588F2688A8C1D1AA40F757B3A
Malicious:	false
Preview:	(...w.k.oy retne..........................=f../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9138909867280645
Encrypted:	false
SSDEEP:	3:ARQyEw5YDaTn:AG9MYDaTn
MD5:	ECCBEB778D950A281BD0947117365609
SHA1:	B0ED0BEED80039ECA704374FB8EAFDF4B9DCF7D9
SHA-256:	831A2C86A879C0DFC81B9187A558162B7B23EE292CA6F412E129C2ECEA43547A
SHA-512:	3EF6290FB585DE384FF2A591C59FBB206127487115EB07BC75FCE7A92B82E6E1C255E9C51479044FD08BE731D680A3548F1C2CD2FFACF438E965064BB815CDD6
Malicious:	false
Preview:	(.... ..oy retne..........................=f../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9138909867280645
Encrypted:	false
SSDEEP:	3:ARQyEw5YDaTn:AG9MYDaTn
MD5:	ECCBEB778D950A281BD0947117365609
SHA1:	B0ED0BEED80039ECA704374FB8EAFDF4B9DCF7D9
SHA-256:	831A2C86A879C0DFC81B9187A558162B7B23EE292CA6F412E129C2ECEA43547A
SHA-512:	3EF6290FB585DE384FF2A591C59FBB206127487115EB07BC75FCE7A92B82E6E1C255E9C51479044FD08BE731D680A3548F1C2CD2FFACF438E965064BB815CDD6
Malicious:	false
Preview:	(.... ..oy retne..........................=f../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlcKl/:Ls37
MD5:	9DF91719A357301EEE426E15CDF1D182
SHA1:	08D9A7B0BE5522B35BD4A816804614877F35C274
SHA-256:	89B3811A3B9BFB7792459047A4133502F7DA7C34BE4ABBC5865B2E5CD6E6BDCD
SHA-512:	02384E0529A7ED7803C9456A9BA7E160FEB210A7A010EC522B017CD254299A1DAEB3B893FFBA15A5BC68172CBC4AE127EF96DE8B905BCBA1FD6583D93C7863F1
Malicious:	false
Preview:	........................................F.Xf../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	375520
Entropy (8bit):	5.354092260794579
Encrypted:	false
SSDEEP:	6144:YA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:YFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	919747BEB826A58EAF6A2DF22AE84874
SHA1:	A802EB50F16DCF661F65F0FAA34F9B120F85024F
SHA-256:	DEA5380E7BAB737F8CF34FE99B66CFF4E66204DFA623538ED4BE08C87E285D14
SHA-512:	B121CB9D8270A46ED598A42C72A02C628D8B369E62932C18F1158626A00368EEA4DAF7CF5FA62C46AB224663D1148D978349EF5A8A406EB22B0E2D70B4AEA8D9
Malicious:	false
Preview:	...m.................DB_VERSION.1(..Pq...............&QUERY_TIMESTAMP:domains_config_gz2...13369509063631047..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.1686548616931764
Encrypted:	false
SSDEEP:	6:0YD1923oH+Tcwtj2WwnvB2KLlWejdVFIq2P923oH+Tcwtj2WwnvIFUv:01YebjxwnvFL8ejdVFIv4YebjxwnQFUv
MD5:	DDCA997AB76831A1AD0061D63D06F8AC
SHA1:	73730D25102528DE90F4518FCAC084060CEC6121
SHA-256:	004255A9B7783AC2E5D42D47A89A83C53C26016DB200CFCA3CAD2B5F764185FC
SHA-512:	1D810AB2390F94C9C994D5AA3EED11E5B835EA3E341354338657A32CCC5BA3D8E8BED5E3D025AFF0E585AEC1B2A743DCADF82ACC3A88956C9F03FB2B9CC07914
Malicious:	false
Preview:	2024/08/30-12:31:02.888 2180 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db since it was missing..2024/08/30-12:31:02.961 2180 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	358860
Entropy (8bit):	5.324607434052772
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6R4:C1gAg1zfvA
MD5:	7F04C409BB46EB3BC61809B13AFBD7F6
SHA1:	F2D05312466F39CE32FF15E37202A84F042E7854
SHA-256:	7C839E2F315542F86D91A3C70033114061A5F32F1D9A218335D8ECD79F7704EF
SHA-512:	00F73C6942EB11EBF521361763A9E84602D77CC199A267FF5A8F610284A0C75DB5737B937C9E294C844356DC2EAD98DD957D612437EF6097829056EA800F5748
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.1701416965497256
Encrypted:	false
SSDEEP:	6:G1923oH+TcwttaVdg2KLl7SDM+q2P923oH+TcwttaPrqIFUv:DYebDL0M+v4Yeb83FUv
MD5:	014270606C9F30A8CBA708387B4FD0BF
SHA1:	01550E0EA846D38DEE67A1D0453DF2A6EDE9B29C
SHA-256:	F7B6414820AF54ED2F05A0690070B44C2E767AA10667BD5C3272D8A6D21484A7
SHA-512:	D3FACD5ECE64B2F70DE6397E6214F882101EFF7F1B8055550B1B433B87E1322584D6983CA32466B1DE6402DC9BBFC1F8A070EEEE39E8E388F0F23F3F0C25744C
Malicious:	false
Preview:	2024/08/30-12:30:58.072 1cfc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules since it was missing..2024/08/30-12:30:58.147 1cfc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.166512315901096
Encrypted:	false
SSDEEP:	6:zUq1923oH+Tcwtt6FB2KLllDM+q2P923oH+Tcwtt65IFUv:4fYeb8FFLTM+v4Yeb8WFUv
MD5:	71EB19E5406FE8F81B45EFFBC6D9071D
SHA1:	EB80F5DFF407B2E4C96F72C106CB8E4B64984AF7
SHA-256:	19BEB0FBC18D83E48014145479D736FD724EA6E16DE5E1F356B77C1638EC58EE
SHA-512:	C8109E0E08D99B9030BE64FADAF1606A65DEC3124B4F58692CF8BA7B73A12F179F119981704708ABE7947ED9735EF64CD797959489DF5EF9EEDE03C5CBF1DAE4
Malicious:	false
Preview:	2024/08/30-12:30:58.149 1cfc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts since it was missing..2024/08/30-12:30:58.171 1cfc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.15555404682894
Encrypted:	false
SSDEEP:	6:uOM1923oH+TcwttYg2KLl4wOq2P923oH+TcwttNIFUv:uOhYebJLEv4Yeb0FUv
MD5:	A7710A0D4C98C317AA18B8290155CF5D
SHA1:	E3F86B89154D3F25099E579C0CCA30A6568246D1
SHA-256:	C093EE02683A2AA5DB0B2DAEF97AA44F9A06F4A8B5AD307162FE3E367B5F6A2A
SHA-512:	DDC575638320D8ADCC7A54FFC632CE54F8215030AA586FB845D40420707DD72FFE0CB4CA61992A86CF5BA464F45A65EDD91D904CCD01713D363993477627DDE9
Malicious:	false
Preview:	2024/08/30-12:30:59.941 1ca4 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State since it was missing..2024/08/30-12:30:59.953 1ca4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlmML:Ls3mM
MD5:	59DAB8F01D00F0F834941152ECB027BC
SHA1:	775F84C354089C685D3E3C16C861BC064E0E00F3
SHA-256:	49A62EAD1F9FFCC723B6A30415EA42F44512465A44E15E9FC6001213B0299EFE
SHA-512:	41F9AABD811AB95E0BCAE0850DE0E067A0E91530288A8A8DB3D45DD6C9AAB2820FB7A19C20E6F23B9F9C5D1A7ADB1E187875D9B338111ACAC1339098A228C044
Malicious:	false
Preview:	........................................mnXf../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.2182285738090153
Encrypted:	false
SSDEEP:	3:+8LvtFlljq7A/mhWJFuQ3yy7IOWUSU4dweytllrE9SFcTp4AGbNCV9RUIZ92:+8w75fOIbd0Xi99pEYnU
MD5:	8B83363F952E3434FD29AD70D08056C2
SHA1:	7CDB0BF86CB11DCB3579B9DF0A3F061D83AF4688
SHA-256:	B79F2B2F8501B30A67BE49BE3652602C66ED0B77C71A6C5584691F86297B96A8
SHA-512:	A8E8697FE8D084582DB874C04415FFE708F316C19FC1AD593FA5FB8A96268FB1AD5025B6F3DEBCDAFDD32D1F15567919AADF26DBFA3BE9F035362D3B25B77C6D
Malicious:	false
Preview:	............_.X....&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	379
Entropy (8bit):	5.186330697981179
Encrypted:	false
SSDEEP:	6:0pGms1923oH+TcwtRage8Y55HEZzXELIx2KLlWYbL+q2P923oH+TcwtRage8Y55U:0pG8YebRrcHEZrEkVL8Yf+v4YebRrcH0
MD5:	1AC3E90307FA9E695A58E3BAC6B0CBA5
SHA1:	EA550205397C3C780C0B08BEE527917C58C0C515
SHA-256:	FDDC3DB517F23987C992C6857085928F10251A1B3271FB32ADDF056211E9DE75
SHA-512:	7C076895C20C0D8FEC62144F00F7F911B3326BB41F8C3E6982ED65FE3C3C15F81ABAE0F45E8984CECD44D3260630EE76DD32663CA89458213FA464840547F98C
Malicious:	false
Preview:	2024/08/30-12:31:00.810 1c9c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/08/30-12:31:00.821 1c9c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.22525453243987
Encrypted:	false
SSDEEP:	6:siAB1923oH+TcwtRa2jM8B2KLl+qX9+q2P923oH+TcwtRa2jMGIFUv:aMYebRjFLQk4v4YebREFUv
MD5:	2062806463DA79E6620D8E0218108C14
SHA1:	012E69CF5DC0B9F36DD8BC6363C6A68D6718759A
SHA-256:	F5D6D8FB97465C26248C8D3E540D3FF434213EA935342926B3A832AADAE64EFD
SHA-512:	4776173F0C2A94F914DD466A020C16981BF84BFD881F4067B62E2E4B08E54641A29214BAB34751F241FEA8EDABD745568FA3D36B43E0056A98A967287D9EA373
Malicious:	false
Preview:	2024/08/30-12:30:58.560 1db8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb since it was missing..2024/08/30-12:30:59.717 1db8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\557695a0-bcfd-4d17-9656-4a4b9167e021.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\8a4ab217-44b1-4cfb-90dc-36cecbee268e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF4461d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.7600530621725264
Encrypted:	false
SSDEEP:	48:TaIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBkUD:uIEumQv8m1ccnvS6f
MD5:	3AABC99151992387281A80F67492F0AB
SHA1:	C0B67F8582905B4843A0235DC975DCC206FD6D28
SHA-256:	6360A3A6EDFF2CDE7EE2180B6F6502C859FB742F72AC0BEFE51507D3A90C0C16
SHA-512:	27910FB93355AC75B4FA75143C52F48F6B09CE805823BC4F269D292335CC392753C3BF8B6624798ACBFFD2940C4FF4DFA0B41DCB207D6C134DEE6B3230C4B64F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports~RF324b0.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\a718b114-971c-4b8f-bc74-9559ba8c1be9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\a78505d7-bc4e-4584-bf3e-bfc56f998bed.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\e09ca84d-4210-486f-8d7a-ed606d740c31.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.977588915276136
Encrypted:	false
SSDEEP:	96:stIqfLis1rb9bsqN8zG8s85eh6Cb7/x+6MhmuecmAeKciGC2Mn/EJ:stI3scqNkNs88bV+FiA8CPnMJ
MD5:	68010C8279C3BE00F8817A3BC38F0E53
SHA1:	A96CABA575447CE1770B48BA1780D31FDFA1EE62
SHA-256:	83643DB5CE7426AFB9384A626B0B910F0C48DFFA31B5C1D49ADD66F3AC5C46C7
SHA-512:	43C54A467186A3770DF46192D5507ECA8ADC22CF8BE38977422AA6F37642E0052DEF458C8F37C8864C0C0FDBD37BABA6A434F2E5D02D1F6017C8EE4C047396BC
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369509059687007","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369509059693502"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF3b46c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.977588915276136
Encrypted:	false
SSDEEP:	96:stIqfLis1rb9bsqN8zG8s85eh6Cb7/x+6MhmuecmAeKciGC2Mn/EJ:stI3scqNkNs88bV+FiA8CPnMJ
MD5:	68010C8279C3BE00F8817A3BC38F0E53
SHA1:	A96CABA575447CE1770B48BA1780D31FDFA1EE62
SHA-256:	83643DB5CE7426AFB9384A626B0B910F0C48DFFA31B5C1D49ADD66F3AC5C46C7
SHA-512:	43C54A467186A3770DF46192D5507ECA8ADC22CF8BE38977422AA6F37642E0052DEF458C8F37C8864C0C0FDBD37BABA6A434F2E5D02D1F6017C8EE4C047396BC
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369509059687007","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369509059693502"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF4299c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.977588915276136
Encrypted:	false
SSDEEP:	96:stIqfLis1rb9bsqN8zG8s85eh6Cb7/x+6MhmuecmAeKciGC2Mn/EJ:stI3scqNkNs88bV+FiA8CPnMJ
MD5:	68010C8279C3BE00F8817A3BC38F0E53
SHA1:	A96CABA575447CE1770B48BA1780D31FDFA1EE62
SHA-256:	83643DB5CE7426AFB9384A626B0B910F0C48DFFA31B5C1D49ADD66F3AC5C46C7
SHA-512:	43C54A467186A3770DF46192D5507ECA8ADC22CF8BE38977422AA6F37642E0052DEF458C8F37C8864C0C0FDBD37BABA6A434F2E5D02D1F6017C8EE4C047396BC
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369509059687007","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369509059693502"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:	3:YVXADAEvTLSJ:Y9AcEvHSJ
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\README

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.2629097520179995
Encrypted:	false
SSDEEP:	3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
MD5:	643E00B0186AA80523F8A6BED550A925
SHA1:	EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
SHA-256:	A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
SHA-512:	D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
Malicious:	false
Preview:	Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566404397670506
Encrypted:	false
SSDEEP:	768:bKSIwrWPKofDG8F1+UoAYDCx9Tuqh0VfUC9xbog/OV7mdJNrwgpGtur:bKSIwrWPKofDGu1jaGAJ25tw
MD5:	2DC1DBDFD4843B090BE59E38E313FA5E
SHA1:	94D01D1D30F9AA646CE779222D1892072659CCA1
SHA-256:	728C67CAF331E09AF7E24C43227AA2D67F35A6ED7AC1F4E715A9BECE88B11AEF
SHA-512:	3D07F9154F28191CD44EA240F8C336DBF1A786CEC668272B9C95A5F2D7147E1D993474888D2FFA1A2FD21AE97205AB42605A0DEAEFDE45040B36F66B5015D188
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369509058049402","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369509058049402","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RF38444.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566404397670506
Encrypted:	false
SSDEEP:	768:bKSIwrWPKofDG8F1+UoAYDCx9Tuqh0VfUC9xbog/OV7mdJNrwgpGtur:bKSIwrWPKofDGu1jaGAJ25tw
MD5:	2DC1DBDFD4843B090BE59E38E313FA5E
SHA1:	94D01D1D30F9AA646CE779222D1892072659CCA1
SHA-256:	728C67CAF331E09AF7E24C43227AA2D67F35A6ED7AC1F4E715A9BECE88B11AEF
SHA-512:	3D07F9154F28191CD44EA240F8C336DBF1A786CEC668272B9C95A5F2D7147E1D993474888D2FFA1A2FD21AE97205AB42605A0DEAEFDE45040B36F66B5015D188
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369509058049402","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369509058049402","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.160877598186631
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljl:S85aEFljljljl
MD5:	7733303DBE19B64C38F3DE4FE224BE9A
SHA1:	8CA37B38028A2DB895A4570E0536859B3CC5C279
SHA-256:	B10C1BA416A632CD57232C81A5C2E8EE76A716E0737D10EABE1D430BEC50739D
SHA-512:	E8CD965BCA0480DB9808CB1B461AC5BF5935C3CBF31C10FDF090D406F4BC4F3187D717199DCF94197B8DF24C1D6E4FF07241D8CFFFD9AEE06CCE9674F0220E29
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.187386893530227
Encrypted:	false
SSDEEP:	6:XAAB1923oH+TcwtSQM72KLlkabN9+q2P923oH+TcwtSQMxIFUv:1MYeb0Liah4v4YebrFUv
MD5:	016ADE2B59FB54997925015B9CE4D497
SHA1:	0FFBF204B444E83BB3628F9FD08B49436AC0117A
SHA-256:	149D096D85407B1D391875991C5981BD0DC9F025C599973DF800CFEB21758A34
SHA-512:	3373C591A48A07616AF7DC464CC2AA640B7F0D64F2F0C469A64FAD8299CB1E962887FDCBE8505A1D705909EC54C6D14394DAB70B8C39E291EB07D4612F08C692
Malicious:	false
Preview:	2024/08/30-12:31:15.794 1db8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage since it was missing..2024/08/30-12:31:15.826 1db8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.086292612500269
Encrypted:	false
SSDEEP:	6:rWGR1923oH+TcwtgUh2gr52KLleQ+q2P923oH+TcwtgUh2ghZIFUv:OYeb3hHJLh+v4Yeb3hHh2FUv
MD5:	E85813649C1D4F69922DEB985FD2A6BF
SHA1:	B1CAD8A49D56333D3C3E80E61698E315085144E7
SHA-256:	3C13C6285F967E65B3070CE287C038BA997B1FDD31AF875D9348651C6D072F3F
SHA-512:	62079936985C076256EA1BCC3A735554CEB724600BD31988529027C1BD34FFBD993A969451A89D5B314A106E0E64B5A6A8E51F68847B8BAC23733A21197D99D6
Malicious:	false
Preview:	2024/08/30-12:30:58.185 1cdc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database since it was missing..2024/08/30-12:30:58.211 1cdc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	4.989325630401085E-4
Encrypted:	false
SSDEEP:	3:LsulXEL:Ls
MD5:	BDAEC07AC7894E3EBD8CB617B7036FF3
SHA1:	51FAE590A418D681BE52DEFB17B6E8C409840270
SHA-256:	8D34399E2E35D2BF2C746630EE94A2BB5DD4E8083B4108DC0AB4D33E6200F71F
SHA-512:	51CDF099B45A502338F34C0917CDFEA529DCBD09CE480895AE06476F180F85313E1C5BAB484E9065EC6A6062AEF5753AFA0C40466FF3E35195F66B700E15E231
Malicious:	false
Preview:	.........................................'.f../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:6zE5uaBl:6A5VT
MD5:	7237B743C07965043338EFA6152424B0
SHA1:	FF81909F1A56D81E0ACB72FBFA432C4F3EFCBAD6
SHA-256:	86BBB388068A07CA30F27F804904E946939B72585CA479164548E02BE3359FBA
SHA-512:	1E4A3C8D00D15F52A1113EF8C18EF2E24B04A400291DF4022F610574946111C1F704038BE23797642F7EFE5AAE84EF6108F02B0FC4305B000711F169DB7B8D1C
Malicious:	false
Preview:	(...'...oy retne.........................:Uf../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:6zE5uaBl:6A5VT
MD5:	7237B743C07965043338EFA6152424B0
SHA1:	FF81909F1A56D81E0ACB72FBFA432C4F3EFCBAD6
SHA-256:	86BBB388068A07CA30F27F804904E946939B72585CA479164548E02BE3359FBA
SHA-512:	1E4A3C8D00D15F52A1113EF8C18EF2E24B04A400291DF4022F610574946111C1F704038BE23797642F7EFE5AAE84EF6108F02B0FC4305B000711F169DB7B8D1C
Malicious:	false
Preview:	(...'...oy retne.........................:Uf../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:t1mKaExrwDsl:GK1xkI
MD5:	360FEC04CF256484BD59030EA39DDDD2
SHA1:	A7F2AEAD4FB7E993CB99EF7A4BA69056102EF23D
SHA-256:	15C2E02B4D161FA20D6954ABCFCB08DDA8E67AB95B15DA821ED7FD5F559789A2
SHA-512:	B618789111C509D1522A93999F17B8B558118529F403FB6584D49C3ED851E3B8AC5A9BBAB45BB30CBE06C0818D13145C5036E419ED7918CE8AEDC477F486F7CC
Malicious:	false
Preview:	(...p...oy retne........................mNUf../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:t1mKaExrwDsl:GK1xkI
MD5:	360FEC04CF256484BD59030EA39DDDD2
SHA1:	A7F2AEAD4FB7E993CB99EF7A4BA69056102EF23D
SHA-256:	15C2E02B4D161FA20D6954ABCFCB08DDA8E67AB95B15DA821ED7FD5F559789A2
SHA-512:	B618789111C509D1522A93999F17B8B558118529F403FB6584D49C3ED851E3B8AC5A9BBAB45BB30CBE06C0818D13145C5036E419ED7918CE8AEDC477F486F7CC
Malicious:	false
Preview:	(...p...oy retne........................mNUf../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlDTll:Ls3nl
MD5:	5D82E553610F950DE65C4389C1A6702B
SHA1:	AB2E723E24836FE49883465E9A98319B19763BD2
SHA-256:	281DCDE36519D155BE7B7FFFC2FA4767C366E5F6515B9875D8E06D8508BC7AA4
SHA-512:	838AE1CDBE8025335294F85A436B8BA3CBC2C2CAC86BA5F7B8F2C4CCD51BD0C5AC8615287AEB623283E5E2AA036F650AF90B4B136C8D3E1EE7B5F5C7C313C5C0
Malicious:	false
Preview:	..........................................Yf../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlkRal:Ls3V
MD5:	B56BD3A59DBEECE6C7AF19BAC646C00C
SHA1:	63EAEEF94972288931862E8B4BF315E0F62A6A94
SHA-256:	1B45FAB966E7BBD6FCCA38220B17B6C208B018294C755066ADB92749B1CA25D1
SHA-512:	488BB6ADDBE1B3B8E8FEAD8AC9D0B6E4BCA6AECAEFE0688C202826CC69A1C542FE8B35CC57264DE673BC8146DE3FAD13E55A3ED5C6EABF7BDA5656CC58C69440
Malicious:	false
Preview:	.........................................]Yf../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	5.1978706714850995
Encrypted:	false
SSDEEP:	6:2AB1923oH+Tcwt0jqEKj3K/2jM8B2KLlWay9+q2P923oH+Tcwt0jqEKj3K/2jMGh:nMYebqqBvFL8ay4v4YebqqBQFUv
MD5:	A1DE70A4046BE299603C979B60546960
SHA1:	0F940017FFBDC6A65D9DA2007CCB80AF20A2046E
SHA-256:	EEE76BBFCDD4E8194813B7907F19A5A409E99EE5602E41C510A6C2C3270C6E15
SHA-512:	CE255D3C3ED22DDA9B5FEA03A3C4157302960DBA65DE92BDDF610785768F4C10976C502F5AB4347B46E5BF7C498B61354ABA5D3E27D46F9E241432F01632B0F2
Malicious:	false
Preview:	2024/08/30-12:30:59.971 1db8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/08/30-12:31:00.001 1db8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\045bb0b9-dc26-4398-b85e-db252c72aed5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\776101c8-06a3-4792-a258-61887158aab5.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\90e8cf14-49d0-46cf-8549-110992b0ba82.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF446f8.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\d9bd6c49-1870-42db-a927-24d576670057.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.7273991737283296
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
MD5:	9F7EADC15E13D0608B4E4D590499AE2E
SHA1:	AFB27F5C20B117031328E12DD3111A7681FF8DB5
SHA-256:	5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
SHA-512:	88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	393
Entropy (8bit):	5.202035173596416
Encrypted:	false
SSDEEP:	6:AAB1923oH+Tcwt0jqEKj0QM72KLlwY39+q2P923oH+Tcwt0jqEKj0QMxIFUv:lMYebqqB6LN34v4YebqqBZFUv
MD5:	6E62D2090897485AD0FDB0B3E64E19E8
SHA1:	F8C6770FCD71AA4E1D3313B9BA643AB8AA6BEC35
SHA-256:	9DCD653B716FBCFDE01CA5959090607544FF3B9F8EBBDE5B88FBD876E168B1B9
SHA-512:	6E70ADDD149CD5A2FF058B8E91FBD9F7AE45DD3C1547462997E689E2E72EFBC13D3411BBBD6247B08E65D8094DF904B7F9DF3ACBC7ECC9929A85ED7B119B2AED
Malicious:	false
Preview:	2024/08/30-12:31:15.732 1db8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/08/30-12:31:15.763 1db8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.203579608742338
Encrypted:	false
SSDEEP:	6:FFF4M1923oH+Tcwtkx2KLlymq2P923oH+TcwtCIFUv:/F4hYebkVLVv4YebLFUv
MD5:	FF9713385E1E231C0F503F15C478DD45
SHA1:	0618DFAE93A993E450A1FB77EBFEE949C60D2F15
SHA-256:	9C37522B6AC2B9179F1C7F257E6E184BA59C5F5B96A80FE57A19BBBD9C2A85CC
SHA-512:	5441DA9C394634022ECFAA85E330DEB56DDDD2E4A492AE05B7BAD658FBF6B3DB592E5FBA88A51C259C7D2662935C7A6A551F8B0944CE2B55E453CA8D384D513F
Malicious:	false
Preview:	2024/08/30-12:30:58.030 1cd4 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB since it was missing..2024/08/30-12:30:58.239 1cd4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002110589502647469
Encrypted:	false
SSDEEP:	3:ImtVuz/:IiVq/
MD5:	DBF7469B933D2E82EE0D951AB606480C
SHA1:	54E1F61394020219B60FADB1EC452DF903789466
SHA-256:	3644148C737ED428F4C15D768A190F83D85CE4EAE7FB1349EC0C2C45BC8D81F6
SHA-512:	5CA5631C724C9116ED4BC764A99C6C8D8DC557926C7E9D1642D6194076E21B3DBA5B8117D76BF1E613330E0C86C611BE04EB0A3679B39C117DB1B2EB35AE3825
Malicious:	false
Preview:	VLnk.....?........A&..+.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.0768681755619252
Encrypted:	false
SSDEEP:	192:erb2qAdB9TbTbuDDsnxCkOZSAE+WslKOMq+vVumYSyn66:e/2qOB1nxCkOZSAELyKOMq+vVumMp
MD5:	24303A21E258F79515A65739BAF0D29C
SHA1:	ECE8887DC8136CF77C01AD39A339C0FA8972D636
SHA-256:	464AA7C7E8794851FB3FDC229103454C5A7674B6CAA5828624DE5E2AD1C40E14
SHA-512:	FC59EA2ABF21F6ED2FF59BC8160A5368357767305E5269060D02ED9CC5BB046EC5F150A8DF57D0AC8CDE08A72E82B5C76F06F1B35119B3180FCFB747E34DD634
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\afc7f873-4530-4bcd-a97e-df4b46a3e29f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\cf36d5a2-6bfc-4ad7-9a34-4c2a907ca51f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.977588915276136
Encrypted:	false
SSDEEP:	96:stIqfLis1rb9bsqN8zG8s85eh6Cb7/x+6MhmuecmAeKciGC2Mn/EJ:stI3scqNkNs88bV+FiA8CPnMJ
MD5:	68010C8279C3BE00F8817A3BC38F0E53
SHA1:	A96CABA575447CE1770B48BA1780D31FDFA1EE62
SHA-256:	83643DB5CE7426AFB9384A626B0B910F0C48DFFA31B5C1D49ADD66F3AC5C46C7
SHA-512:	43C54A467186A3770DF46192D5507ECA8ADC22CF8BE38977422AA6F37642E0052DEF458C8F37C8864C0C0FDBD37BABA6A434F2E5D02D1F6017C8EE4C047396BC
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369509059687007","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369509059693502"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\f805e449-b109-4192-8641-c69eb55e45fc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24800
Entropy (8bit):	5.566319693511481
Encrypted:	false
SSDEEP:	768:bKSIwrWPKofsG8F1+UoAYDCx9Tuqh0VfUC9xbog/OV7mdJNrwlpGtuj:bKSIwrWPKofsGu1jaGAJ2ytk
MD5:	182CA42323CE4DCE3B90C33454B6A44A
SHA1:	532E9D062D626ACF74ECFB10EDB1E7603629F763
SHA-256:	AAAF31B185ADD3A6FF7EE6C79EE76165083B513857CEB231573444AE5689FC5F
SHA-512:	9554B97E57E5E749B1229271D4AB1EEE0EEE0CACE81EAB05679CB32FE2737BCFB994B1271D976CC6E749A7A4B7044BC8562DEC53380B3414B3104A71D9224210
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369509058049402","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369509058049402","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\fd01e9bd-0feb-4019-b270-85026a55d160.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6528
Entropy (8bit):	4.986392760540051
Encrypted:	false
SSDEEP:	96:stIqfLis1rb9bsqN8zG8s85eh6Cb7/x+6MhmuecmAeKcvx0Q3C2Mn/EJ:stI3scqNkNs88bV+FiAWCPnMJ
MD5:	FBF05F336F6F4CF699C31FAF54F89EC0
SHA1:	2D2059009F0AA638FA1194E531FB268195F96422
SHA-256:	97A53CEEE65883F74B17392B4CBA0A2F6BE696F8FB9201EC152FE2D64B947BBE
SHA-512:	F344BD8DD138CD8DDA06C4EF821BEB01361EF1489B030CE80078FC075A42053A21162444801DDFCF3859331143D3FFBA118C5AFBBD8B5F5E04153954E1DA5D3F
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369509059687007","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369509059693502"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\fd990e22-4e49-4fd0-9ad5-b3994408708c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566404397670506
Encrypted:	false
SSDEEP:	768:bKSIwrWPKofDG8F1+UoAYDCx9Tuqh0VfUC9xbog/OV7mdJNrwgpGtur:bKSIwrWPKofDGu1jaGAJ25tw
MD5:	2DC1DBDFD4843B090BE59E38E313FA5E
SHA1:	94D01D1D30F9AA646CE779222D1892072659CCA1
SHA-256:	728C67CAF331E09AF7E24C43227AA2D67F35A6ED7AC1F4E715A9BECE88B11AEF
SHA-512:	3D07F9154F28191CD44EA240F8C336DBF1A786CEC668272B9C95A5F2D7147E1D993474888D2FFA1A2FD21AE97205AB42605A0DEAEFDE45040B36F66B5015D188
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369509058049402","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369509058049402","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:	3:lSWFN3sl+ltlMWll:l9Fys1M
MD5:	A8E75ACC11904CB877E15A0D0DE03941
SHA1:	FBEE05EA246A7F08F7390237EA8B7E49204EF0E0
SHA-256:	D78C40FEBE1BA7EC83660B78E3F6AB7BC45AB822B8F21B03B16B9CB4F3B3A259
SHA-512:	A7B52B0575D451466A47AFFE3DCC0BC7FC9A6F8AB8194DA1F046AADA0EDDCCA76B4326AA9F19732BA50359B51EC72896BB8FA2FC23BAA6847C33AB51218511A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28499812076190567
Encrypted:	false
SSDEEP:	3:7FEG2l/jHG//l/lFll:7+/l/jG
MD5:	FA55B51A1A459B16157677D44F4D534D
SHA1:	7BA80418D30F684DC9DB0AF81BBB8170E45D79F0
SHA-256:	64ED15BB70DE01BD29847A31CF43FE5B1B9830AF32F30D24A418C6C641AEDB17
SHA-512:	2E0D2A2C4B0B38C7C9CFBDC71A008B170E7498D75BF5CD14801F895F8F712F44F1106DB14B4ED4E08ED4A053E07F03F3D8BE1562692FDFD48E837AAEF5A893E3
Malicious:	false
Preview:	.... .c......57.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04998394447396411
Encrypted:	false
SSDEEP:	6:GLW0CuRweE0TW0CuRweE+L9X8hslotGLNl0ml/XoQDeX:aCuZEQCuZEuGEjVl/XoQ
MD5:	256853E9365F3973441145A2619BB06B
SHA1:	A21DEE4A2DB16E4690869558A6F3B18B32A3D495
SHA-256:	23323D54BB7DB512AFC2D8F07D75773EDA74B7E63EAFD001E74DB15584F2F0EC
SHA-512:	07761035897E35BAF40C788A62E2CBC7B42476A7B0F10BA9EE02FC136F04354DE5588E85ACE3F6F6C3286410347D555FDD73795058D65557B43772C1653D2BBE
Malicious:	false
Preview:	..-.........................!...0.!.L..v.9sk.+..-.........................!...0.!.L..v.9sk.+........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	70072
Entropy (8bit):	0.9972426366767843
Encrypted:	false
SSDEEP:	48:xzxYNt/6lO+/cbX+ln9VAKAFXX+YR2VAKAFXX+JoxOqVAKAFXX+EnUYVAKAFXX+J:FxA/yJGNsY/NswO5NsPNsaXW
MD5:	2046D9DE8837154216C2F05362EE56DE
SHA1:	2D375C8F867C8E1F2E16FBC0E1727BD48D5437F1
SHA-256:	0B8CEA23BE0DD5D1FF49E8699CE68704C983A15DF0F400EA78086A550EF109B3
SHA-512:	8FFFA223C8CC30D105C16AD9027CE7827F84D36C62B387D20668EBA2CD363AD984D5504422F5933154CB94957060BFA0953E8C8725FEC50BC05C4F12B7F5CD46
Malicious:	false
Preview:	7....-............0.!.L.....tL............0.!.L.-.B.&s..SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1566
Entropy (8bit):	5.484124229322949
Encrypted:	false
SSDEEP:	48:gEQ8ZbLSBSGQtP0HRHSxgIYjIYqzqqkHMYjMY9yxAlkfAlkZ0c3X:tC0GQyIYjIYqzqbHMYjMYCYcYWN3X
MD5:	7EEF380ADBE4143FB06EEEBB9F856535
SHA1:	8A395F199F32C5FBE9F012EFAAC720387FFB98EE
SHA-256:	7B735F4FBEB7D0A3BAC1A6D822E7C43A71FD90F5EAF1826EE126ED4697FC1DBD
SHA-512:	03F41BA3063699C4F42951FF119F0216B3F72FE34100D7C4A2D4C1897E04A75161B42300BA0BF611D525C04F9BC9FF92BD00FC6B8AE17019E41ACC0C68A67AE8
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..&f....................................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel.....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch......4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton.....&4_IPH_FocusHelpBubbleScreenReaderPromo.$IPH_FocusHelpBubbleScreenReaderPromo......4_IPH_GMCCastStartStop...IPH_GMCCastStartStop......4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode......4_IPH_LiveCaption...IPH_LiveCaption......4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage....."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch.....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeature......4_IPH_PriceTrackingChipFeature"..IPH_PriceTrackingChipFeature.....&4_IPH_PriceTrackingEmailConsentFeature.$IPH_PriceTrackingEmailConsentFeature.....-4_IPH_PriceTrackingPageActionIconLabelFeature1.+IPH_PriceTrackingPageActionIconLabelFe

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.258775244067926
Encrypted:	false
SSDEEP:	6:J11923oH+Tcwt0rl2KLlLPf9+q2P923oH+Tcwt0rK+IFUv:JoYebeL5wv4Yeb13FUv
MD5:	8AF6C0CE685E32E9B3DC3B4C53264020
SHA1:	D39F8DB8325B2485813A14DE1F61BB0F32EEADED
SHA-256:	903A70FF88DDCA9CDC0532A43073E47A76F26BDD64840CF8B4FB8BDE27C301CB
SHA-512:	CC7AB65CA1DA1B4419666CEF160C3EF58F8D06AB27CFE82F021C776896BA74B9F338AC460D1BD75F197B1CA2A98754BD6887B2B9FA284EBD5AE7BB3A1706A354
Malicious:	false
Preview:	2024/08/30-12:30:59.369 1cd8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db since it was missing..2024/08/30-12:30:59.613 1cd8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	729
Entropy (8bit):	3.958141412815535
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Wui+it/4JbZfPStub/RG0lbANqa:G0nYUtypD3RXi6FZfc25m
MD5:	FBC524D02048C176A0A5D1B8B752932A
SHA1:	294C48557549A4C978326D9B7969E293A024F157
SHA-256:	F3FC95AE128DB918FC126F15CD9D96618482BA6ACCC622AAA19B10CE80B15EA0
SHA-512:	9B6434442E11610B8B5DDA43AA56656599925C9C8F0A364DDB69D15B37A912D223EE600012468E0DB723CAF3546FFBDF56F085A0159EA7968BBACE894AAFF856
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....!....................3_.....n.b..................4_.........................37_.......`.................38_.....].$&.................39_.....4.9..................20_......R...................20_.......1..................19_......(...................18_.....:.=..................3_......W2..................4_.....)..>.................37_..........................38_.....h.#..................39_.....P"...................9_.........................9_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.231987364991464
Encrypted:	false
SSDEEP:	6:JpRD1923oH+Tcwt0rzs52KLlDWX9+q2P923oH+Tcwt0rzAdIFUv:vQYeb99LlWov4YebyFUv
MD5:	50E10E0C2DAFE0EF1049458382B3C5EF
SHA1:	F3B853F3C90351A8DF5DA4EAFF8D6BCA924F1D25
SHA-256:	944C6C390CD790490B3E98031960C359220DA4C26B5B10D0851F857261F98453
SHA-512:	2D86C1491239AA93F15348421C74D6C8A750C5867CD0BCEF91A907079589C7C0957C1F348D5B23AD88DDA94BB9F63A65B1FC7B43CB460485C0511737AE428A08
Malicious:	false
Preview:	2024/08/30-12:30:59.257 1cd8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata since it was missing..2024/08/30-12:30:59.366 1cd8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.400746676417616E-4
Encrypted:	false
SSDEEP:	3:LsNls:Ls3
MD5:	D4EAC2380E8604BA396409D0D0036A57
SHA1:	B2636AB9200555CD3678CD8B916C892AC3A505DB
SHA-256:	D5D06865AFD9872B6ED6B329CDD85FB2CA1A1E2367A6BE2E047C4B81DA93AC21
SHA-512:	2672CD56F320A6E73140957ED7AB98F2A596EBB28899D96ABE87B19F81991C461E04BDB3F772CD859E85FA1E592C771D864AF60B4C328092949C235A6654523A
Malicious:	false
Preview:	........................................f.Sf../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNl6R+/:Ls36R+
MD5:	B2660094F69B00159F1B990919006EB1
SHA1:	10934EA18DCD473A323D1F4DEF108C8D05E79FCC
SHA-256:	1B656C8F262F380C76B4CAB3270F27977F9C4BFC2DC88B840B11B6CDC241276B
SHA-512:	219462D906626347306D1DCC86F01EDA81C7C00DE491923571C2B7B9DB4B9417617F7B02B6FD0D7814B783625A3EE9F8BB6FBD8A4EDFDCAB9A8360F3098E37C5
Malicious:	false
Preview:	.........................................>Uf../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF31648.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF31658.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF318b9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF318c9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF33fe8.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF37a32.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF4024e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF4296e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF489ed.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.536477595395229
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtptxaPoHKjyTJA9oawCsc6yikBJdXBuBuwBvadyNhAz+XLQQRZ:YuBqDPafXXaPoTTq9ZmogBzBv1Az+UB0
MD5:	2C2506DAE0E953664ED12BD11EDE771D
SHA1:	52EC40EB892BA8B24663EFC3189C483C96E808ED
SHA-256:	6CE82203CD10E99177E72FC2CBE2A75A5D4D30DF885BCB3B62817C161A8A657F
SHA-512:	73B11016A8FE893CE2F89BE77931E003A71E84795C77F72AAA9E221326D1636BF704A42DCD72DA4CF8852818D95660F97A04C7E6A20EAEC19CFBDAFF314AE582
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369509057296144","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725035457"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.400746676417616E-4
Encrypted:	false
SSDEEP:	3:LsNld/:Ls3d
MD5:	54FABD97296761059B4D456B0AD99A97
SHA1:	D86B6DF7DCE2A76CEF69215010EFF392C875C5C1
SHA-256:	EE3695D58CFED6A492D9CC8CF2000E5D5DAF979DF22CE4EBD827B3804CEC67CE
SHA-512:	58D5F1DD7E7FDCA699E88154C3D377CB59A770BD85E2590B39936947DC4FB78A8E8828CF1FBA258D4459F06658E15F9FE76CB804694531B56808E083B5C32773
Malicious:	false
Preview:	........................................oS/f../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.5724312513221195
Encrypted:	false
SSDEEP:	3:kDnaV6bVon:kDYa2
MD5:	5692162977B015E31D5F35F50EFAB9CF
SHA1:	705DC80E8B32AC8B68F7E13CF8A75DCCB251ED7D
SHA-256:	42CCB5159B168DBE5D5DDF026E5F7ED3DBF50873CFE47C7C3EF0677BB07B90D4
SHA-512:	32905A4CC5BCE0FE8502DDD32096F40106625218BEDC4E218A344225D6DF2595A7B70EEB3695DCEFDD894ECB2B66BED479654E8E07F02526648E07ACFE47838C
Malicious:	false
Preview:	edgeSettings_2.0-0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.493433469104717
Encrypted:	false
SSDEEP:	3:kfKbQSQSuLA5:kyUc5
MD5:	3F90757B200B52DCF5FDAC696EFD3D60
SHA1:	569A2E1BED9ECCDF7CD03E270AEF2BD7FF9B0E77
SHA-256:	1EE63F0A3502CFB7DF195FABBA41A7805008AB2CCCDAEB9AF990409D163D60C8
SHA-512:	39252BBAA33130DF50F36178A8EAB1D09165666D8A229FBB3495DD01CBE964F87CD2E6FCD479DFCA36BE06309EF18FEDA7F14722C57545203BBA24972D4835C8
Malicious:	false
Preview:	synchronousLookupUris_636976985063396749.rel.v2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.9904355005135823
Encrypted:	false
SSDEEP:	3:0xXF/XctY5GUf+:0RFeUf+
MD5:	E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:	5AAAC173107C688C06944D746394C21535B0514B
SHA-256:	EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:	837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:	false
Preview:	topTraffic_170540185939602997400506234197983529371

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\c84f2004-dcd1-4ba0-8ce6-4f3411248c69.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3335
Entropy (8bit):	5.598686792435549
Encrypted:	false
SSDEEP:	96:0q8NkC1fXXaPv9ZZLdBTeCvNu16Jkkc4SDS4S4SDS2I4a:/8Nb8PF7i712kk0
MD5:	B96117F65036FC2AC385A222C82D5478
SHA1:	9CDBEC2E4CE25CE2AA09807BC3B60DD6CBEDF5B8
SHA-256:	159B798BF0C8FC436A381A20DE267819E48D6C6AB277429C8940BE8565EBC77C
SHA-512:	2FBC1D783D9292DBF94B97727D6114308BF50D314854F780C9ED3FD7F2F0A40569838CE615164F575B03074DD86EA7FB790E100A2049AB57149BA6BB35454E6E
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACnWmdOP3QmRINP2C7CWDY3EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAACSRFxoGKo+TtlQIo60hduHGhMC7KK2RC0bVLhxUlaAAAAAAAOgAAAAAIAACAAAAA/VYZ7+bOWY9wOphM7Oa+zInjS4g8h1MChgv5D0b8EkTAAAACdDLZkgeGmNWk3BQDnXtnmQJULcnPNdQs5s8hkbJ43n/62Jc5BKWYBOyI5dCBOxo9AAAAAPVf0baxcCnlBtJG91eXlTFi8+dcHBDovUy52t82SxSbMJXox2jzO0sLB4f+2EUsK/7CENbxVBeU4onvnMddCOw=="},"policy":{"last_statist

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\eb3a71fa-b145-43ea-92ae-bb6a5983cc48.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70011
Entropy (8bit):	6.072268500455389
Encrypted:	false
SSDEEP:	1536:LMGQ5XMBGnk88bieMo4+HrbYo6BKLMyOTCPcgEqksQmb:LMrJM8nyL42UogyFEzsQmb
MD5:	F70761F613F975A925152553047AF12A
SHA1:	2DE31F9CD395E108613E70F3B8E5020CC1D9E0DD
SHA-256:	6CB4ED35A51459C5DFF16400B66E4B548DE79CC2E2ADB474066214E9D96F3ECB
SHA-512:	A1FCDC59EF966083CBDA073CFDF2BB4B1926E9BAA71CD8191B917358A18D1A09BF43E88ECE4948B59A35BA10873C44A142802944B0E4474B6501444059879C3F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0d2f4857-129a-4c0b-9770-bc2cfb6a01c3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.096172992778054
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBHFuQhDO6vP6OoCc/koBPWODcGoup1Xl3jVzXr4CW:z/Ps+wsI7yOE66ICgchu3VlXr4CRo1
MD5:	436F9D306362DEEDA9804B0416D404AF
SHA1:	74F8AE01320CE3B61E94B4B1D9FEC0CDE952D348
SHA-256:	2D694F940202C0B85D7C7239CD4432663B223D32E2EAFD4174E3AD0E03B74723
SHA-512:	7135E47B4C7DCBACBA31B7E0D12975A31F5E37A1D88588696838C36C08E5D6181C50A14D052C4D6B3E8D4B52642C506923A04D8755CA48CE362F492D38C0149A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\2bd33513-d39d-4bae-b029-c5d7abe301bb.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.096181847960014
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBHFuQhDO6vP6OoCcTkoBPWODcGoup1Xl3jVzXr4CW:z/Ps+wsI7yOE66ICQchu3VlXr4CRo1
MD5:	F64900D4B71C760A9D69ED8D7ACE84CB
SHA1:	FD82730E5CC207F13B4C726E53B45129F76BED40
SHA-256:	D5CFC6DEC368727C806E80337CDC4A4A3EF75D767D0ED430F98AD06B8D7A68EF
SHA-512:	88BB0F33C7A566D59493113285AA9E6C0C9ACB1E33706E235688D4DD7B7A022D433051317B752970FFA9544C1569903AADA88F1C0BBF1C367CBB48B2A5FA9677
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\51948076-25a9-40b1-a19c-59b49bf5188a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44689
Entropy (8bit):	6.096104445741073
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBHFuQhDO6vP6OoCwFkC5cWcGoup1Xl3jVzXr4CCAg:z/Ps+wsI7yOE66ICYchu3VlXr4CRo1
MD5:	071AEFDABFA9D64FFA1E02B6881F28E0
SHA1:	6F8521F9470396F407DF23C1B7C01DD997E93EDD
SHA-256:	5E5F452BFECAB7E0364CEFA0EB9CC1FE711878B8B0BC100C4CC2C0324F11AE57
SHA-512:	748CCC881E7E15AE5182375D74DBAE440FC3F69533A8BAE038DDA6D8096F3EDA87F2D288AB2343568539E51194B09A91DBE3B8A13ED2256F5676164D5EE6F047
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\80341595-fd16-4b6d-90f8-4b852f172555.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44688
Entropy (8bit):	6.096112975769078
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBHwuQhDO6vP6OoCwvmkC5cWcGoup1Xl3jVzXr4CCz:z/Ps+wsI7yOE96ICe+chu3VlXr4CRo1
MD5:	F859A5684E0FF1C736D7A2EBAC9BA3D0
SHA1:	55BD43AB9B2BA122430C39EE4EE69A204E96ACF4
SHA-256:	E2A0331E8EF938806D1BC2F8124F39D0A563C33AE420E5401997279B55D67005
SHA-512:	22E9D2D95C94FFFC080FC2CC108F040F72A0C4CE6F17440704146E2C30193C7C18B21307BA7E90E5DED19DFD913B6B5F23EE13487A76C0E53BE0CE4C17B670D1
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9a105d98-77cb-4834-ac42-f35b75b95bc1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44689
Entropy (8bit):	6.096104445741073
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBHFuQhDO6vP6OoCwFkC5cWcGoup1Xl3jVzXr4CCAg:z/Ps+wsI7yOE66ICYchu3VlXr4CRo1
MD5:	071AEFDABFA9D64FFA1E02B6881F28E0
SHA1:	6F8521F9470396F407DF23C1B7C01DD997E93EDD
SHA-256:	5E5F452BFECAB7E0364CEFA0EB9CC1FE711878B8B0BC100C4CC2C0324F11AE57
SHA-512:	748CCC881E7E15AE5182375D74DBAE440FC3F69533A8BAE038DDA6D8096F3EDA87F2D288AB2343568539E51194B09A91DBE3B8A13ED2256F5676164D5EE6F047
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66D1F3D9-2328.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.12960215655867577
Encrypted:	false
SSDEEP:	768:/2btSKC6E2hem2GgDoSR3Nq1AeRGOBTiP1fTd+Yv3+RGO:/2hSKtEyeXVHNq1AeRGwyhTgYv3+RG
MD5:	02F8D6FA8D00802A8F20C677A7BBD9E2
SHA1:	1A16CC5C7B0784022D513CCB3731CFBCCB67C603
SHA-256:	D25151E51CE19144BAD10EF6E1BC2691289A9F57DA3F08441F37C80A01F30332
SHA-512:	18999063A774062F378A34B064EDEA77CE3FAFC45CD1A6A8E5B132768160BC61CFF1943757FE6C756299D058B8BB7AB442DDEB9141F59F623B6DC366D575FAB6
Malicious:	false
Preview:	...@..@...@.....C.].....@...............h'.. ...............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".wccloa20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............(......................w..U].0r........>.........."....."...24.."."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...u...V.S@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2.........5...... .2.......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.132041621771752
Encrypted:	false
SSDEEP:	3:FiWWltlApdeXKeQwFMYLAfJrAazlYBVP/Sh/JzvPWVcRVEVg3WWD5x1:o1ApdeaEqYsMazlYBVsJDu2ziy5
MD5:	845CFA59D6B52BD2E8C24AC83A335C66
SHA1:	6882BB1CE71EB14CEF73413EFC591ACF84C63C75
SHA-256:	29645C274865D963D30413284B36CC13D7472E3CD2250152DEE468EC9DA3586F
SHA-512:	8E0E7E8CCDC8340F68DB31F519E1006FA7B99593A0C1A2425571DAF71807FBBD4527A211030162C9CE9E0584C8C418B5346C2888BEDC43950BF651FD1D40575E
Malicious:	false
Preview:	sdPC......................X..<EE..r/y..."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................fdb35e9f-12f5-40d5-8d50-87a9333d43a4............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\1e9cc6ab-1c35-4197-b9ee-f05f9d16fc1d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.5695009320553455
Encrypted:	false
SSDEEP:	768:wivG21WPHSfit8F1+UoAYDCx9Tuqh0VfUC9xbog/OVaPpAgrw8mpHtuj:wivG21WPHSfitu1javBAR8ytk
MD5:	A45A0ABC684C8D105844997C10113668
SHA1:	0B79EFD9604DA0EBA76F0EFA8A500F511F99F4B0
SHA-256:	4B4906B2F0CA67A924A317E3A202848CBE9E5450AA44AA213A6360F349D07573
SHA-512:	D2DDEB87F0A3067266515D0DC385AB66827446C460CD7935D23AABA06D50909248F3CE77BBAB30357602679934D3500E96DE7941052BA8292A573D29DD2D6DA6
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369509073626076","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369509073626076","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\5348b030-0c52-4300-b329-ddd625069e52.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\8be3b200-bb5e-4fcc-a690-7d7e8e2c11c3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.154722562540134
Encrypted:	false
SSDEEP:	6:kXN+q2P923oH+TcwtnG2tMsIFUt8HljFmWZmw+HljFNVkwO923oH+TcwtnG2tMsd:kN+v4Yebn9GFUt8HljFmW/+HljFNV5L5
MD5:	F86C419C18D8FCBD392EE6B44DBDE8B9
SHA1:	A67301AFC45A0CEEA9DA8CA463B4E7DB8E0E7660
SHA-256:	7DDE6646C2F8FA54474479264DA024EF982DD3EFF553267BE1072BA6281E3807
SHA-512:	3BB8E4279305ECD1E008BA50CEDD3F3F6E0F8F63A7E8CE0FEE9BDA30240386AB0AD6B9C7C70D02B27B923CE6180B6CAEC94C22C759BD997FA1D713564D69B6BD
Malicious:	false
Preview:	2024/08/30-12:31:13.851 22ec Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/30-12:31:13.853 22ec Recovering log #3.2024/08/30-12:31:13.853 22ec Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.154722562540134
Encrypted:	false
SSDEEP:	6:kXN+q2P923oH+TcwtnG2tMsIFUt8HljFmWZmw+HljFNVkwO923oH+TcwtnG2tMsd:kN+v4Yebn9GFUt8HljFmW/+HljFNV5L5
MD5:	F86C419C18D8FCBD392EE6B44DBDE8B9
SHA1:	A67301AFC45A0CEEA9DA8CA463B4E7DB8E0E7660
SHA-256:	7DDE6646C2F8FA54474479264DA024EF982DD3EFF553267BE1072BA6281E3807
SHA-512:	3BB8E4279305ECD1E008BA50CEDD3F3F6E0F8F63A7E8CE0FEE9BDA30240386AB0AD6B9C7C70D02B27B923CE6180B6CAEC94C22C759BD997FA1D713564D69B6BD
Malicious:	false
Preview:	2024/08/30-12:31:13.851 22ec Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/30-12:31:13.853 22ec Recovering log #3.2024/08/30-12:31:13.853 22ec Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF372fe.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.154722562540134
Encrypted:	false
SSDEEP:	6:kXN+q2P923oH+TcwtnG2tMsIFUt8HljFmWZmw+HljFNVkwO923oH+TcwtnG2tMsd:kN+v4Yebn9GFUt8HljFmW/+HljFNV5L5
MD5:	F86C419C18D8FCBD392EE6B44DBDE8B9
SHA1:	A67301AFC45A0CEEA9DA8CA463B4E7DB8E0E7660
SHA-256:	7DDE6646C2F8FA54474479264DA024EF982DD3EFF553267BE1072BA6281E3807
SHA-512:	3BB8E4279305ECD1E008BA50CEDD3F3F6E0F8F63A7E8CE0FEE9BDA30240386AB0AD6B9C7C70D02B27B923CE6180B6CAEC94C22C759BD997FA1D713564D69B6BD
Malicious:	false
Preview:	2024/08/30-12:31:13.851 22ec Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/08/30-12:31:13.853 22ec Recovering log #3.2024/08/30-12:31:13.853 22ec Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.155599322562505
Encrypted:	false
SSDEEP:	6:K+q2P923oH+Tcwt8aPrqIFUt8kZmw+EVkwO923oH+Tcwt8amLJ:rv4YebL3FUt8k/+E5LYebQJ
MD5:	AF4A308D632041CF2B0A9606293D89C2
SHA1:	A51A3DC694303B1E84CF571FD595F7BA9EE059B6
SHA-256:	FB55E75F0133C3C9306D89643436EAB46F44342397340377D9004143B4351BAD
SHA-512:	2C5B85E2CC3E6286AE8F2D1720C48B52D411605DF5CBA7D40337BA4F8F223097B83D081FC54F8C7140903969C5319806E3A3C8A0494358C93E837B6AD0257D4F
Malicious:	false
Preview:	2024/08/30-12:31:13.691 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/30-12:31:13.692 22d8 Recovering log #3.2024/08/30-12:31:13.692 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.155599322562505
Encrypted:	false
SSDEEP:	6:K+q2P923oH+Tcwt8aPrqIFUt8kZmw+EVkwO923oH+Tcwt8amLJ:rv4YebL3FUt8k/+E5LYebQJ
MD5:	AF4A308D632041CF2B0A9606293D89C2
SHA1:	A51A3DC694303B1E84CF571FD595F7BA9EE059B6
SHA-256:	FB55E75F0133C3C9306D89643436EAB46F44342397340377D9004143B4351BAD
SHA-512:	2C5B85E2CC3E6286AE8F2D1720C48B52D411605DF5CBA7D40337BA4F8F223097B83D081FC54F8C7140903969C5319806E3A3C8A0494358C93E837B6AD0257D4F
Malicious:	false
Preview:	2024/08/30-12:31:13.691 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/08/30-12:31:13.692 22d8 Recovering log #3.2024/08/30-12:31:13.692 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.188780773538394
Encrypted:	false
SSDEEP:	6:5jL+q2P923oH+Tcwt865IFUt88Qv5Zmw+8QSbd3VkwO923oH+Tcwt86+ULJ:9yv4Yeb/WFUt8p5/+UT5LYeb/+SJ
MD5:	E73770AE12440A2E6543A8A0CF37F1E4
SHA1:	10180BF53DEFEAA947860B5522A6BBD1BDA6DE3A
SHA-256:	27FF70A1173A04B33157294C55AA1FBF73DAF561BD5B42C8B7481EE9621A5852
SHA-512:	38272F773E4CB392F23FB8EC238736C69A00BAB33370555ADEB2E3774957645CC78B3FA637B4B9D137DDE0CD6C51F8C64DA20D8F79F0CE5E76AE3574BFA63E73
Malicious:	false
Preview:	2024/08/30-12:31:13.742 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/30-12:31:13.756 22d8 Recovering log #3.2024/08/30-12:31:13.757 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.188780773538394
Encrypted:	false
SSDEEP:	6:5jL+q2P923oH+Tcwt865IFUt88Qv5Zmw+8QSbd3VkwO923oH+Tcwt86+ULJ:9yv4Yeb/WFUt8p5/+UT5LYeb/+SJ
MD5:	E73770AE12440A2E6543A8A0CF37F1E4
SHA1:	10180BF53DEFEAA947860B5522A6BBD1BDA6DE3A
SHA-256:	27FF70A1173A04B33157294C55AA1FBF73DAF561BD5B42C8B7481EE9621A5852
SHA-512:	38272F773E4CB392F23FB8EC238736C69A00BAB33370555ADEB2E3774957645CC78B3FA637B4B9D137DDE0CD6C51F8C64DA20D8F79F0CE5E76AE3574BFA63E73
Malicious:	false
Preview:	2024/08/30-12:31:13.742 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/08/30-12:31:13.756 22d8 Recovering log #3.2024/08/30-12:31:13.757 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.174137081335816
Encrypted:	false
SSDEEP:	6:2/esSQ+q2P923oH+Tcwt8NIFUt85LgZmw+5LQVkwO923oH+Tcwt8+eLJ:8SVv4YebpFUt8Bg/+BI5LYebqJ
MD5:	30C287E6EA04475917B925529EDA0182
SHA1:	065A863E1FC1266A97ECF0AD318E4F2B862D2EE5
SHA-256:	F6C5E6AF0EABD6C330F5FC8660D21658282ED81AB3EC5273ACB8207A526BBC04
SHA-512:	28BF557160D6FB6773443127796BACAF8D891ACA9A47E76CC31D731CBA15BB6DAF4FE3877E791FCAFC4553799EBB5DBBB37C3B5006383D49056A8FFDB99AD9A5
Malicious:	false
Preview:	2024/08/30-12:31:21.397 1b98 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/30-12:31:21.398 1b98 Recovering log #3.2024/08/30-12:31:21.398 1b98 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.174137081335816
Encrypted:	false
SSDEEP:	6:2/esSQ+q2P923oH+Tcwt8NIFUt85LgZmw+5LQVkwO923oH+Tcwt8+eLJ:8SVv4YebpFUt8Bg/+BI5LYebqJ
MD5:	30C287E6EA04475917B925529EDA0182
SHA1:	065A863E1FC1266A97ECF0AD318E4F2B862D2EE5
SHA-256:	F6C5E6AF0EABD6C330F5FC8660D21658282ED81AB3EC5273ACB8207A526BBC04
SHA-512:	28BF557160D6FB6773443127796BACAF8D891ACA9A47E76CC31D731CBA15BB6DAF4FE3877E791FCAFC4553799EBB5DBBB37C3B5006383D49056A8FFDB99AD9A5
Malicious:	false
Preview:	2024/08/30-12:31:21.397 1b98 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/30-12:31:21.398 1b98 Recovering log #3.2024/08/30-12:31:21.398 1b98 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old~RF3734d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.174137081335816
Encrypted:	false
SSDEEP:	6:2/esSQ+q2P923oH+Tcwt8NIFUt85LgZmw+5LQVkwO923oH+Tcwt8+eLJ:8SVv4YebpFUt8Bg/+BI5LYebqJ
MD5:	30C287E6EA04475917B925529EDA0182
SHA1:	065A863E1FC1266A97ECF0AD318E4F2B862D2EE5
SHA-256:	F6C5E6AF0EABD6C330F5FC8660D21658282ED81AB3EC5273ACB8207A526BBC04
SHA-512:	28BF557160D6FB6773443127796BACAF8D891ACA9A47E76CC31D731CBA15BB6DAF4FE3877E791FCAFC4553799EBB5DBBB37C3B5006383D49056A8FFDB99AD9A5
Malicious:	false
Preview:	2024/08/30-12:31:21.397 1b98 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/08/30-12:31:21.398 1b98 Recovering log #3.2024/08/30-12:31:21.398 1b98 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.158511937293365
Encrypted:	false
SSDEEP:	6:K3uN+q2P923oH+Tcwt8a2jMGIFUt8X7XZmw+JuNVkwO923oH+Tcwt8a2jMmLJ:K+Iv4Yeb8EFUt8X7X/+J25LYeb8bJ
MD5:	8967E7E1C6FFD6399FEAB148933FE536
SHA1:	7B3FFCB1C00BC3FEF463020DFBA4FAF11E9B3339
SHA-256:	C7FEA389D788E33F89A1EF9A3FD559AEFB939715DA3E1010FC5A7BD2B87D9800
SHA-512:	44E11D5F6E1099E9CB3347868503DEDB36E0EF6F5CC3820C5554CE204D9D05396BCC13323E042A9AA3CECBA5F5F29DDC59301C2D6CC599591483E87BB9AAD3B2
Malicious:	false
Preview:	2024/08/30-12:31:14.745 1e68 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/08/30-12:31:14.786 1e68 Recovering log #3.2024/08/30-12:31:14.800 1e68 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.158511937293365
Encrypted:	false
SSDEEP:	6:K3uN+q2P923oH+Tcwt8a2jMGIFUt8X7XZmw+JuNVkwO923oH+Tcwt8a2jMmLJ:K+Iv4Yeb8EFUt8X7X/+J25LYeb8bJ
MD5:	8967E7E1C6FFD6399FEAB148933FE536
SHA1:	7B3FFCB1C00BC3FEF463020DFBA4FAF11E9B3339
SHA-256:	C7FEA389D788E33F89A1EF9A3FD559AEFB939715DA3E1010FC5A7BD2B87D9800
SHA-512:	44E11D5F6E1099E9CB3347868503DEDB36E0EF6F5CC3820C5554CE204D9D05396BCC13323E042A9AA3CECBA5F5F29DDC59301C2D6CC599591483E87BB9AAD3B2
Malicious:	false
Preview:	2024/08/30-12:31:14.745 1e68 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/08/30-12:31:14.786 1e68 Recovering log #3.2024/08/30-12:31:14.800 1e68 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF35a56.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\c627aa2f-fd1e-4da3-a549-ebcc193669cb.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\fb5d44c9-e2a3-4d50-8f78-d7b8490c2cc8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\ff70330e-d169-4146-9446-cad4af17c1c4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.092535003094333
Encrypted:	false
SSDEEP:	192:stU4swx8CZihnkDsY8bV+FiA66WbKaFIMYgbLMJ:stU4swx8xhTbGix6WbKaTYP
MD5:	02B5A6CA0ACD31E96406FCB419560BD7
SHA1:	FCC86EA3C01A413C0BAA3C1756687B4666FA43C3
SHA-256:	9718F6ACB7259C1D981173A52CEACC86FD7C87873D66E633BA1609454F31080D
SHA-512:	F4CF376501DBBA231C02294F8812FEBFE59CF611601211DF96FF0CD34E5FCC243A51E4E646868BB19459B6579C0357511EF24A5821C7B97C3648C6089D6C905C
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369509073894998","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369509073887086"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF373d9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.092535003094333
Encrypted:	false
SSDEEP:	192:stU4swx8CZihnkDsY8bV+FiA66WbKaFIMYgbLMJ:stU4swx8xhTbGix6WbKaTYP
MD5:	02B5A6CA0ACD31E96406FCB419560BD7
SHA1:	FCC86EA3C01A413C0BAA3C1756687B4666FA43C3
SHA-256:	9718F6ACB7259C1D981173A52CEACC86FD7C87873D66E633BA1609454F31080D
SHA-512:	F4CF376501DBBA231C02294F8812FEBFE59CF611601211DF96FF0CD34E5FCC243A51E4E646868BB19459B6579C0357511EF24A5821C7B97C3648C6089D6C905C
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369509073894998","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369509073887086"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.5695009320553455
Encrypted:	false
SSDEEP:	768:wivG21WPHSfit8F1+UoAYDCx9Tuqh0VfUC9xbog/OVaPpAgrw8mpHtuj:wivG21WPHSfitu1javBAR8ytk
MD5:	A45A0ABC684C8D105844997C10113668
SHA1:	0B79EFD9604DA0EBA76F0EFA8A500F511F99F4B0
SHA-256:	4B4906B2F0CA67A924A317E3A202848CBE9E5450AA44AA213A6360F349D07573
SHA-512:	D2DDEB87F0A3067266515D0DC385AB66827446C460CD7935D23AABA06D50909248F3CE77BBAB30357602679934D3500E96DE7941052BA8292A573D29DD2D6DA6
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369509073626076","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369509073626076","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.148896190821233
Encrypted:	false
SSDEEP:	6:KtMq2P923oH+TcwtrQMxIFUt8XD9Zmw+XXkwO923oH+TcwtrQMFLJ:KtMv4YebCFUt8XD9/+XX5LYebtJ
MD5:	A6B413AB4BBD3508B282FF50FCB31C88
SHA1:	A4838694334A2749C4DA6A34CAD3EAF8590732A7
SHA-256:	272F44264CA0456AA11D998E58C3BAF1E45D82657FCC3DCD7DF5FEAEB41F671D
SHA-512:	05AA8583E5BF59BE61C40D395B3D4FA7191D38BEF0F657B4401BF3CEEA64ECB163C6268DE64751AB558B05981153B8F07BB14AC26A5ABCC46FC83907A093B2D7
Malicious:	false
Preview:	2024/08/30-12:31:14.744 1f94 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/08/30-12:31:14.786 1f94 Recovering log #3.2024/08/30-12:31:14.791 1f94 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.148896190821233
Encrypted:	false
SSDEEP:	6:KtMq2P923oH+TcwtrQMxIFUt8XD9Zmw+XXkwO923oH+TcwtrQMFLJ:KtMv4YebCFUt8XD9/+XX5LYebtJ
MD5:	A6B413AB4BBD3508B282FF50FCB31C88
SHA1:	A4838694334A2749C4DA6A34CAD3EAF8590732A7
SHA-256:	272F44264CA0456AA11D998E58C3BAF1E45D82657FCC3DCD7DF5FEAEB41F671D
SHA-512:	05AA8583E5BF59BE61C40D395B3D4FA7191D38BEF0F657B4401BF3CEEA64ECB163C6268DE64751AB558B05981153B8F07BB14AC26A5ABCC46FC83907A093B2D7
Malicious:	false
Preview:	2024/08/30-12:31:14.744 1f94 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/08/30-12:31:14.786 1f94 Recovering log #3.2024/08/30-12:31:14.791 1f94 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.142408710222043
Encrypted:	false
SSDEEP:	6:Or3+q2P923oH+Tcwt7Uh2ghZIFUt8sh5Zmw+VVkwO923oH+Tcwt7Uh2gnLJ:OrOv4YebIhHh2FUt8g/+b5LYebIhHLJ
MD5:	9C11B262C2983FB89A282D8235BD0317
SHA1:	FB0F42D05892F901800706199B7EBCEABFD36CDA
SHA-256:	88BA3427322D0887721C0E28F151B146BC3292A926AD21898AE412F2209115D3
SHA-512:	E6362583CC76B0F4DD6A52CAA096F622D89F7FBEC30E400ED86B06EB8955164C5E41D3A945833EB6C4E54A496799F0257E8AD02F3C79B7F344A31B62782BB2E7
Malicious:	false
Preview:	2024/08/30-12:31:13.651 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/30-12:31:13.652 22d8 Recovering log #3.2024/08/30-12:31:13.655 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.142408710222043
Encrypted:	false
SSDEEP:	6:Or3+q2P923oH+Tcwt7Uh2ghZIFUt8sh5Zmw+VVkwO923oH+Tcwt7Uh2gnLJ:OrOv4YebIhHh2FUt8g/+b5LYebIhHLJ
MD5:	9C11B262C2983FB89A282D8235BD0317
SHA1:	FB0F42D05892F901800706199B7EBCEABFD36CDA
SHA-256:	88BA3427322D0887721C0E28F151B146BC3292A926AD21898AE412F2209115D3
SHA-512:	E6362583CC76B0F4DD6A52CAA096F622D89F7FBEC30E400ED86B06EB8955164C5E41D3A945833EB6C4E54A496799F0257E8AD02F3C79B7F344A31B62782BB2E7
Malicious:	false
Preview:	2024/08/30-12:31:13.651 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/30-12:31:13.652 22d8 Recovering log #3.2024/08/30-12:31:13.655 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF372ef.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.142408710222043
Encrypted:	false
SSDEEP:	6:Or3+q2P923oH+Tcwt7Uh2ghZIFUt8sh5Zmw+VVkwO923oH+Tcwt7Uh2gnLJ:OrOv4YebIhHh2FUt8g/+b5LYebIhHLJ
MD5:	9C11B262C2983FB89A282D8235BD0317
SHA1:	FB0F42D05892F901800706199B7EBCEABFD36CDA
SHA-256:	88BA3427322D0887721C0E28F151B146BC3292A926AD21898AE412F2209115D3
SHA-512:	E6362583CC76B0F4DD6A52CAA096F622D89F7FBEC30E400ED86B06EB8955164C5E41D3A945833EB6C4E54A496799F0257E8AD02F3C79B7F344A31B62782BB2E7
Malicious:	false
Preview:	2024/08/30-12:31:13.651 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/08/30-12:31:13.652 22d8 Recovering log #3.2024/08/30-12:31:13.655 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.202613321147397
Encrypted:	false
SSDEEP:	12:KMyL+v4YebvqBZFUt8XRW/+jLV5LYebvqBaJ:KQ4Yebvyg8XRLYebvL
MD5:	E73E512E3B84643E3B4942655141A7F0
SHA1:	DB0EB2C5C9D60D05371341B9CA7C4493384A7646
SHA-256:	D522436226D44BFA1D8AC3BA74A62F251DF899253679826F70A94BB902ADD2ED
SHA-512:	F8B9CCE2B31B7A838767BA97AC36E6851ABEA9424609234BC18A5326B8742CF81938A315C7F85A9B6E837FC91F42CC70A83DE249F7AD8E517D4C6CEED10C09C7
Malicious:	false
Preview:	2024/08/30-12:31:14.782 1e3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/08/30-12:31:14.787 1e3c Recovering log #3.2024/08/30-12:31:14.812 1e3c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.202613321147397
Encrypted:	false
SSDEEP:	12:KMyL+v4YebvqBZFUt8XRW/+jLV5LYebvqBaJ:KQ4Yebvyg8XRLYebvL
MD5:	E73E512E3B84643E3B4942655141A7F0
SHA1:	DB0EB2C5C9D60D05371341B9CA7C4493384A7646
SHA-256:	D522436226D44BFA1D8AC3BA74A62F251DF899253679826F70A94BB902ADD2ED
SHA-512:	F8B9CCE2B31B7A838767BA97AC36E6851ABEA9424609234BC18A5326B8742CF81938A315C7F85A9B6E837FC91F42CC70A83DE249F7AD8E517D4C6CEED10C09C7
Malicious:	false
Preview:	2024/08/30-12:31:14.782 1e3c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/08/30-12:31:14.787 1e3c Recovering log #3.2024/08/30-12:31:14.812 1e3c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.176908766947772
Encrypted:	false
SSDEEP:	6:5BA0Qyq2P923oH+TcwtpIFUt88oG1Zmw+8n3QRkwO923oH+Tcwta/WLJ:4yv4YebmFUt8o/+VR5LYebaUJ
MD5:	C1F50DA9FAE6FD8CC2FBF6A0FDF330C8
SHA1:	E6A774C56DECCB89578F9D64D78321FBA4AD223E
SHA-256:	C1D16978F9F7284EF22F8D8AB5AE07C198325E31F2396686B529D0D4988A673E
SHA-512:	F15F0DDEF5FE06402BAB3BAE9D6E882EF5BA42334146BE26F117829FDEB06E5D8D1FFB9AD4517FF01B3588046B0E82728A6169071757C85499C472445BA5BEF2
Malicious:	false
Preview:	2024/08/30-12:31:13.748 22e4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/30-12:31:13.763 22e4 Recovering log #3.2024/08/30-12:31:13.764 22e4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.176908766947772
Encrypted:	false
SSDEEP:	6:5BA0Qyq2P923oH+TcwtpIFUt88oG1Zmw+8n3QRkwO923oH+Tcwta/WLJ:4yv4YebmFUt8o/+VR5LYebaUJ
MD5:	C1F50DA9FAE6FD8CC2FBF6A0FDF330C8
SHA1:	E6A774C56DECCB89578F9D64D78321FBA4AD223E
SHA-256:	C1D16978F9F7284EF22F8D8AB5AE07C198325E31F2396686B529D0D4988A673E
SHA-512:	F15F0DDEF5FE06402BAB3BAE9D6E882EF5BA42334146BE26F117829FDEB06E5D8D1FFB9AD4517FF01B3588046B0E82728A6169071757C85499C472445BA5BEF2
Malicious:	false
Preview:	2024/08/30-12:31:13.748 22e4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/30-12:31:13.763 22e4 Recovering log #3.2024/08/30-12:31:13.764 22e4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF372c0.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.176908766947772
Encrypted:	false
SSDEEP:	6:5BA0Qyq2P923oH+TcwtpIFUt88oG1Zmw+8n3QRkwO923oH+Tcwta/WLJ:4yv4YebmFUt8o/+VR5LYebaUJ
MD5:	C1F50DA9FAE6FD8CC2FBF6A0FDF330C8
SHA1:	E6A774C56DECCB89578F9D64D78321FBA4AD223E
SHA-256:	C1D16978F9F7284EF22F8D8AB5AE07C198325E31F2396686B529D0D4988A673E
SHA-512:	F15F0DDEF5FE06402BAB3BAE9D6E882EF5BA42334146BE26F117829FDEB06E5D8D1FFB9AD4517FF01B3588046B0E82728A6169071757C85499C472445BA5BEF2
Malicious:	false
Preview:	2024/08/30-12:31:13.748 22e4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/08/30-12:31:13.763 22e4 Recovering log #3.2024/08/30-12:31:13.764 22e4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1222194896745246
Encrypted:	false
SSDEEP:	384:b2qOB1nxCkCSAELyKOMq+8yC8F/YfU5m+OlT:Kq+n0d9ELyKOMq+8y9/Ow
MD5:	46402DE7C4682D984F5F8ED3D63A997B
SHA1:	E5FEA0C17F910CA2CDD6A45F46E8E9EC36F67547
SHA-256:	0F4B9C8BFB9941407FBB3CAC5FA531BC76EE1E5A993DA903B2A617E3DB79E668
SHA-512:	E9C550AD1B15D3C8AD7D715AC3444A0A1EF558A1E02EE4BB0B70B9B9DF1E101EE10B765DCCC0C5575AA7539515D97214A9FF2F2A7EB4B93EE3F0F86FB8525375
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\a19d140e-6d68-4157-b377-f8ff095ba909.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.092535003094333
Encrypted:	false
SSDEEP:	192:stU4swx8CZihnkDsY8bV+FiA66WbKaFIMYgbLMJ:stU4swx8xhTbGix6WbKaTYP
MD5:	02B5A6CA0ACD31E96406FCB419560BD7
SHA1:	FCC86EA3C01A413C0BAA3C1756687B4666FA43C3
SHA-256:	9718F6ACB7259C1D981173A52CEACC86FD7C87873D66E633BA1609454F31080D
SHA-512:	F4CF376501DBBA231C02294F8812FEBFE59CF611601211DF96FF0CD34E5FCC243A51E4E646868BB19459B6579C0357511EF24A5821C7B97C3648C6089D6C905C
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369509073894998","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369509073887086"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\a97956b2-e494-4236-ba73-e37a3b9fab33.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\b5feb3cf-374e-4035-8983-949a3da217cb.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4108834313259155
Encrypted:	false
SSDEEP:	24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8e+ZcI5fc:TnUYVAKAFXX+CcEc
MD5:	8593795778EA3EC8221366AA2FBBA867
SHA1:	2F307D4925183EA13E7BE637CB93ECAF2BA9810A
SHA-256:	F3C17873660988454A5A403D047FCE88379D1FE8917A89C98E6EB940F8929C03
SHA-512:	CC86DD61ACEDA6F2927C4C23CBD6D426F2C8CD1DF65E342C76D07153ACBF801F9B297F8EF182097CBABBDE6A49C90AF0E7A38E49AB53DF3FD2EC2D5BC675099A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049731726990245535
Encrypted:	false
SSDEEP:	6:Gd0JAmu8jH0JAmu8rtCL9XCChslotGLNl0ml/XoQDeX:zJXsJXQpEjVl/XoQ
MD5:	C54B3D1870E84B11D259971CBC7B34F7
SHA1:	5F3D7D108711BA075CC8DFD4A079363B4F36DADB
SHA-256:	AC3A97348BF70C13B6BA0618708EE0F39FCA5644BAC0D2CD12CD9B5647D18F15
SHA-512:	4A0033E46E0309DC121922D795DC011FF830BA85FA02681A80C1FC1F145820526C328980034B21F20DFE4F83FA15F8D9D7FBB6F85024A614021E73AD24CFEFAD
Malicious:	false
Preview:	..-.....................:Db.W.v..4..}..tT...l...-.....................:Db.W.v..4..}..tT...l.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.159389509110435
Encrypted:	false
SSDEEP:	6:3/lL+q2P923oH+TcwtfrK+IFUt8yaXZmw+ya3VkwO923oH+TcwtfrUeLJ:3/lyv4Yeb23FUt8yq/+yW5LYeb3J
MD5:	0DD0FD7A8D5A6F958ABAFA63A6E4F6F5
SHA1:	360F65463EA0CC725AADDF4FD73615613C7D1E9F
SHA-256:	BD174F042E1A583D453A2B6D8739B8B64BAC915D73266BBF78B8BFE08BF87530
SHA-512:	A036618F2EA1EFF07D0220D56B4B2DEFFEA58FB8B0E8030BA0E21663C5C2CB075DC8C8C653EB10431C89D4958716CB8BCBC1CF7240DDF6C7A3B11DD7AD0A0967
Malicious:	false
Preview:	2024/08/30-12:31:13.900 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/30-12:31:13.901 22d8 Recovering log #3.2024/08/30-12:31:13.901 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.159389509110435
Encrypted:	false
SSDEEP:	6:3/lL+q2P923oH+TcwtfrK+IFUt8yaXZmw+ya3VkwO923oH+TcwtfrUeLJ:3/lyv4Yeb23FUt8yq/+yW5LYeb3J
MD5:	0DD0FD7A8D5A6F958ABAFA63A6E4F6F5
SHA1:	360F65463EA0CC725AADDF4FD73615613C7D1E9F
SHA-256:	BD174F042E1A583D453A2B6D8739B8B64BAC915D73266BBF78B8BFE08BF87530
SHA-512:	A036618F2EA1EFF07D0220D56B4B2DEFFEA58FB8B0E8030BA0E21663C5C2CB075DC8C8C653EB10431C89D4958716CB8BCBC1CF7240DDF6C7A3B11DD7AD0A0967
Malicious:	false
Preview:	2024/08/30-12:31:13.900 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/30-12:31:13.901 22d8 Recovering log #3.2024/08/30-12:31:13.901 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old~RF3734d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.159389509110435
Encrypted:	false
SSDEEP:	6:3/lL+q2P923oH+TcwtfrK+IFUt8yaXZmw+ya3VkwO923oH+TcwtfrUeLJ:3/lyv4Yeb23FUt8yq/+yW5LYeb3J
MD5:	0DD0FD7A8D5A6F958ABAFA63A6E4F6F5
SHA1:	360F65463EA0CC725AADDF4FD73615613C7D1E9F
SHA-256:	BD174F042E1A583D453A2B6D8739B8B64BAC915D73266BBF78B8BFE08BF87530
SHA-512:	A036618F2EA1EFF07D0220D56B4B2DEFFEA58FB8B0E8030BA0E21663C5C2CB075DC8C8C653EB10431C89D4958716CB8BCBC1CF7240DDF6C7A3B11DD7AD0A0967
Malicious:	false
Preview:	2024/08/30-12:31:13.900 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/08/30-12:31:13.901 22d8 Recovering log #3.2024/08/30-12:31:13.901 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	787
Entropy (8bit):	4.059252238767438
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Uz0RuWlJhC+lvBavRtin01zvZDEtlkyBrgxvB1ys:G0nYUtypD3RUovhC+lvBOL+t3IvB8s
MD5:	D8D8899761F621B63AD5ED6DF46D22FE
SHA1:	23E6A39058AB3C1DEADC0AF2E0FFD0D84BB7F1BE
SHA-256:	A5E0A78EE981FB767509F26021E1FA3C506F4E86860946CAC1DC4107EB3B3813
SHA-512:	4F89F556138C0CF24D3D890717EB82067C5269063C84229E93F203A22028782902FA48FB0154F53E06339F2FDBE35A985CE728235EA429D8D157090D25F15A4E
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J\|.................37_...... .A.................38_..........................39_........].................20_.....Owa..................20_.....`..N.................19_.....D8.X.................18_......`...................37_..........................38_......\e..................39_.....dz.\|.................9_.....'\c..................9_.......f-.................__global... .\|.&R.................__global... ./....................__global... ..T...................__global... ...G..................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.1782326403754615
Encrypted:	false
SSDEEP:	6:WtXBt+q2P923oH+TcwtfrzAdIFUt8YXrZmw+YX7VkwO923oH+TcwtfrzILJ:Wlyv4Yeb9FUt86r/+6h5LYeb2J
MD5:	EE80D72E45E5F74AA3F023A6D8500237
SHA1:	EA5F93BD269C5C49AB4AC0821FA7F50E4522DFFC
SHA-256:	4F31479C7AD98DE4DE871D5CF8B0E58037BB2B49797406418CE8969922FB305D
SHA-512:	571D08E0FA1153EE40B7CD3F8D0FA54A5A70FA750A67351C389BDAFBAD3CC971473BD39BDA020CCD0DA61397B903A22A0912A9796100577786DA62F890FA3AAB
Malicious:	false
Preview:	2024/08/30-12:31:13.897 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/30-12:31:13.898 22d8 Recovering log #3.2024/08/30-12:31:13.898 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.1782326403754615
Encrypted:	false
SSDEEP:	6:WtXBt+q2P923oH+TcwtfrzAdIFUt8YXrZmw+YX7VkwO923oH+TcwtfrzILJ:Wlyv4Yeb9FUt86r/+6h5LYeb2J
MD5:	EE80D72E45E5F74AA3F023A6D8500237
SHA1:	EA5F93BD269C5C49AB4AC0821FA7F50E4522DFFC
SHA-256:	4F31479C7AD98DE4DE871D5CF8B0E58037BB2B49797406418CE8969922FB305D
SHA-512:	571D08E0FA1153EE40B7CD3F8D0FA54A5A70FA750A67351C389BDAFBAD3CC971473BD39BDA020CCD0DA61397B903A22A0912A9796100577786DA62F890FA3AAB
Malicious:	false
Preview:	2024/08/30-12:31:13.897 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/30-12:31:13.898 22d8 Recovering log #3.2024/08/30-12:31:13.898 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old~RF3734d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.1782326403754615
Encrypted:	false
SSDEEP:	6:WtXBt+q2P923oH+TcwtfrzAdIFUt8YXrZmw+YX7VkwO923oH+TcwtfrzILJ:Wlyv4Yeb9FUt86r/+6h5LYeb2J
MD5:	EE80D72E45E5F74AA3F023A6D8500237
SHA1:	EA5F93BD269C5C49AB4AC0821FA7F50E4522DFFC
SHA-256:	4F31479C7AD98DE4DE871D5CF8B0E58037BB2B49797406418CE8969922FB305D
SHA-512:	571D08E0FA1153EE40B7CD3F8D0FA54A5A70FA750A67351C389BDAFBAD3CC971473BD39BDA020CCD0DA61397B903A22A0912A9796100577786DA62F890FA3AAB
Malicious:	false
Preview:	2024/08/30-12:31:13.897 22d8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/08/30-12:31:13.898 22d8 Recovering log #3.2024/08/30-12:31:13.898 22d8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE+:/M/xT02zj
MD5:	4473CF2BD940249F8A7B9ED52D022E96
SHA1:	68BABEE9AC9DC4BA627BB0D00FD5C30F0A4D0EFE
SHA-256:	2FABC4E16F66F9031EA8777D41FF5BF93FDF69F5A3ACE67787BC2A67601D6B2F
SHA-512:	452707E18132933A22E0B5138E9A346D4A010E80C8B4DB5960FC4B3DCEE179A5B1977624BE0FAAD6EF5DEBE3CA2B41DC36F080906C790423A4007462117A7BE9
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE+1:/M/xT02z9
MD5:	D9E3718F09622C49E19FC2FB745FAA72
SHA1:	4FC32FEC369062C71166FC739AAA0F0223C6B719
SHA-256:	9D575079A8BCDBCD9C5E73E49C3EB2CB76A7A35109BA52A7B4AEA8E52FAADE1F
SHA-512:	C539E2A7B18CD78C4A632791AD9962D00E25A9E774FF7E8C636694ED117C26DAC9A98CBC8B35886BF353CC88D3F222F2050E90BF071D755A9EC14BC844C5165B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090736124130403
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMWwuF9hDO6vP6O+v3tbzy70FqHoPFkGoup1Xl3j0:z/Ps+wsI7ynEg6E3tbz8hu3VlXr4CRo1
MD5:	8430DD81FF5E7E7B45BA224A045602DA
SHA1:	1491E1357710300B6B0BC831FD2FA2F70E479BE4
SHA-256:	A207FC37A34B51E34D9858B3857AE1FF968F2C8F72972E7C27DF20AE9286C60C
SHA-512:	A4634D7CF3923365A39F2837915E09242A20CA265A1C5AAE6E15B3722BC90336749D01622B3A5952F5D2341FF493D731E6F4E044573ECB7FBABA0A9F6F693EDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35584.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090736124130403
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMWwuF9hDO6vP6O+v3tbzy70FqHoPFkGoup1Xl3j0:z/Ps+wsI7ynEg6E3tbz8hu3VlXr4CRo1
MD5:	8430DD81FF5E7E7B45BA224A045602DA
SHA1:	1491E1357710300B6B0BC831FD2FA2F70E479BE4
SHA-256:	A207FC37A34B51E34D9858B3857AE1FF968F2C8F72972E7C27DF20AE9286C60C
SHA-512:	A4634D7CF3923365A39F2837915E09242A20CA265A1C5AAE6E15B3722BC90336749D01622B3A5952F5D2341FF493D731E6F4E044573ECB7FBABA0A9F6F693EDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF356eb.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090736124130403
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMWwuF9hDO6vP6O+v3tbzy70FqHoPFkGoup1Xl3j0:z/Ps+wsI7ynEg6E3tbz8hu3VlXr4CRo1
MD5:	8430DD81FF5E7E7B45BA224A045602DA
SHA1:	1491E1357710300B6B0BC831FD2FA2F70E479BE4
SHA-256:	A207FC37A34B51E34D9858B3857AE1FF968F2C8F72972E7C27DF20AE9286C60C
SHA-512:	A4634D7CF3923365A39F2837915E09242A20CA265A1C5AAE6E15B3722BC90336749D01622B3A5952F5D2341FF493D731E6F4E044573ECB7FBABA0A9F6F693EDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF3591d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090736124130403
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMWwuF9hDO6vP6O+v3tbzy70FqHoPFkGoup1Xl3j0:z/Ps+wsI7ynEg6E3tbz8hu3VlXr4CRo1
MD5:	8430DD81FF5E7E7B45BA224A045602DA
SHA1:	1491E1357710300B6B0BC831FD2FA2F70E479BE4
SHA-256:	A207FC37A34B51E34D9858B3857AE1FF968F2C8F72972E7C27DF20AE9286C60C
SHA-512:	A4634D7CF3923365A39F2837915E09242A20CA265A1C5AAE6E15B3722BC90336749D01622B3A5952F5D2341FF493D731E6F4E044573ECB7FBABA0A9F6F693EDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF3731e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090736124130403
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMWwuF9hDO6vP6O+v3tbzy70FqHoPFkGoup1Xl3j0:z/Ps+wsI7ynEg6E3tbz8hu3VlXr4CRo1
MD5:	8430DD81FF5E7E7B45BA224A045602DA
SHA1:	1491E1357710300B6B0BC831FD2FA2F70E479BE4
SHA-256:	A207FC37A34B51E34D9858B3857AE1FF968F2C8F72972E7C27DF20AE9286C60C
SHA-512:	A4634D7CF3923365A39F2837915E09242A20CA265A1C5AAE6E15B3722BC90336749D01622B3A5952F5D2341FF493D731E6F4E044573ECB7FBABA0A9F6F693EDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF3737b.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090736124130403
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMWwuF9hDO6vP6O+v3tbzy70FqHoPFkGoup1Xl3j0:z/Ps+wsI7ynEg6E3tbz8hu3VlXr4CRo1
MD5:	8430DD81FF5E7E7B45BA224A045602DA
SHA1:	1491E1357710300B6B0BC831FD2FA2F70E479BE4
SHA-256:	A207FC37A34B51E34D9858B3857AE1FF968F2C8F72972E7C27DF20AE9286C60C
SHA-512:	A4634D7CF3923365A39F2837915E09242A20CA265A1C5AAE6E15B3722BC90336749D01622B3A5952F5D2341FF493D731E6F4E044573ECB7FBABA0A9F6F693EDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF373aa.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090736124130403
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMWwuF9hDO6vP6O+v3tbzy70FqHoPFkGoup1Xl3j0:z/Ps+wsI7ynEg6E3tbz8hu3VlXr4CRo1
MD5:	8430DD81FF5E7E7B45BA224A045602DA
SHA1:	1491E1357710300B6B0BC831FD2FA2F70E479BE4
SHA-256:	A207FC37A34B51E34D9858B3857AE1FF968F2C8F72972E7C27DF20AE9286C60C
SHA-512:	A4634D7CF3923365A39F2837915E09242A20CA265A1C5AAE6E15B3722BC90336749D01622B3A5952F5D2341FF493D731E6F4E044573ECB7FBABA0A9F6F693EDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zET:/M/xT02z8
MD5:	AC81EF9540AC3DDCC4546B82AC3801BD
SHA1:	1AC27855FABFA8AF62752DA91E2A6EADC815CBBC
SHA-256:	4A2C8BA05BE86A2182B9BCC9AEC916588CC9502F4F505CD79991AF8326EC11E4
SHA-512:	D27635D446F0AEA20E138F96BEDEDF118CCF0BC8560CB2E11AB0AACE9D320E989164E2971DAB20571A9B6D9A1B4A52CAAF78084D2141372D77516F52ABD222AB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
MD5:	265DB1C9337422F9AF69EF2B4E1C7205
SHA1:	3E38976BB5CF035C75C9BC185F72A80E70F41C2E
SHA-256:	7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
SHA-512:	3CC9B76D8D4B6EDB4C41677BE3483AC37785F3BBFEA4489F3855433EBF84EA25FC48EFEE9B74CAB268DC9CB7FB4789A81C94E75C7BF723721DE28AEF53D8B529
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\fc89c38f-9c47-4be1-b375-ce48ce7faf89.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.090736124130403
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMWwuF9hDO6vP6O+v3tbzy70FqHoPFkGoup1Xl3j0:z/Ps+wsI7ynEg6E3tbz8hu3VlXr4CRo1
MD5:	8430DD81FF5E7E7B45BA224A045602DA
SHA1:	1491E1357710300B6B0BC831FD2FA2F70E479BE4
SHA-256:	A207FC37A34B51E34D9858B3857AE1FF968F2C8F72972E7C27DF20AE9286C60C
SHA-512:	A4634D7CF3923365A39F2837915E09242A20CA265A1C5AAE6E15B3722BC90336749D01622B3A5952F5D2341FF493D731E6F4E044573ECB7FBABA0A9F6F693EDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.860085226025036
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxVxl9Il8umvmk7aHcneev0sh5f1+1GCvMtd1rc:mAYxQaHcneG0sff1YdvM2
MD5:	826078A7426A142EEEE6B23E9861807E
SHA1:	87B3D138E753633DDB3C2D8C9D0B164E63299218
SHA-256:	D7154B188357FF832170A999CD1A516DCB62C9E3C9CD139E7395573043D03A91
SHA-512:	C0556E62862DFF9B74E0AF26F386AB723C6B8507FC00AD0C7AAFF4C8A13760874352CCAA792E22E775E4621D9B352BE8DE5F378E2634DF6062D554E71684B5E2
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.D.j.K.Y.Q.L.7.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.p.1.p.n.T.j.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	3.995191871524967
Encrypted:	false
SSDEEP:	96:DYxN7kvsaBORx7sy0fiWRwbcB6uohv7jNgwa4hyUD:D84VwxggWWcBkZlgwaUD
MD5:	7B54A2B6B208D0EEF5B7CDE5356F0B0F
SHA1:	B24C006178180BB3D9761D4ED4FADBC985D007FD
SHA-256:	29CE04B439FBEF0B8856A1F7B34210E0BFB868D35F7C41011E3416B19E06D736
SHA-512:	C3E09133C07395BDCB8471B32749E277586DED186C75751DD5CA899FB74E38653D4601349CBE850E090D78FA5F056F12F5C4E0FB71D6DB3CC742E91074DC771D
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".M.E.m.u.R./.r.6.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.p.1.p.n.T.j.

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1880
Entropy (8bit):	5.397993376191371
Encrypted:	false
SSDEEP:	48:Yzj57SnaJ57H57Uv5W1Sj5W175zuR5z+5zn071eDJk5c1903bj5jJp0gcU854RrS:8e2Fa116uCntc5toYHy
MD5:	71768CC3A488E810E0719B690EA09EFA
SHA1:	09F482382D8CF53F5DADBD7F1A87F96CFBA51F74
SHA-256:	A6456C3D88173B92C4AC693C28A866E16BFD30AC147644599131C37721DF7189
SHA-512:	DAC230DED3F10E2B4AD2A4E32E9D698D84A8A0629917CBF5A0FECE0589511600F0C249752F1E18C4F23088BBB1FF28830607A6300B4E03598582E6E83DDDC7E5
Malicious:	false
Preview:	{"logTime": "1004/133448", "correlationVector":"vYS73lRT+EoO2Owh9jsc+Y","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"n/KhuHPhHmYXokB31+JZz7","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"fclQx26bUZO07waFEDe6Fn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"0757l0tkKt37vNrdCKAm8w","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"uTRRkmbbqkgK/wPBCS4fct","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"2DrXipL1ngF91RN7IemK0e","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"d0GyjEgnW85fvDIojHVIXI","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"PvfzGWRutB/kmuXUK+c8XA","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"29CB75FBC4C942E0817A1F7A0E2CF647

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2Z95E5YMJ97QGFBH37S4.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5115506811535817
Encrypted:	false
SSDEEP:	48:/EJ8dOr+i++sJfr7zBdLXuHJkDpZ2AhCdOr+x+sJfr7zngdLXuHJk+21:MC3upkDS1nIupkz
MD5:	8CB2B23F807BC4A82BD79A7276BF9F4E
SHA1:	70C8A6E11DF20C317200B820141D193CA7B6B93F
SHA-256:	27902059060E01F95C452DFAD868AF215982A993B944A289C8358662AE60D07E
SHA-512:	C383A8FF3FB1E9D9C811F78B0BA9DD3DF4568626AD24185930DFA4E9CD771F0A2CD4F40FCAB72EA681AA705345D10B20A18553073F172C7AA268954943EA74A1
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...}c.......?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW.r..PROGRA~2.........O.IDW.r....................V......*..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y..............................L.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...........P.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\875a60a09683c344.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5115506811535817
Encrypted:	false
SSDEEP:	48:/EJ8dOr+i++sJfr7zBdLXuHJkDpZ2AhCdOr+x+sJfr7zngdLXuHJk+21:MC3upkDS1nIupkz
MD5:	8CB2B23F807BC4A82BD79A7276BF9F4E
SHA1:	70C8A6E11DF20C317200B820141D193CA7B6B93F
SHA-256:	27902059060E01F95C452DFAD868AF215982A993B944A289C8358662AE60D07E
SHA-512:	C383A8FF3FB1E9D9C811F78B0BA9DD3DF4568626AD24185930DFA4E9CD771F0A2CD4F40FCAB72EA681AA705345D10B20A18553073F172C7AA268954943EA74A1
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...}c.......?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW.r..PROGRA~2.........O.IDW.r....................V......*..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y..............................L.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...........P.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C7Y596NXYL16065314E2.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.511617834434232
Encrypted:	false
SSDEEP:	48:/EhCdOr+x+sJfr7zBdLXuHJkDpZ2AhCdOr+x+sJfr7zngdLXuHJk+21:53upkDS1nIupkz
MD5:	BD912878E63A39E96FBAF1E18A82684E
SHA1:	3075096BE3969D4D59309E7636C493A3C352C14D
SHA-256:	D7A9051C2C33FD9A65BFF7CFBEAD6FE00582735728BD9B658CDA491D88F18D0C
SHA-512:	A5C8814719CC31848993C9727B6BEF74DBED5656C165DE32CC70B4061251881194C2558355A8EEB6D480AD0DD678C96F1A4B3797A7C1859BD37AA823DFE0C349
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...}c.......?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Y...PROGRA~2.........O.I.Y.....................V.....=...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y..............................L.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Y............................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...........P.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.511617834434232
Encrypted:	false
SSDEEP:	48:/EhCdOr+x+sJfr7zBdLXuHJkDpZ2AhCdOr+x+sJfr7zngdLXuHJk+21:53upkDS1nIupkz
MD5:	BD912878E63A39E96FBAF1E18A82684E
SHA1:	3075096BE3969D4D59309E7636C493A3C352C14D
SHA-256:	D7A9051C2C33FD9A65BFF7CFBEAD6FE00582735728BD9B658CDA491D88F18D0C
SHA-512:	A5C8814719CC31848993C9727B6BEF74DBED5656C165DE32CC70B4061251881194C2558355A8EEB6D480AD0DD678C96F1A4B3797A7C1859BD37AA823DFE0C349
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...}c.......?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1......Y...PROGRA~2.........O.I.Y.....................V.....=...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux..Y..............................L.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8..Y............................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8..Y...............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8..Y.....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j...........P.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579761068014417
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	b6561154e0d9d0aa82b41feaacc09fc6
SHA1:	b9bbc9cefde409c16aeb4d3d2f958ae87cbd0972
SHA256:	245a43088a2febf9d3b3b0e9f0825518f0df6ee5330627b73dbc5a3c8a371bbb
SHA512:	44f1629d39eb7d2ea4eb53b927ddff4345e135a640adb990fd991de3faa7b01a47434d023889c59e050292f3cd22070d078a236f66fb7719bd9ea360d71f945d
SSDEEP:	12288:xqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTe:xqDEvCTbMWu7rQYlBQcBiT6rprG8ase
TLSH:	DD159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D1F18A [Fri Aug 30 16:21:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3E18E93353h
jmp 00007F3E18E92C5Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3E18E92E3Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3E18E92E0Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3E18E959FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3E18E95A48h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3E18E95A31h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95c8	0x9600	ad35265d428a3e0a08f54a9210e4b54c	False	0.28692708333333333	data	5.165871954074645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x890	data			1.0050182481751824
RT_GROUP_ICON	0xdd048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 18:30:54.851839066 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:30:54.851840019 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:30:55.039196014 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:03.779664040 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:03.779704094 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:03.779781103 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:03.781501055 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:03.781512976 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.418056011 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.418128967 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:04.421375990 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:04.421384096 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.421776056 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.482944965 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:04.528496027 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.532604933 CEST	49675	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:04.582235098 CEST	49674	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:04.689094067 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.689142942 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.689224958 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:04.689483881 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:04.689497948 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.689513922 CEST	49716	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:04.689519882 CEST	443	49716	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.706175089 CEST	49673	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:04.737206936 CEST	49723	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:04.737225056 CEST	443	49723	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.737301111 CEST	49723	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:04.737638950 CEST	49723	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:04.737648964 CEST	443	49723	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:04.755650043 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:04.755681038 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:04.755780935 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:04.757097006 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:04.757111073 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:04.763600111 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:04.763622046 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:04.763739109 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:04.763851881 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:04.763864994 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.403613091 CEST	443	49723	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:05.403706074 CEST	49723	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:05.411174059 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.426017046 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.426038027 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.426810026 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.427088976 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.427151918 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.427256107 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.427263975 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.428278923 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.428330898 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.428972960 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.429053068 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.429081917 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.429145098 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.429790974 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.429800034 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.431118965 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.431126118 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.484489918 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.517046928 CEST	49723	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:05.517062902 CEST	443	49723	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:05.517370939 CEST	443	49723	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:05.519366026 CEST	49723	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:05.528846025 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.528862000 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.528911114 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.528930902 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.528939962 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.528975964 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.531343937 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.531363010 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.531369925 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.531395912 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.531410933 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.531419992 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.531430960 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.531436920 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.531451941 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.531482935 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.531486034 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.531531096 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.564510107 CEST	443	49723	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:05.615349054 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.615358114 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.615371943 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.615391016 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.615406990 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.615431070 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.615447044 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.616842985 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.616851091 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.616873026 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.616883039 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.616894007 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.616899967 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.616905928 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.616915941 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.616919041 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.616930962 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.616957903 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.675285101 CEST	49725	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.675299883 CEST	443	49725	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.700865030 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.700877905 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.700913906 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.700932026 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.700948000 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.700968981 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.700977087 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.700994015 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.701016903 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.701023102 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.701087952 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.701816082 CEST	49724	443	192.168.2.5	13.107.246.57
Aug 30, 2024 18:31:05.701829910 CEST	443	49724	13.107.246.57	192.168.2.5
Aug 30, 2024 18:31:05.704986095 CEST	443	49723	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:05.705035925 CEST	443	49723	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:05.705147028 CEST	49723	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:05.759393930 CEST	49723	443	192.168.2.5	184.28.90.27
Aug 30, 2024 18:31:05.759409904 CEST	443	49723	184.28.90.27	192.168.2.5
Aug 30, 2024 18:31:05.875046015 CEST	49726	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.875071049 CEST	443	49726	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:05.875183105 CEST	49726	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.875463009 CEST	49726	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.875475883 CEST	443	49726	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:05.875965118 CEST	49727	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.875994921 CEST	443	49727	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:05.876151085 CEST	49727	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.876404047 CEST	49727	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.876416922 CEST	443	49727	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:05.876811981 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.876840115 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:05.877034903 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.877062082 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:05.877077103 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.877155066 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.877367020 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.877377033 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:05.877567053 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:05.877578020 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.077775955 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 30, 2024 18:31:06.077800989 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 30, 2024 18:31:06.078078985 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 30, 2024 18:31:06.079694033 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 30, 2024 18:31:06.079711914 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 30, 2024 18:31:06.329341888 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 30, 2024 18:31:06.329425097 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:06.338309050 CEST	443	49726	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.338531971 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.338738918 CEST	49726	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.338768005 CEST	443	49726	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.339293003 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.339303017 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.339776993 CEST	443	49726	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.339840889 CEST	49726	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.340790987 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.340846062 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.341339111 CEST	443	49727	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.341779947 CEST	49726	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.341851950 CEST	443	49726	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.342350960 CEST	49727	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.342370033 CEST	443	49727	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.342458963 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.342514038 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.342870951 CEST	49726	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.342884064 CEST	443	49726	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.342952013 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.342959881 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.343467951 CEST	443	49727	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.343533993 CEST	49727	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.345771074 CEST	49727	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.345848083 CEST	443	49727	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.346229076 CEST	49727	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.346235991 CEST	443	49727	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.352735043 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.352963924 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.352977991 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.354015112 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.354077101 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.354969978 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.355029106 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.355252981 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.355258942 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.399770021 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.399787903 CEST	49727	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.450098991 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.450155973 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.450241089 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.450480938 CEST	49728	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.450493097 CEST	443	49728	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.451268911 CEST	443	49726	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.451350927 CEST	49726	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.451472044 CEST	49726	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.451494932 CEST	443	49726	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.467431068 CEST	443	49727	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.467502117 CEST	443	49727	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.467554092 CEST	49727	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.467780113 CEST	49727	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.467794895 CEST	443	49727	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.483906984 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.485403061 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.485460997 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.485548973 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.486099958 CEST	49729	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:06.486109972 CEST	443	49729	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:06.531142950 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 30, 2024 18:31:06.532244921 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 30, 2024 18:31:06.532253981 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 30, 2024 18:31:06.533505917 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 30, 2024 18:31:06.533561945 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 30, 2024 18:31:06.534657001 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 30, 2024 18:31:06.534737110 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 30, 2024 18:31:06.534938097 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 30, 2024 18:31:06.534945011 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 30, 2024 18:31:06.670109034 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 30, 2024 18:31:06.670160055 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 30, 2024 18:31:06.670319080 CEST	49732	443	192.168.2.5	172.64.41.3
Aug 30, 2024 18:31:06.670330048 CEST	443	49732	172.64.41.3	192.168.2.5
Aug 30, 2024 18:31:07.972995996 CEST	49736	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:07.973023891 CEST	443	49736	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:07.973251104 CEST	49736	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:07.973474979 CEST	49737	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:07.973493099 CEST	443	49737	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:07.973567009 CEST	49737	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:07.974214077 CEST	49736	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:07.974225998 CEST	443	49736	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:07.974375963 CEST	49737	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:07.974386930 CEST	443	49737	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.604073048 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:08.604126930 CEST	443	49738	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:08.604191065 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:08.604227066 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:08.604238987 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:08.604358912 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:08.604526043 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:08.604541063 CEST	443	49738	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:08.604679108 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:08.604695082 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:08.756846905 CEST	443	49737	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.757066965 CEST	49737	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.757078886 CEST	443	49737	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.757436037 CEST	443	49737	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.757827997 CEST	49737	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.757903099 CEST	443	49737	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.758440018 CEST	443	49736	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.758629084 CEST	49736	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.758649111 CEST	443	49736	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.758959055 CEST	443	49736	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.761152983 CEST	49736	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.761220932 CEST	443	49736	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.797769070 CEST	49737	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.812762976 CEST	49736	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.961215973 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:08.961249113 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:08.961308956 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:08.961493015 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:08.961507082 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.073627949 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.073857069 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.073868990 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.074268103 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.074338913 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.075077057 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.075136900 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.076293945 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.076359034 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.076541901 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.076551914 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.084366083 CEST	443	49738	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.084563017 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.084583998 CEST	443	49738	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.084940910 CEST	443	49738	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.085004091 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.085625887 CEST	443	49738	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.085674047 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.085832119 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.085886955 CEST	443	49738	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.086008072 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.126311064 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.126312017 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.126332998 CEST	443	49738	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.178540945 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.250403881 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.251254082 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.251306057 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.251472950 CEST	443	49739	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.251511097 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.251535892 CEST	49739	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.267571926 CEST	443	49738	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.268176079 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.268207073 CEST	443	49738	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.268269062 CEST	49738	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.454076052 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.454411983 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.454440117 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.455471992 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.455524921 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.456567049 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.456626892 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.456867933 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.500365973 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.500394106 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.547302961 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.559217930 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.559252977 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.559294939 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.559344053 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.559360027 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.559416056 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.559429884 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.559437990 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.559473038 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.559535027 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.559582949 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.559638023 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.560924053 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.560964108 CEST	443	49741	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.561089039 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.561309099 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.561321974 CEST	443	49741	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.561367989 CEST	49740	443	192.168.2.5	172.217.165.132
Aug 30, 2024 18:31:09.561383963 CEST	443	49740	172.217.165.132	192.168.2.5
Aug 30, 2024 18:31:09.578043938 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.578053951 CEST	443	49742	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.578113079 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.578272104 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.578283072 CEST	443	49742	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.022634029 CEST	443	49741	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.022926092 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.022953987 CEST	443	49741	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.023296118 CEST	443	49741	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.023375034 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.023981094 CEST	443	49741	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.024044037 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.024296999 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.024344921 CEST	443	49741	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.038135052 CEST	443	49742	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.038455963 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.038489103 CEST	443	49742	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.038868904 CEST	443	49742	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.038953066 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.039566994 CEST	443	49742	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.039633989 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.039788008 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.039849043 CEST	443	49742	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.078521013 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.078538895 CEST	443	49741	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.094122887 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.094165087 CEST	443	49742	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:10.125228882 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.140832901 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:17.454737902 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:17.454761028 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:17.454917908 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:17.456124067 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:17.456140041 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:18.228729963 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:18.228729963 CEST	49703	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:18.229135990 CEST	49746	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:18.229187965 CEST	443	49746	23.1.237.91	192.168.2.5
Aug 30, 2024 18:31:18.231795073 CEST	49746	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:18.232026100 CEST	49746	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:18.232043982 CEST	443	49746	23.1.237.91	192.168.2.5
Aug 30, 2024 18:31:18.234571934 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 30, 2024 18:31:18.234594107 CEST	443	49703	23.1.237.91	192.168.2.5
Aug 30, 2024 18:31:18.239061117 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:18.239130020 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:18.240933895 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:18.240943909 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:18.241529942 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:18.297116995 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:18.837815046 CEST	443	49746	23.1.237.91	192.168.2.5
Aug 30, 2024 18:31:18.837888002 CEST	49746	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:19.904190063 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:19.948515892 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162250042 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162280083 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162293911 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162322998 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162341118 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162353992 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162369967 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:20.162384987 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162422895 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:20.162435055 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:20.162601948 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162657976 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:20.162664890 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162776947 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.162827969 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:20.928374052 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:20.928416967 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:20.928435087 CEST	49745	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:20.928442001 CEST	443	49745	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:23.663496017 CEST	443	49737	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:23.663563013 CEST	443	49737	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:23.663732052 CEST	49737	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:23.667470932 CEST	443	49736	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:23.667548895 CEST	443	49736	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:23.667627096 CEST	49736	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:33.218223095 CEST	63125	53	192.168.2.5	162.159.36.2
Aug 30, 2024 18:31:33.223038912 CEST	53	63125	162.159.36.2	192.168.2.5
Aug 30, 2024 18:31:33.223109961 CEST	63125	53	192.168.2.5	162.159.36.2
Aug 30, 2024 18:31:33.227935076 CEST	53	63125	162.159.36.2	192.168.2.5
Aug 30, 2024 18:31:33.691226959 CEST	63125	53	192.168.2.5	162.159.36.2
Aug 30, 2024 18:31:33.697302103 CEST	53	63125	162.159.36.2	192.168.2.5
Aug 30, 2024 18:31:33.697357893 CEST	63125	53	192.168.2.5	162.159.36.2
Aug 30, 2024 18:31:33.708668947 CEST	63126	443	192.168.2.5	20.242.39.171
Aug 30, 2024 18:31:33.708714008 CEST	443	63126	20.242.39.171	192.168.2.5
Aug 30, 2024 18:31:33.708797932 CEST	63126	443	192.168.2.5	20.242.39.171
Aug 30, 2024 18:31:33.709170103 CEST	63126	443	192.168.2.5	20.242.39.171
Aug 30, 2024 18:31:33.709183931 CEST	443	63126	20.242.39.171	192.168.2.5
Aug 30, 2024 18:31:34.327888012 CEST	443	63126	20.242.39.171	192.168.2.5
Aug 30, 2024 18:31:34.327980995 CEST	63126	443	192.168.2.5	20.242.39.171
Aug 30, 2024 18:31:34.331979990 CEST	63126	443	192.168.2.5	20.242.39.171
Aug 30, 2024 18:31:34.331990957 CEST	443	63126	20.242.39.171	192.168.2.5
Aug 30, 2024 18:31:34.332228899 CEST	443	63126	20.242.39.171	192.168.2.5
Aug 30, 2024 18:31:34.340296984 CEST	63126	443	192.168.2.5	20.242.39.171
Aug 30, 2024 18:31:34.384500027 CEST	443	63126	20.242.39.171	192.168.2.5
Aug 30, 2024 18:31:34.460210085 CEST	443	63126	20.242.39.171	192.168.2.5
Aug 30, 2024 18:31:34.460289001 CEST	443	63126	20.242.39.171	192.168.2.5
Aug 30, 2024 18:31:34.460355043 CEST	63126	443	192.168.2.5	20.242.39.171
Aug 30, 2024 18:31:34.460479975 CEST	63126	443	192.168.2.5	20.242.39.171
Aug 30, 2024 18:31:34.460501909 CEST	443	63126	20.242.39.171	192.168.2.5
Aug 30, 2024 18:31:34.460530043 CEST	63126	443	192.168.2.5	20.242.39.171
Aug 30, 2024 18:31:34.460535049 CEST	443	63126	20.242.39.171	192.168.2.5
Aug 30, 2024 18:31:34.479470968 CEST	63127	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:34.479495049 CEST	443	63127	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:34.479568958 CEST	63127	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:34.479873896 CEST	63127	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:34.479883909 CEST	443	63127	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:35.267981052 CEST	443	63127	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:35.268074036 CEST	63127	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:35.269619942 CEST	63127	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:35.269632101 CEST	443	63127	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:35.269854069 CEST	443	63127	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:35.270894051 CEST	63127	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:35.316503048 CEST	443	63127	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:35.515249014 CEST	443	63127	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:35.515325069 CEST	443	63127	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:35.515444040 CEST	63127	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:35.515614986 CEST	63127	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:35.515634060 CEST	443	63127	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:35.515666962 CEST	63127	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:35.515672922 CEST	443	63127	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:36.584954977 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:36.585005045 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:36.585100889 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:36.585454941 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:36.585474968 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.390610933 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.390706062 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.414311886 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.414345980 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.414596081 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.416817904 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.460500956 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.732656956 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.732681990 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.732697010 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.732739925 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.732770920 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.732785940 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.732820034 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.732839108 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.732887030 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.732892990 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.733277082 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.733323097 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.736385107 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.736399889 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.736412048 CEST	63128	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.736417055 CEST	443	63128	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.872347116 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.872401953 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:37.872474909 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.872884035 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:37.872900009 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:38.003330946 CEST	443	49746	23.1.237.91	192.168.2.5
Aug 30, 2024 18:31:38.003432035 CEST	49746	443	192.168.2.5	23.1.237.91
Aug 30, 2024 18:31:38.663898945 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:38.663992882 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:38.665667057 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:38.665678978 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:38.665901899 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:38.666882038 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:38.708509922 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:39.004084110 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:39.004110098 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:39.004122972 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:39.004195929 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:39.004215002 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:39.004262924 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:39.005172968 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:39.005208015 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:39.005234003 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:39.005239010 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:39.005261898 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:39.005266905 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:39.005302906 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:39.007976055 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:39.007992983 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:39.008002043 CEST	63129	443	192.168.2.5	40.68.123.157
Aug 30, 2024 18:31:39.008007050 CEST	443	63129	40.68.123.157	192.168.2.5
Aug 30, 2024 18:31:55.094347000 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:55.094369888 CEST	443	49741	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:55.110023975 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:55.110032082 CEST	443	49742	142.250.65.174	192.168.2.5
Aug 30, 2024 18:32:08.673466921 CEST	49736	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:32:08.673470974 CEST	49737	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:32:08.673502922 CEST	443	49736	162.159.61.3	192.168.2.5
Aug 30, 2024 18:32:08.673506021 CEST	443	49737	162.159.61.3	192.168.2.5
Aug 30, 2024 18:32:40.109515905 CEST	49741	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:32:40.109551907 CEST	443	49741	142.250.65.174	192.168.2.5
Aug 30, 2024 18:32:40.125346899 CEST	49742	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:32:40.125359058 CEST	443	49742	142.250.65.174	192.168.2.5
Aug 30, 2024 18:32:53.686748981 CEST	49736	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:32:53.686745882 CEST	49737	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:32:53.686778069 CEST	443	49736	162.159.61.3	192.168.2.5
Aug 30, 2024 18:32:53.686779022 CEST	443	49737	162.159.61.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 30, 2024 18:31:01.790050030 CEST	53	57712	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:02.825227022 CEST	51526	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:02.825479031 CEST	54048	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:04.324454069 CEST	53	61676	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:04.327157974 CEST	53	56650	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:05.867360115 CEST	52080	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:05.867512941 CEST	57829	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:05.867902040 CEST	49776	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:05.868145943 CEST	63657	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:05.868765116 CEST	52556	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:05.869160891 CEST	54931	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:05.869532108 CEST	57204	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:05.869879007 CEST	57401	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:05.874409914 CEST	53	52080	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:05.874578953 CEST	53	57829	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:05.875286102 CEST	53	63657	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:05.875439882 CEST	53	49776	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:05.875947952 CEST	53	52556	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:05.875958920 CEST	53	54931	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:05.876606941 CEST	53	57204	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:05.876617908 CEST	53	57401	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:06.065110922 CEST	55583	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:06.065305948 CEST	62764	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:06.074264050 CEST	53	55583	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:06.074279070 CEST	53	62764	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:07.656372070 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:07.971985102 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.298285961 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.298299074 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.298310995 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.298322916 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.298835039 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.301003933 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.301341057 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.301459074 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.302095890 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.302222967 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.390420914 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.395143986 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.395200968 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.395210981 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.395219088 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.395564079 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.395564079 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.397761106 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.399553061 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.400821924 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.400983095 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.489281893 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.500694990 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.500881910 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.595653057 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.596410036 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.597305059 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.603502035 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.864160061 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.864237070 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:08.959342003 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.959963083 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.960592031 CEST	443	62477	162.159.61.3	192.168.2.5
Aug 30, 2024 18:31:08.960767031 CEST	62477	443	192.168.2.5	162.159.61.3
Aug 30, 2024 18:31:09.252829075 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.560445070 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.709930897 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.709949017 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.716610909 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.716669083 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.716684103 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.716701984 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.716972113 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.716972113 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.718422890 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.718422890 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.718980074 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.718980074 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.719126940 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.719126940 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.835565090 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.836183071 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.836191893 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.836195946 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.836472034 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.836472988 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.911390066 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.914047956 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:09.915493965 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:09.917179108 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:10.017163038 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:17.410083055 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:17.410125971 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:17.510226965 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:17.547244072 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:17.630605936 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:17.631987095 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:17.633250952 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:17.672209024 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:17.757322073 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:33.217710972 CEST	53	64577	162.159.36.2	192.168.2.5
Aug 30, 2024 18:31:33.698488951 CEST	65122	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:31:33.706818104 CEST	53	65122	1.1.1.1	192.168.2.5
Aug 30, 2024 18:31:38.671751022 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:38.671796083 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:38.752247095 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:38.772313118 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:38.814239979 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:38.853441000 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:38.853856087 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:38.855057001 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:38.891664028 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:38.936471939 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:38.938513994 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:38.941910982 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:38.971184015 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:38.978645086 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:39.068171024 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:39.314680099 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:39.314726114 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:39.447262049 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:39.484637976 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:39.527040005 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:39.527945995 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:39.528985977 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:31:39.562616110 CEST	64557	443	192.168.2.5	142.250.65.174
Aug 30, 2024 18:31:39.652448893 CEST	443	64557	142.250.65.174	192.168.2.5
Aug 30, 2024 18:32:09.586296082 CEST	63881	53	192.168.2.5	1.1.1.1
Aug 30, 2024 18:32:09.593764067 CEST	53	63881	1.1.1.1	192.168.2.5
Aug 30, 2024 18:32:09.596206903 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:09.596370935 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:09.957972050 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.159372091 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.159502029 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.159943104 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.166806936 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.166820049 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.166831017 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.167028904 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.167412996 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.168107986 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.168344021 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.168368101 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.188855886 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.188878059 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.579643965 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.599080086 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.599260092 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.599286079 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.599322081 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.599370003 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.599435091 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.599443913 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.599451065 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.599519968 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.599565029 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.599683046 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.599760056 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.625642061 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.673764944 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.680008888 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:10.775300026 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.778125048 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:10.803251028 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:39.738584995 CEST	57517	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:39.917818069 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:39.947351933 CEST	443	57517	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:44.034461975 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:44.034653902 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:44.587088108 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:44.587171078 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:44.587798119 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:44.587798119 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:44.588092089 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:44.588135958 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:44.604727030 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:44.766426086 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:44.766969919 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:44.766980886 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:44.767160892 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:44.799530983 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:44.799804926 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:32:44.799971104 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:44.828182936 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:32:45.005587101 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:33:01.665251017 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:33:01.665396929 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:33:01.848078012 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:33:01.875289917 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:33:01.878390074 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:33:01.878602028 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:33:01.879182100 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:33:01.906528950 CEST	53443	443	192.168.2.5	142.250.185.78
Aug 30, 2024 18:33:02.082309961 CEST	443	53443	142.250.185.78	192.168.2.5
Aug 30, 2024 18:33:02.845223904 CEST	60582	53	192.168.2.5	1.1.1.1

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 30, 2024 18:32:39.918039083 CEST	192.168.2.5	142.250.185.78	547c	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 30, 2024 18:31:02.825227022 CEST	192.168.2.5	1.1.1.1	0x7ec2	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:02.825479031 CEST	192.168.2.5	1.1.1.1	0x46ed	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Aug 30, 2024 18:31:05.867360115 CEST	192.168.2.5	1.1.1.1	0xbd62	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.867512941 CEST	192.168.2.5	1.1.1.1	0xff25	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 30, 2024 18:31:05.867902040 CEST	192.168.2.5	1.1.1.1	0x6cd1	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.868145943 CEST	192.168.2.5	1.1.1.1	0xe436	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 30, 2024 18:31:05.868765116 CEST	192.168.2.5	1.1.1.1	0x464a	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.869160891 CEST	192.168.2.5	1.1.1.1	0xbc41	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 30, 2024 18:31:05.869532108 CEST	192.168.2.5	1.1.1.1	0x7837	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.869879007 CEST	192.168.2.5	1.1.1.1	0x9643	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 30, 2024 18:31:06.065110922 CEST	192.168.2.5	1.1.1.1	0x34a7	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:06.065305948 CEST	192.168.2.5	1.1.1.1	0x6501	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Aug 30, 2024 18:31:33.698488951 CEST	192.168.2.5	1.1.1.1	0xc44	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Aug 30, 2024 18:32:09.586296082 CEST	192.168.2.5	1.1.1.1	0x6c19	Standard query (0)	play.google.com	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:33:02.845223904 CEST	192.168.2.5	1.1.1.1	0x6ff6	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 30, 2024 18:31:02.833875895 CEST	1.1.1.1	192.168.2.5	0x7ec2	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 30, 2024 18:31:02.833890915 CEST	1.1.1.1	192.168.2.5	0x46ed	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 30, 2024 18:31:04.755038023 CEST	1.1.1.1	192.168.2.5	0xb34c	No error (0)	shed.dual-low.s-part-0029.t-0009.t-msedge.net	s-part-0029.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 30, 2024 18:31:04.755038023 CEST	1.1.1.1	192.168.2.5	0xb34c	No error (0)	s-part-0029.t-0009.t-msedge.net		13.107.246.57	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.874409914 CEST	1.1.1.1	192.168.2.5	0xbd62	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.874409914 CEST	1.1.1.1	192.168.2.5	0xbd62	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.874578953 CEST	1.1.1.1	192.168.2.5	0xff25	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 30, 2024 18:31:05.875286102 CEST	1.1.1.1	192.168.2.5	0xe436	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 30, 2024 18:31:05.875439882 CEST	1.1.1.1	192.168.2.5	0x6cd1	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.875439882 CEST	1.1.1.1	192.168.2.5	0x6cd1	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.875947952 CEST	1.1.1.1	192.168.2.5	0x464a	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.875947952 CEST	1.1.1.1	192.168.2.5	0x464a	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.875958920 CEST	1.1.1.1	192.168.2.5	0xbc41	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 30, 2024 18:31:05.876606941 CEST	1.1.1.1	192.168.2.5	0x7837	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.876606941 CEST	1.1.1.1	192.168.2.5	0x7837	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:05.876617908 CEST	1.1.1.1	192.168.2.5	0x9643	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 30, 2024 18:31:06.074264050 CEST	1.1.1.1	192.168.2.5	0x34a7	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:06.074264050 CEST	1.1.1.1	192.168.2.5	0x34a7	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:31:06.074279070 CEST	1.1.1.1	192.168.2.5	0x6501	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Aug 30, 2024 18:31:33.706818104 CEST	1.1.1.1	192.168.2.5	0xc44	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Aug 30, 2024 18:32:09.593764067 CEST	1.1.1.1	192.168.2.5	0x6c19	No error (0)	play.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Aug 30, 2024 18:33:02.854526043 CEST	1.1.1.1	192.168.2.5	0x6ff6	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

edgeassetservice.azureedge.net

fs.microsoft.com

chrome.cloudflare-dns.com

https:

www.google.com

slscr.update.microsoft.com

fe3cr.delivery.mp.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49716	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:04 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-30 16:31:04 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=61549 Date: Fri, 30 Aug 2024 16:31:04 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49724	13.107.246.57	443	7476	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:05 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.47 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-30 16:31:05 UTC	583	IN	HTTP/1.1 200 OK Date: Fri, 30 Aug 2024 16:31:05 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Fri, 02 Aug 2024 18:10:35 GMT ETag: 0x8DCB31E67C22927 x-ms-request-id: 66f87118-601e-001a-2116-f94768000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240830T163105Z-16579567576p25xcxh3nycmsaw00000003d00000000022ng Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-08-30 16:31:05 UTC	15801	IN	Data Raw: 1f 8b 08 08 1a 21 ad 66 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: !fasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-08-30 16:31:05 UTC	16384	IN	Data Raw: 4a b0 09 cb 82 45 ac c5 f3 e8 07 bb 82 71 ba da 2a 0b c7 62 2c 30 96 c2 52 09 74 65 c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 Data Ascii: JEqb,0Rte\|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49*-lx53Bu;hQ-]bU%+/M!eC8Y1
2024-08-30 16:31:05 UTC	16384	IN	Data Raw: 2f 4d 35 19 b9 3f d5 c1 f4 52 a7 67 b3 99 ff bc b7 c2 8e 7c d3 4d 9a a5 bf dc f0 20 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 Data Ascii: /M5?Rg\|M kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|c
2024-08-30 16:31:05 UTC	16384	IN	Data Raw: 99 dc 5a 2e 69 cf 52 41 9e 48 c8 71 d7 39 94 dd f7 b6 3f 2a 48 d1 b5 2e 37 a4 97 5f 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 Data Ascii: Z.iRAHq9?*H.7_CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`
2024-08-30 16:31:05 UTC	5254	IN	Data Raw: 29 50 5f 50 34 9a d3 9a 2a 83 ab 27 93 58 c5 2b d2 9c af 2b 4e 0f 79 ac a9 56 57 20 b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 Data Ascii: )P_P4*'X++NyVW a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49725	13.107.246.57	443	7476	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:05 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-08-30 16:31:05 UTC	559	IN	HTTP/1.1 200 OK Date: Fri, 30 Aug 2024 16:31:05 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Fri, 23 Aug 2024 00:10:35 GMT ETag: 0x8DCC30802EF150E x-ms-request-id: 903262f1-801e-001b-4826-f94695000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240830T163105Z-16579567576p25xcxh3nycmsaw00000003bg000000007x0u Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 69316365 X-Cache: TCP_HIT X-Cache-Info: L1_T2 Accept-Ranges: bytes
2024-08-30 16:31:05 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49723	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:05 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-08-30 16:31:05 UTC	514	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=61501 Date: Fri, 30 Aug 2024 16:31:05 GMT Content-Length: 55 Connection: close X-CID: 2
2024-08-30 16:31:05 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49726	162.159.61.3	443	7476	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-30 16:31:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-30 16:31:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Fri, 30 Aug 2024 16:31:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bb62b510a793308-EWR alt-svc: h3=":443"; ma=86400
2024-08-30 16:31:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 12 00 04 8e fb 28 83 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49728	162.159.61.3	443	7476	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-30 16:31:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-30 16:31:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Fri, 30 Aug 2024 16:31:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bb62b510d460cae-EWR alt-svc: h3=":443"; ma=86400
2024-08-30 16:31:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 63 00 04 8e fb 23 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomc#)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49727	162.159.61.3	443	7476	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-30 16:31:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-30 16:31:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Fri, 30 Aug 2024 16:31:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bb62b512a0c4295-EWR alt-svc: h3=":443"; ma=86400
2024-08-30 16:31:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 eb 00 04 8e fb 20 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom c)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49729	162.159.61.3	443	7476	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-30 16:31:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-30 16:31:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Fri, 30 Aug 2024 16:31:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bb62b513e2c8c69-EWR alt-svc: h3=":443"; ma=86400
2024-08-30 16:31:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 10 00 04 8e fb 29 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom))

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49732	172.64.41.3	443	7476	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-08-30 16:31:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-08-30 16:31:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Fri, 30 Aug 2024 16:31:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bb62b526af743a3-EWR alt-svc: h3=":443"; ma=86400
2024-08-30 16:31:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1e 00 04 8e fa 41 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomA)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49739	142.250.65.174	443	7476	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:09 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-30 16:31:09 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Fri, 30 Aug 2024 16:31:09 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49738	142.250.65.174	443	7476	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:09 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-30 16:31:09 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Fri, 30 Aug 2024 16:31:09 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49740	172.217.165.132	443	7476	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:09 UTC	887	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.2045.47" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-08-30 16:31:09 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Fri, 30 Aug 2024 16:10:07 GMT Expires: Sat, 07 Sep 2024 16:10:07 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 1262 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-08-30 16:31:09 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-08-30 16:31:09 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-08-30 16:31:09 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-08-30 16:31:09 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-08-30 16:31:09 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49745	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:19 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Mx9tg1GeheCSLR1&MD=CBHt6lMH HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-30 16:31:20 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 50936cd2-2402-4259-a652-4d6c51f8e67c MS-RequestId: f2e054f0-aa97-4a50-ad82-620d586df5be MS-CV: tcL47lA6UESHGr7j.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 30 Aug 2024 16:31:19 GMT Connection: close Content-Length: 24490
2024-08-30 16:31:20 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-30 16:31:20 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	63126	20.242.39.171	443

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:34 UTC	142	OUT	GET /clientwebservice/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: fe3cr.delivery.mp.microsoft.com
2024-08-30 16:31:34 UTC	234	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Content-Type-Options: nosniff Date: Fri, 30 Aug 2024 16:31:33 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	63127	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:35 UTC	124	OUT	GET /sls/ping HTTP/1.1 Connection: Keep-Alive User-Agent: DNS resiliency checker/1.0 Host: slscr.update.microsoft.com
2024-08-30 16:31:35 UTC	318	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Expires: -1 MS-CV: cZfdbbUQMUC7j5xd.0 MS-RequestId: 7e3b7eac-53be-43cf-9af0-4e0659c7f17e MS-CorrelationId: 1cbbdbca-eef4-470f-bbd8-6976aa10b326 X-Content-Type-Options: nosniff Date: Fri, 30 Aug 2024 16:31:35 GMT Connection: close Content-Length: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	63128	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:37 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Mx9tg1GeheCSLR1&MD=CBHt6lMH HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-30 16:31:37 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: ac2c55f7-814e-4fce-a950-46ed42221c14 MS-RequestId: f36ab68c-dd22-4386-af5c-af565503e6ae MS-CV: s7kamw74Lk+zqeZJ.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 30 Aug 2024 16:31:37 GMT Connection: close Content-Length: 24490
2024-08-30 16:31:37 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-08-30 16:31:37 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	63129	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-08-30 16:31:38 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Mx9tg1GeheCSLR1&MD=CBHt6lMH HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-08-30 16:31:38 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 8533e561-a53b-4a42-b810-de7674af020c MS-RequestId: 97dcc97f-c221-471d-ac4e-bd118aab164d MS-CV: tQT8Cypbo0if5lWr.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 30 Aug 2024 16:31:37 GMT Connection: close Content-Length: 30005
2024-08-30 16:31:38 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-08-30 16:31:39 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	12:30:56
Start date:	30/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf70000
File size:	917'504 bytes
MD5 hash:	B6561154E0D9D0AA82B41FEAACC09FC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:30:56
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:30:57
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1992 --field-trial-handle=2052,i,14543500253682485423,14285576021756251855,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:30:57
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:30:58
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	12:31:02
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5540 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:31:02
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=5876 --field-trial-handle=2076,i,15516634676617675372,7871555798940630191,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:31:13
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:31:14
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2328 --field-trial-handle=2024,i,9586786140042106640,15399430692976579656,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:31:15
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4292 --field-trial-handle=2024,i,9586786140042106640,15399430692976579656,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:31:20
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:31:21
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3136 --field-trial-handle=3084,i,16894461250703694639,15650387076746428452,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:31:21
Start date:	30/08/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3632 --field-trial-handle=3084,i,16894461250703694639,15650387076746428452,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.9%
Total number of Nodes:	1419
Total number of Limit Nodes:	32

Executed Functions

Function 00F8F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130
keyboardthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F8F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FCF474
IsIconic.USER32(00000000), ref: 00FCF47D
ShowWindow.USER32(00000000,00000009), ref: 00FCF48A
SetForegroundWindow.USER32(00000000), ref: 00FCF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FCF4AA
GetCurrentThreadId.KERNEL32 ref: 00FCF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FCF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FCF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FCF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00FCF4DE
SetForegroundWindow.USER32(00000000), ref: 00FCF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCF4F6
keybd_event.USER32(00000012,00000000), ref: 00FCF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCF50B
keybd_event.USER32(00000012,00000000), ref: 00FCF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCF519
keybd_event.USER32(00000012,00000000), ref: 00FCF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCF528
keybd_event.USER32(00000012,00000000), ref: 00FCF52D
SetForegroundWindow.USER32(00000000), ref: 00FCF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00FCF557

Strings

Shell_TrayWnd, xrefs: 00FCF46F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 816e9d1c0e9ae2c918f0dad446d5c1ad487ac1db11adcee2879a380568a4f636
Instruction ID: de9e4a708187afdcb879b4985bc4ff78bc9e1317e704b66071adc519a33333b6
Opcode Fuzzy Hash: 816e9d1c0e9ae2c918f0dad446d5c1ad487ac1db11adcee2879a380568a4f636
Instruction Fuzzy Hash: 1E319271A40218BFFB316BB58D4AFBF7E6DEB44B50F140569FA00E61C1C6B65D00ABA0

Function 00F742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F7430D

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

GetCurrentProcess.KERNEL32(?,0100CB64,00000000,?,?), ref: 00F74422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00F74429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F74454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F74466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F74474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00F7447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00F744A0

Strings

GetNativeSystemInfo, xrefs: 00F74460
kernel32.dll, xrefs: 00F7444F
|O, xrefs: 00FB36F8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f81627774e75ca12677d4298a722c4aed07a37d418f005604b89ded5218d0bed
Instruction ID: dc1d649e3667fc43762e3a1bf7dd094041a7bfe35c1b9566d4cf78e05972a41a
Opcode Fuzzy Hash: f81627774e75ca12677d4298a722c4aed07a37d418f005604b89ded5218d0bed
Instruction Fuzzy Hash: AAA1B7FB90D2C0DFC731CB6976C02D57F946B26342B14C499D4C5A3A09E23A7584EF62

Function 00F742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F750AA,?,?,00000000,00000000), ref: 00F742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F750AA,?,?,00000000,00000000), ref: 00F742C9
LoadResource.KERNEL32(?,00000000,?,?,00F750AA,?,?,00000000,00000000,?,?,?,?,?,?,00F74F20), ref: 00FB35BE
SizeofResource.KERNEL32(?,00000000,?,?,00F750AA,?,?,00000000,00000000,?,?,?,?,?,?,00F74F20), ref: 00FB35D3
LockResource.KERNEL32(00F750AA,?,?,00F750AA,?,?,00000000,00000000,?,?,?,?,?,?,00F74F20,?), ref: 00FB35E6

Strings

SCRIPT, xrefs: 00F742BF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: afb2a39b394afbd699b49bd3ec3e61e2f383ff188156b2c90ea2bbea36b80888
Instruction ID: 0b92ffb349a08cd64edb147f7f42da51983f8603407eb507ce53d9ef6c3bdbd1
Opcode Fuzzy Hash: afb2a39b394afbd699b49bd3ec3e61e2f383ff188156b2c90ea2bbea36b80888
Instruction Fuzzy Hash: 7311A070200700BFE7228B65DD48F277BB9EBC5B51F2082A9B44A96680DB71EC10DB31

Function 00FB2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00F72B6B

Part of subcall function 00F73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01041418,?,00F72E7F,?,?,?,00000000), ref: 00F73A78

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01032224), ref: 00FB2C10
ShellExecuteW.SHELL32(00000000,?,?,01032224), ref: 00FB2C17

Strings

runas, xrefs: 00FB2C0B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 10b9c603a49feb532a0728dff9c495cc1aa72a50543090872cb2fe4f6e49ffb5
Instruction ID: b8b91c2b8cbc2ed2f30807db0479416b909d1592962bd7aea6c3f2e01149d8ec
Opcode Fuzzy Hash: 10b9c603a49feb532a0728dff9c495cc1aa72a50543090872cb2fe4f6e49ffb5
Instruction Fuzzy Hash: 8E11B4716083056AC765FF64DC829AE77A4ABD5310F44842FF1CA56093CF399A4AB713

Function 00FDDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00FB5222), ref: 00FDDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00FDDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00FDDBEE
FindClose.KERNEL32(00000000), ref: 00FDDBFA

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 4116a68bf420f403d3c01e7abfcbe41bd8683f743d4c98a13ee30667630810c0
Instruction ID: 6a3e20b1b7e33c4bb2b2554243dbc062398483532d299601da47594168f843bd
Opcode Fuzzy Hash: 4116a68bf420f403d3c01e7abfcbe41bd8683f743d4c98a13ee30667630810c0
Instruction Fuzzy Hash: EBF0E5318209105792316B7CAE0E8BA376D9E02334F284743F8BAC22E0EBB55D54E7D5

Function 00FFAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00FFB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FFB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FFB1D4
_wcslen.LIBCMT ref: 00FFB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FFB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FFB236
_wcslen.LIBCMT ref: 00FFB332

Part of subcall function 00FE05A7: GetStdHandle.KERNEL32(000000F6), ref: 00FE05C6

_wcslen.LIBCMT ref: 00FFB34B
_wcslen.LIBCMT ref: 00FFB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FFB3B6
GetLastError.KERNEL32(00000000), ref: 00FFB407
CloseHandle.KERNEL32(?), ref: 00FFB439
CloseHandle.KERNEL32(00000000), ref: 00FFB44A
CloseHandle.KERNEL32(00000000), ref: 00FFB45C
CloseHandle.KERNEL32(00000000), ref: 00FFB46E
CloseHandle.KERNEL32(?), ref: 00FFB4E3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 7d7f154ebf1955e167e427d918cee6d23590e2c94862f6104294b645bfbecc23
Instruction ID: d69ab04204bcb0121f6c4e12c91168ea3cd10f484ea37f308ad6869a364a2a95
Opcode Fuzzy Hash: 7d7f154ebf1955e167e427d918cee6d23590e2c94862f6104294b645bfbecc23
Instruction Fuzzy Hash: CCF1C031908304DFD715EF24C881B6EBBE5AF85324F18855EF5998B2A2CB35EC44DB52

Function 00F7D730 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00F7D807
timeGetTime.WINMM ref: 00F7DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F7DB28
TranslateMessage.USER32(?), ref: 00F7DB7B
DispatchMessageW.USER32(?), ref: 00F7DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F7DB9F
Sleep.KERNELBASE(0000000A), ref: 00F7DBB1

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 7887cd9dfe14743e1f2c5106f288bf6515c012206e84d9cd136a7e98ed01f6f1
Instruction ID: 445be93b75be26d764803e15f16bc089be116b56f7820159b5ccaee3fdf6757f
Opcode Fuzzy Hash: 7887cd9dfe14743e1f2c5106f288bf6515c012206e84d9cd136a7e98ed01f6f1
Instruction Fuzzy Hash: AC420370A04242DFE739CB24C985FAAB7B0FF85310F54865EE59987291C779E844EB83

Function 00F72CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F72D07
RegisterClassExW.USER32(00000030), ref: 00F72D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F72D42
InitCommonControlsEx.COMCTL32(?), ref: 00F72D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F72D6F
LoadIconW.USER32(000000A9), ref: 00F72D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F72D94

Strings

+, xrefs: 00F72CF0
0, xrefs: 00F72CE9
AutoIt v3 GUI, xrefs: 00F72D23
TaskbarCreated, xrefs: 00F72D37

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 49fa5ac83e624634322dbf624d3aad6dff03ece58e3949f7bea83ceefbe14b4a
Instruction ID: ccca9af98d8144ea1eed9909180665fe11e20dbeff0c0b4c7380334b79d8f758
Opcode Fuzzy Hash: 49fa5ac83e624634322dbf624d3aad6dff03ece58e3949f7bea83ceefbe14b4a
Instruction Fuzzy Hash: 742121B9D01308AFEB11DF94EA89BDD7FB4FB08701F00425AF591A6284D7BA1544CF51

Function 00FB065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FB039A: CreateFileW.KERNELBASE(00000000,00000000,?,00FB0704,?,?,00000000,?,00FB0704,00000000,0000000C), ref: 00FB03B7

GetLastError.KERNEL32 ref: 00FB076F
__dosmaperr.LIBCMT ref: 00FB0776
GetFileType.KERNELBASE(00000000), ref: 00FB0782
GetLastError.KERNEL32 ref: 00FB078C
__dosmaperr.LIBCMT ref: 00FB0795
CloseHandle.KERNEL32(00000000), ref: 00FB07B5
CloseHandle.KERNEL32(?), ref: 00FB08FF
GetLastError.KERNEL32 ref: 00FB0931
__dosmaperr.LIBCMT ref: 00FB0938

Strings

H, xrefs: 00FB08BD

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a54ca21259f2139832f5b00715ae35086e56ac2ec78f6c9f1d31d5e1ecbcc5e1
Instruction ID: 41f16807f5e5003415910389eb18f8671be364ee5e5d938f04bb644ae057fa73
Opcode Fuzzy Hash: a54ca21259f2139832f5b00715ae35086e56ac2ec78f6c9f1d31d5e1ecbcc5e1
Instruction Fuzzy Hash: 6EA13732A141048FDF19EF68DC91BEE7BA0AB06320F240159F855EB391CB399D16EF91

Function 00F7344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F73A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01041418,?,00F72E7F,?,?,?,00000000), ref: 00F73A78

Part of subcall function 00F73357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F73379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F7356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FB318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FB31CE
RegCloseKey.ADVAPI32(?), ref: 00FB3210
_wcslen.LIBCMT ref: 00FB3277
_wcslen.LIBCMT ref: 00FB3286

Strings

\Include\, xrefs: 00F73527
\, xrefs: 00FB328C
Software\AutoIt v3\AutoIt, xrefs: 00F73560
Include, xrefs: 00FB3184, 00FB31C5

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 756b4c8df01a52c82014675362a1729130ab2f72b060511c08b769fca1710bcc
Instruction ID: 1ef3c44f1cced97fb0d88113416708c1c871ff58fd0aab95d22abbd575c99359
Opcode Fuzzy Hash: 756b4c8df01a52c82014675362a1729130ab2f72b060511c08b769fca1710bcc
Instruction Fuzzy Hash: 5471C2B15043019FD324EF25ED8289BBBF8FF85740F40852EF589931A4DB799A48DB52

Function 00F72B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F72B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00F72B9D
LoadIconW.USER32(00000063), ref: 00F72BB3
LoadIconW.USER32(000000A4), ref: 00F72BC5
LoadIconW.USER32(000000A2), ref: 00F72BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F72BEF
RegisterClassExW.USER32(?), ref: 00F72C40

Part of subcall function 00F72CD4: GetSysColorBrush.USER32(0000000F), ref: 00F72D07
Part of subcall function 00F72CD4: RegisterClassExW.USER32(00000030), ref: 00F72D31
Part of subcall function 00F72CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F72D42
Part of subcall function 00F72CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F72D5F
Part of subcall function 00F72CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F72D6F
Part of subcall function 00F72CD4: LoadIconW.USER32(000000A9), ref: 00F72D85
Part of subcall function 00F72CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F72D94

Strings

AutoIt v3, xrefs: 00F72C2F
0, xrefs: 00F72C0F
#, xrefs: 00F72C16

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: eb1cbb03c8cd90bf6f105c4faa28afd102baf211c4eac9b290798407575e3f44
Instruction ID: 2d51fc7a2e132e28e33683aff643e9597a9c3c7ffed58377fb99a66d1c09d791
Opcode Fuzzy Hash: eb1cbb03c8cd90bf6f105c4faa28afd102baf211c4eac9b290798407575e3f44
Instruction Fuzzy Hash: D72192B8E40314AFDB219F95EA84B9D7FB5FB08B51F00815AF584A6684D3BA2580DF80

Function 00F73170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F7316A,?,?), ref: 00F731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00F7316A,?,?), ref: 00F73204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F73227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F7316A,?,?), ref: 00F73232
CreatePopupMenu.USER32 ref: 00F73246
PostQuitMessage.USER32(00000000), ref: 00F73267

Strings

TaskbarCreated, xrefs: 00F7322D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 09b9f12749357f9b0dc8f05251a31969b2e713d6378e9ddfc9ae1499432e3b03
Instruction ID: 721c31605df6d2201ae26c75fe42fa3471c3b9b3ef1f12016c5622d4ff831350
Opcode Fuzzy Hash: 09b9f12749357f9b0dc8f05251a31969b2e713d6378e9ddfc9ae1499432e3b03
Instruction Fuzzy Hash: 3A412975A50104B7DB251B38DE497B93716F705350F14812BF58E85286C7BA9E80F763

Function 00F72C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F72C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F72CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F71CAD,?), ref: 00F72CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00F71CAD,?), ref: 00F72CCF

Strings

AutoIt v3, xrefs: 00F72C89, 00F72C8E, 00F72C8F
edit, xrefs: 00F72CAC

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2e8510708ca4b90df76825bef1e1799f2f65a4b53218f24886f272ee559db901
Instruction ID: cbbfe00d7910c248fc575755ac3a7451a47b4b468c89b85b3383be7fc1b5729d
Opcode Fuzzy Hash: 2e8510708ca4b90df76825bef1e1799f2f65a4b53218f24886f272ee559db901
Instruction Fuzzy Hash: DEF03AB95402907BFB321713AD8CE772EBDE7C6F51F00805EF944A2194C27A2884DBB0

Function 00FDE97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00FDE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00FDE9A5
Sleep.KERNEL32(00000000), ref: 00FDE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00FDE9B7
Sleep.KERNELBASE ref: 00FDE9F3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: aa66c6e022126bca4fc1e97970cd5db5de9af348ed8c077f38794f700b885a7d
Instruction ID: f94e0d8a58c69d93dffef7dfb9c5b1026e6ced71e27737e4e1cd2defe6ab7ddc
Opcode Fuzzy Hash: aa66c6e022126bca4fc1e97970cd5db5de9af348ed8c077f38794f700b885a7d
Instruction Fuzzy Hash: EE01C031C0252DDBDF10AFE4D9686DDBB79FF09300F040686E442B2244CB388540DBA2

Function 00F73B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F73B0F,SwapMouseButtons,00000004,?), ref: 00F73B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F73B0F,SwapMouseButtons,00000004,?), ref: 00F73B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F73B0F,SwapMouseButtons,00000004,?), ref: 00F73B83

Strings

Control Panel\Mouse, xrefs: 00F73B3E

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 3010b6255f542de4a6a1b2da42f537d62b249317fbacb5b255af2bee93acc9ab
Instruction ID: 097dd3087245932328aa09f330fd8d55890c2aec4a5ef446bffa259240221ada
Opcode Fuzzy Hash: 3010b6255f542de4a6a1b2da42f537d62b249317fbacb5b255af2bee93acc9ab
Instruction Fuzzy Hash: 43112AB5510208FFEB21CFA9DC44AEEB7BCEF45754B10855AB809D7114D2319E40A7A1

Function 00F73923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FB33A2

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F73A04

Strings

Line: , xrefs: 00FB33EB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 398b9e32a9a32873a7927f32670d5d1d88c1c21db57873c1bbb31fadebcb3c23
Instruction ID: 94ff751aa37d11adbf23204495ec6dc9a5f61261d7fdfdfd45f8d3b6c76e4687
Opcode Fuzzy Hash: 398b9e32a9a32873a7927f32670d5d1d88c1c21db57873c1bbb31fadebcb3c23
Instruction Fuzzy Hash: 0431A371848310BBD725EB20DC45BDB77E8AB84710F04852BF59D82181DB78A649E7C3

Function 00F8FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00F90668

Part of subcall function 00F932A4: RaiseException.KERNEL32(?,?,?,00F9068A,?,01041444,?,?,?,?,?,?,00F9068A,00F71129,01038738,00F71129), ref: 00F93304

__CxxThrowException@8.LIBVCRUNTIME ref: 00F90685

Strings

Unknown exception, xrefs: 00F90692

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 9c0cf0a75cb6e204a400c1e66423f23c42080583c7bfcaf3a375a14f9c47194f
Instruction ID: bf76817ea63553804cef7b05537cf63ed6eda059afdb5617bd1166ab7e6a90c3
Opcode Fuzzy Hash: 9c0cf0a75cb6e204a400c1e66423f23c42080583c7bfcaf3a375a14f9c47194f
Instruction Fuzzy Hash: FDF0C235D0020DBBAF00B664DC46D9E776C6E40320B604165BA24D6591EF75EA6AFAC0

Function 00F710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F71BF4
Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F71BFC
Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F71C07
Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F71C12
Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F71C1A
Part of subcall function 00F71BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F71C22

Part of subcall function 00F71B4A: RegisterWindowMessageW.USER32(00000004,?,00F712C4), ref: 00F71BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F7136A
OleInitialize.OLE32 ref: 00F71388
CloseHandle.KERNEL32(00000000,00000000), ref: 00FB24AB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1bcd1e137da939966d05123081a20a4e098401f5f5aab72d6da7293fa87f4baf
Instruction ID: f0bfac337b767a27a555c76b6ffa2a5d8c82d82218fb43d64c69a0164a393c3f
Opcode Fuzzy Hash: 1bcd1e137da939966d05123081a20a4e098401f5f5aab72d6da7293fa87f4baf
Instruction Fuzzy Hash: 8D71A0F8911300CFE3A4DF79E6C56953AE1BB88344758826ED4DAC7249EB3A64C5CF81

Function 00FDC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F73923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F73A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FDC259
KillTimer.USER32(?,00000001,?,?), ref: 00FDC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FDC270

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 5f9502a4b136215d05238c1299df500553f5f6da6618eb5e31036ffaa9356bee
Instruction ID: ec7778f26c4f192edd0d7def5388dd4874c321b61d8debc77b20c1d94c75783c
Opcode Fuzzy Hash: 5f9502a4b136215d05238c1299df500553f5f6da6618eb5e31036ffaa9356bee
Instruction Fuzzy Hash: 7031D571904344AFEB329F648885BE7BBEDAF06305F08449EE6DE93241C7746A84DB91

Function 00FA86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00FA85CC,?,01038CC8,0000000C), ref: 00FA8704
GetLastError.KERNEL32(?,00FA85CC,?,01038CC8,0000000C), ref: 00FA870E
__dosmaperr.LIBCMT ref: 00FA8739

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: b4593e7456a32681a276c01a2861a07e172b492e11c51c176fce7fd6d7c6cff8
Instruction ID: a391e4c427a4c4793f0bf8ea917db7f71c087e9270b210072bf96c18e424575c
Opcode Fuzzy Hash: b4593e7456a32681a276c01a2861a07e172b492e11c51c176fce7fd6d7c6cff8
Instruction Fuzzy Hash: B8016FF3E0462026E6606234A945B7E37454BC3BF4F380159F8049B2D2DDE9CC82B290

Function 00F7DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00F7DB7B
DispatchMessageW.USER32(?), ref: 00F7DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F7DB9F
Sleep.KERNELBASE(0000000A), ref: 00F7DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00FC1CC9

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 93e3f917b2fa8956970e72c38f676026257e2b627d3fd5ed84d47b0d129991a8
Instruction ID: 329cfd01b9d6ad1c44698b96ca3d4d9f2e1f95c0eac9905fb5a2b97b5b452762
Opcode Fuzzy Hash: 93e3f917b2fa8956970e72c38f676026257e2b627d3fd5ed84d47b0d129991a8
Instruction Fuzzy Hash: FEF03A31A443419BF730CB649D89FEA73B8BF85320F504619F69E930C0DB35A488AB16

Function 00F81310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F817F6

Strings

CALL, xrefs: 00F817C6

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: f67c796307a0f09ad37319244d1ebae5068b6fbb1e896b1faabb99bfbf97aacc
Instruction ID: aa2ef1a9869f19b89322381502ab93a4e524d77f8b67ee48aa5598a4d6fbc874
Opcode Fuzzy Hash: f67c796307a0f09ad37319244d1ebae5068b6fbb1e896b1faabb99bfbf97aacc
Instruction Fuzzy Hash: 8322AD706082419FC714EF14C881F6ABBF5BF85314F288A6DF4968B361D735E846EB82

Function 00F72DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00FB2C8C

Part of subcall function 00F73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F73A97,?,?,00F72E7F,?,?,?,00000000), ref: 00F73AC2

Part of subcall function 00F72DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F72DC4

Strings

X, xrefs: 00FB2C5A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 36256892bdab3a288f6130562492431dfbeba4392574ea242543715da48b2b21
Instruction ID: 7a68385f091281d69770b20a78cedd9dc7661ac8a4207daccf273027ddaf1ca3
Opcode Fuzzy Hash: 36256892bdab3a288f6130562492431dfbeba4392574ea242543715da48b2b21
Instruction Fuzzy Hash: 0521C671E00258ABDB51DF94CC45BEE7BFCAF49314F00805AE449A7241DBB85A499F61

Function 00F73837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F73908

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: cf0996eea66e3f5d6a97505bc9bce91622557acefbbf557d33cb1bc91904fa46
Instruction ID: 4792b95ecd1c34938872ca62c72f1c13297a0271364a638f91c0b4d03f364d35
Opcode Fuzzy Hash: cf0996eea66e3f5d6a97505bc9bce91622557acefbbf557d33cb1bc91904fa46
Instruction Fuzzy Hash: 7C3191B1904301AFE721DF24D584B97BBE8FB49719F00492EF5DA83240E776AA44EB53

Function 00F8F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F8F661

Part of subcall function 00F7D730: GetInputState.USER32 ref: 00F7D807

Sleep.KERNEL32(00000000), ref: 00FCF2DE

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 5f28f611976d907e98879a8a2f300ddef3642cf2eb55eba0c6bcc4d6614ebf96
Instruction ID: 00e700f5dd814e44bd2ce5cf6ea6f3c96146aa41c0384e22aa21db3d1cec7b72
Opcode Fuzzy Hash: 5f28f611976d907e98879a8a2f300ddef3642cf2eb55eba0c6bcc4d6614ebf96
Instruction Fuzzy Hash: 04F08C312402059FD314EF69D949BAAB7E9FF46761F00416AE85DC7290DB70A800DB92

Function 00F7B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00F7BB4E

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 0c69fdf3392df40d0779638d2dae5475b901401cd3ce8a0dae222bb8a3f10f8a
Instruction ID: fff02fda2896c10396f492c106ea3f2f7d9c7c169c065601192f1e46e9b6d83b
Opcode Fuzzy Hash: 0c69fdf3392df40d0779638d2dae5475b901401cd3ce8a0dae222bb8a3f10f8a
Instruction Fuzzy Hash: E832EE75E0020ADFDB24CF54C985FBAB7B5EF45320F14C05AE919AB251C738AD42EB92

Function 01002598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 01002649

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 786f9991d0b1f6ce1100bc6ddde38a3a3529c7d337b942b749924cf53931b466
Instruction ID: 632160cd1aa3644d9688ed0cf8f2537ab0f48d49d4787b1ae95708e0f1321586
Opcode Fuzzy Hash: 786f9991d0b1f6ce1100bc6ddde38a3a3529c7d337b942b749924cf53931b466
Instruction Fuzzy Hash: C121C174200205AFF761DF28CC9097AB799EB49368F1480ADE9968B391CB31ED41CB90

Function 010013B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 01001420

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 66c6791d466c4b607fae2fd38d288b43b12ea8051a0c52e84e6d2f707dfa7f38
Instruction ID: af0ff236bf7afa4a110b64d7bf13e35f91389bc2ff5c28f1dfc1aca6e8133cea
Opcode Fuzzy Hash: 66c6791d466c4b607fae2fd38d288b43b12ea8051a0c52e84e6d2f707dfa7f38
Instruction Fuzzy Hash: 1A31D230204202AFE715EF29C894B69B7A2FF45328F0581A9E8594F392DF35EC40CBD1

Function 00F74ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F74E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F74EDD,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E9C
Part of subcall function 00F74E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F74EAE
Part of subcall function 00F74E90: FreeLibrary.KERNEL32(00000000,?,?,00F74EDD,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74EFD

Part of subcall function 00F74E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FB3CDE,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E62
Part of subcall function 00F74E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F74E74
Part of subcall function 00F74E59: FreeLibrary.KERNEL32(00000000,?,?,00FB3CDE,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E87

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 265c41748fadf20a985728e32a625591fcf42ebd0985fe83ea53d30fa0ba87ae
Instruction ID: 99b719eb55ff3e4fd486ae4c901f871aff8342ffc12b2b0d8d75c08c26c2a0a6
Opcode Fuzzy Hash: 265c41748fadf20a985728e32a625591fcf42ebd0985fe83ea53d30fa0ba87ae
Instruction Fuzzy Hash: 8F11C432600205AADB15AB61DD12BED77A59F40B10F10C42EF54AAB1C1EFB8AA05BB51

Function 00FA8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00FA8440

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 84835761c31cc6e62d461e4eeefb6511dab8c415dc2eb71a316e6fa4ee9528ad
Instruction ID: 4d69d9b312fb724695bde263352790175a55142eb65d0b04561ab26ed663d854
Opcode Fuzzy Hash: 84835761c31cc6e62d461e4eeefb6511dab8c415dc2eb71a316e6fa4ee9528ad
Instruction Fuzzy Hash: E31148B590420AAFCB05DF58E9409DA7BF8EF49310F104059FC08AB302DA71EA12DBA4

Function 00FA5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FA4C7D: RtlAllocateHeap.NTDLL(00000008,00F71129,00000000,?,00FA2E29,00000001,00000364,?,?,?,00F9F2DE,00FA3863,01041444,?,00F8FDF5,?), ref: 00FA4CBE

_free.LIBCMT ref: 00FA506C

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: aacab9c0f7aa4a30524d715863d8915661d78d3ec9ce94941d134d982d07ce43
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 3A0149B26047056BE331CF69DC81A5AFBECFB8A370F25051DE584832C0EA70A805C7B4

Function 010029BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,010014B5,?), ref: 01002A01

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 10bc9913f84811b5972ad2ecb7ee95d7812f9f29c326f957923d14db59eb1b53
Instruction ID: 4ed22b1029729242ed23f3a3b949f55c78be10ac4267b9eed2b9dc65ce26dc43
Opcode Fuzzy Hash: 10bc9913f84811b5972ad2ecb7ee95d7812f9f29c326f957923d14db59eb1b53
Instruction Fuzzy Hash: 3901B935740641DFF366CA2CC458B2537D2EB86254F6985A9D1C78B291DB32EC82C790

Function 00F9E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 9dedec9bfae141bf83fdd74b233568bdf357c658943d11acf07e5057a18b0be8
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 93F0F972920E1496EF317A69CC05B5633989F93370F100715F420962D1DBB8D806B9A5

Function 0100149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 010014EB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 40b0bc28f2f70aaa6b63ba40c5ab452a95b7fe3b553cf39333cb98237e09c974
Instruction ID: e33b414d9e0fa739d241b123b47be6723875c3dfc0d9de46bf0967d248c32a44
Opcode Fuzzy Hash: 40b0bc28f2f70aaa6b63ba40c5ab452a95b7fe3b553cf39333cb98237e09c974
Instruction Fuzzy Hash: BF01D4353046419FA322CF69D44082ABBD5FF95364B5580ADD98A8B792DB32DD82C7C0

Function 00FA4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00F71129,00000000,?,00FA2E29,00000001,00000364,?,?,?,00F9F2DE,00FA3863,01041444,?,00F8FDF5,?), ref: 00FA4CBE

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3680b65f1a2d96a71930a4d16a5e4713649527b1ce785bbc02a27c27d49aaf8f
Instruction ID: a9dcd464d3cdb61d724def35e2a7f1b61d036f19490a4e7d2bab3e5b0c8d14e5
Opcode Fuzzy Hash: 3680b65f1a2d96a71930a4d16a5e4713649527b1ce785bbc02a27c27d49aaf8f
Instruction Fuzzy Hash: FAF0B472A0623467EB215F629D05F5A3788AFD37B1B144221B81DE7184CAF5F80176A0

Function 00FA3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6,?,00F71129), ref: 00FA3852

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fcd5ae013021821f79e2f0ae616667ee8b1ae69a7aec52818e5b28fb8268fd3a
Instruction ID: 7d29e7ea762b97cd663ccfd01e93e8484e2aa7ecf301f9076b4ddf430abbf333
Opcode Fuzzy Hash: fcd5ae013021821f79e2f0ae616667ee8b1ae69a7aec52818e5b28fb8268fd3a
Instruction Fuzzy Hash: C8E0E57390122457EA3127669C04F9A374CAF437B0F050120BC4492480DB2DED01B2E0

Function 00F74F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74F6D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d378f0a611108971b9a6dbfcf3cd6fff6146fab6d7c4cd772d664a5cd85bcebd
Instruction ID: 94363479a80cbefe089a528ac8e49db53890bd0be98505607d45cb597baf1e0a
Opcode Fuzzy Hash: d378f0a611108971b9a6dbfcf3cd6fff6146fab6d7c4cd772d664a5cd85bcebd
Instruction Fuzzy Hash: ADF01571505752CFDB349F64D4A09A2BBE4AF15329320CA6FE1EE83610C732A844EB12

Function 01002A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01002A66

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 6d826375cc599b31a16b8e4213095c23281fc4cb1ecc7b7dfad85e39a2d6f391
Instruction ID: 0edada176a1d15f87c9f09d0f6f1a98cf91dfb47d673cdee1d4a447e5f2e7e65
Opcode Fuzzy Hash: 6d826375cc599b31a16b8e4213095c23281fc4cb1ecc7b7dfad85e39a2d6f391
Instruction Fuzzy Hash: 38E0DF32340116ABE721EB30DC848FE735CEB11290F000136BC5BC2240DF38A9C582A0

Function 00F72DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F72DC4

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5b9b59ee94864f4bc657173af0b46884865964e993ac441ba15fcf85c3e3fe49
Instruction ID: e5318910c09dbffff60a5071cd6b44872a5a7fa7085bad612d2db8581f5c10c1
Opcode Fuzzy Hash: 5b9b59ee94864f4bc657173af0b46884865964e993ac441ba15fcf85c3e3fe49
Instruction Fuzzy Hash: CAE0CD726001245BC72192589C05FEA77DDDFC8790F0441B1FD0DD7249D964AD80C651

Function 00F72B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F73837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F73908

Part of subcall function 00F7D730: GetInputState.USER32 ref: 00F7D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00F72B6B

Part of subcall function 00F730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F7314E

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 7b411c9b9278332f1ac8a7a3be1bad947f061a82a9a40da7d5b718eee401ee3d
Instruction ID: e7f1193852df1ca60c890135cd07de65dd1c6dd31f693138bc02e2c0a0104322
Opcode Fuzzy Hash: 7b411c9b9278332f1ac8a7a3be1bad947f061a82a9a40da7d5b718eee401ee3d
Instruction Fuzzy Hash: B3E0263270420813CA18BB34AC5246DB7599BD1311F40853FF18A43193CF3D46866313

Function 00FD3D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FD3D18

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 1f6f2e424938a7c12089fd7e926b6f12c61008313dd85874e29cc47cfd56be84
Instruction ID: 706c624f9449f9507380db6acd80b59e277d7823d529364ccd827787ca76abbc
Opcode Fuzzy Hash: 1f6f2e424938a7c12089fd7e926b6f12c61008313dd85874e29cc47cfd56be84
Instruction Fuzzy Hash: 8FD08CF06A43087EFB1083718D0BEBB339CC31AE85F004BA47E02D64C1D9A5EE080230

Function 00FB039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00FB0704,?,?,00000000,?,00FB0704,00000000,0000000C), ref: 00FB03B7

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 37ded99acdf855b8694d83418399497ff884219fae108be6537b49f59cef3a1f
Instruction ID: 4faea014995c396adef58e92be4bf2020c5e11d5618a69bca7699a7bcda40579
Opcode Fuzzy Hash: 37ded99acdf855b8694d83418399497ff884219fae108be6537b49f59cef3a1f
Instruction Fuzzy Hash: FAD06C3204010DBBDF128F84DD06EDA3BAAFB48714F014140BE5856020C736E821AB90

Function 00F71CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F71CBC

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 21c64c451f578a45877e897376b2f297a0d84baaef84735098f3d44121993e72
Instruction ID: c283d19d0d1154372cfcbe018f60de7f984211b5f97a6a76a755aff9ade13289
Opcode Fuzzy Hash: 21c64c451f578a45877e897376b2f297a0d84baaef84735098f3d44121993e72
Instruction Fuzzy Hash: 98C09B7D380304EFF2354780BE8AF107755A348F01F048001F689555C7C3B71490D750

Non-executed Functions

Function 01009576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0100961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0100965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0100969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010096C9
SendMessageW.USER32 ref: 010096F2
GetKeyState.USER32(00000011), ref: 0100978B
GetKeyState.USER32(00000009), ref: 01009798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010097AE
GetKeyState.USER32(00000010), ref: 010097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010097E9
SendMessageW.USER32 ref: 01009810
SendMessageW.USER32(?,00001030,?,01007E95), ref: 01009918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0100992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01009941
SetCapture.USER32(?), ref: 0100994A
ClientToScreen.USER32(?,?), ref: 010099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010099D6
ReleaseCapture.USER32 ref: 010099E1
GetCursorPos.USER32(?), ref: 01009A19
ScreenToClient.USER32(?,?), ref: 01009A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01009A80
SendMessageW.USER32 ref: 01009AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01009AEB
SendMessageW.USER32 ref: 01009B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01009B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01009B4A
GetCursorPos.USER32(?), ref: 01009B68
ScreenToClient.USER32(?,?), ref: 01009B75
GetParent.USER32(?), ref: 01009B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01009BFA
SendMessageW.USER32 ref: 01009C2B
ClientToScreen.USER32(?,?), ref: 01009C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01009CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01009CDE
SendMessageW.USER32 ref: 01009D01
ClientToScreen.USER32(?,?), ref: 01009D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01009D82

Part of subcall function 00F89944: GetWindowLongW.USER32(?,000000EB), ref: 00F89952

GetWindowLongW.USER32(?,000000F0), ref: 01009E05

Strings

F, xrefs: 01009D07
@GUI_DRAGID, xrefs: 0100997D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: be68022390f6e79ab188765efff417d7fa643270626bd1f367551a2ef33314e7
Instruction ID: c664ea7808c32573b94e92e598eda9b289f5f47fbb8b61f19fd169350589d353
Opcode Fuzzy Hash: be68022390f6e79ab188765efff417d7fa643270626bd1f367551a2ef33314e7
Instruction Fuzzy Hash: 7C429F75208201AFF726CF28CD84AAABBE5FF4D314F040699F6D9872E2D735A850CB51

Function 01004873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01004908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01004927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0100494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0100495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0100497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01004A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01004A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01004A7E
IsMenu.USER32(?), ref: 01004A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01004AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01004B20
GetWindowLongW.USER32(?,000000F0), ref: 01004B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01004BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01004C82
wsprintfW.USER32 ref: 01004CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01004CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01004CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01004D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01004D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01004D5A

Strings

%d/%02d/%02d, xrefs: 01004CA8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: ead7517cc3a39a9020c5c18c4d735ea72e833ce967b69160f0e7ce99c4734eb1
Instruction ID: a87b51c24d950267f1396e4bcc04b57030d5ff49fc039c66914c39655069c54b
Opcode Fuzzy Hash: ead7517cc3a39a9020c5c18c4d735ea72e833ce967b69160f0e7ce99c4734eb1
Instruction Fuzzy Hash: 2212E071500214ABFB369F28CD49FAE7BF8EF85310F0042A9F695DA2D1DB789941CB54

Function 00FD1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00FD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FD170D
Part of subcall function 00FD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FD173A
Part of subcall function 00FD16C3: GetLastError.KERNEL32 ref: 00FD174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00FD1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FD12A8
CloseHandle.KERNEL32(?), ref: 00FD12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FD12D1
GetProcessWindowStation.USER32 ref: 00FD12EA
SetProcessWindowStation.USER32(00000000), ref: 00FD12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FD1310

Part of subcall function 00FD10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FD11FC), ref: 00FD10D4
Part of subcall function 00FD10BF: CloseHandle.KERNEL32(?,?,00FD11FC), ref: 00FD10E9

Strings

default, xrefs: 00FD130B
winsta0, xrefs: 00FD12CC
, xrefs: 00FD125A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: da27c40ec026362879b96cd2e9a784a4b313a7c6090560d85fa9cebfb6e779e4
Instruction ID: 42254577d1659fea6c4981421b400579f9511eb12abd342da62fd080f26634d3
Opcode Fuzzy Hash: da27c40ec026362879b96cd2e9a784a4b313a7c6090560d85fa9cebfb6e779e4
Instruction Fuzzy Hash: DB819D71900208BBEF21DFA4DD49FEE7BBAFF06710F18416AF910A6290C7759955EB20

Function 00FD0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FD1114
Part of subcall function 00FD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1120
Part of subcall function 00FD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD112F
Part of subcall function 00FD10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1136
Part of subcall function 00FD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FD114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FD0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FD0C00
GetLengthSid.ADVAPI32(?), ref: 00FD0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00FD0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FD0C6D
GetLengthSid.ADVAPI32(?), ref: 00FD0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FD0C8C
HeapAlloc.KERNEL32(00000000), ref: 00FD0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FD0CB4
CopySid.ADVAPI32(00000000), ref: 00FD0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FD0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FD0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FD0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0D45
HeapFree.KERNEL32(00000000), ref: 00FD0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0D55
HeapFree.KERNEL32(00000000), ref: 00FD0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0D65
HeapFree.KERNEL32(00000000), ref: 00FD0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FD0D78
HeapFree.KERNEL32(00000000), ref: 00FD0D7F

Part of subcall function 00FD1193: GetProcessHeap.KERNEL32(00000008,00FD0BB1,?,00000000,?,00FD0BB1,?), ref: 00FD11A1
Part of subcall function 00FD1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FD0BB1,?), ref: 00FD11A8
Part of subcall function 00FD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FD0BB1,?), ref: 00FD11B7

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3d0d5b20ff3bb529c631f85b168b5c5b65371ac575687397d6294677fc9f97cd
Instruction ID: e580448a40ce55f2a22f22bac34fb50363681b2b8017b4278cb927f751c7d81e
Opcode Fuzzy Hash: 3d0d5b20ff3bb529c631f85b168b5c5b65371ac575687397d6294677fc9f97cd
Instruction Fuzzy Hash: DD715C71D0020AABEF11DFA4DD44FEEBBBABF05310F084656F954A7280DB75A905DB60

Function 00FEEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0100CC08), ref: 00FEEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00FEEB37
GetClipboardData.USER32(0000000D), ref: 00FEEB43
CloseClipboard.USER32 ref: 00FEEB4F
GlobalLock.KERNEL32(00000000), ref: 00FEEB87
CloseClipboard.USER32 ref: 00FEEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00FEEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00FEEBC9
GetClipboardData.USER32(00000001), ref: 00FEEBD1
GlobalLock.KERNEL32(00000000), ref: 00FEEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00FEEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00FEEC38
GetClipboardData.USER32(0000000F), ref: 00FEEC44
GlobalLock.KERNEL32(00000000), ref: 00FEEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FEEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FEEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FEECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00FEECF3
CountClipboardFormats.USER32 ref: 00FEED14
CloseClipboard.USER32 ref: 00FEED59

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 1cf4b3f311d612e3222cfc7c983985a9e4468bb2fb3963b9a331483a8b8f788e
Instruction ID: 4bf68e4ef7513a134201f07dd76fe7e0a117697e9b2d25092036828de52ddf45
Opcode Fuzzy Hash: 1cf4b3f311d612e3222cfc7c983985a9e4468bb2fb3963b9a331483a8b8f788e
Instruction Fuzzy Hash: 956123342043419FE321EF21ED84F2A77A4AF84710F14865DF49A87292DB76ED09EB62

Function 00FE698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FE69BE
FindClose.KERNEL32(00000000), ref: 00FE6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FE6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FE6A75

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00FE6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FE6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00FE6B32
%02d, xrefs: 00FE6C00, 00FE6C0A, 00FE6C5A, 00FE6CAA, 00FE6CFA, 00FE6D4A
%4d, xrefs: 00FE6BB1
%03d, xrefs: 00FE6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00FE6B6A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 8f84a82404628a6dafe89c2550bd1721acba1565ca0b01a373b9f700550f3e10
Instruction ID: 9861446543826c4e07a12d00c702279a10b82068dde5549cd653c695be189651
Opcode Fuzzy Hash: 8f84a82404628a6dafe89c2550bd1721acba1565ca0b01a373b9f700550f3e10
Instruction Fuzzy Hash: 3DD15072508344AEC710EB60CC81EABB7ECAF98704F44491EF589C7191EB78DA48DB63

Function 00FE9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FE9663
GetFileAttributesW.KERNEL32(?), ref: 00FE96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00FE96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00FE96D3
FindClose.KERNEL32(00000000), ref: 00FE96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00FE96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE974A
SetCurrentDirectoryW.KERNEL32(01036B7C), ref: 00FE9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FE9772
FindClose.KERNEL32(00000000), ref: 00FE977F
FindClose.KERNEL32(00000000), ref: 00FE978F

Strings

*.*, xrefs: 00FE96F5

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 52ebe1c70e1ecac7806abfb06c48c58e02710755269debb7dba0e6b98aba60b7
Instruction ID: 77b1bf863dd8bd801b70cfb46ed1413e6815aac007e868a2dcf0b619be72a0bb
Opcode Fuzzy Hash: 52ebe1c70e1ecac7806abfb06c48c58e02710755269debb7dba0e6b98aba60b7
Instruction Fuzzy Hash: A93106329042597EEF25EFB6DD08ADE77AC9F49320F1041A6F854E2091DB75DE449F20

Function 00FE979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FE97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00FE9819
FindClose.KERNEL32(00000000), ref: 00FE9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00FE9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE9890
SetCurrentDirectoryW.KERNEL32(01036B7C), ref: 00FE98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FE98B8
FindClose.KERNEL32(00000000), ref: 00FE98C5
FindClose.KERNEL32(00000000), ref: 00FE98D5

Part of subcall function 00FDDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FDDB00

Strings

*.*, xrefs: 00FE983B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 2aa1f75cd66c0e97b4173997f86aeb2d39a7e1e4a09510ab7088d64804c3cc7e
Instruction ID: f989de43332e39d8e7f40c31b0a7465a399e8786cf226fb1aa2816dfd6b8d1b0
Opcode Fuzzy Hash: 2aa1f75cd66c0e97b4173997f86aeb2d39a7e1e4a09510ab7088d64804c3cc7e
Instruction Fuzzy Hash: 283116319042496AEF25EFB6DC48ADE33AC9F46330F1041A9E840A21A0DB75DF84DB30

Function 00FFBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFB6AE,?,?), ref: 00FFC9B5
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFC9F1
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA68
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FFBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00FFBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00FFBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FFC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FFC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FFC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FFC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00FFC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FFC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FFC382
RegCloseKey.ADVAPI32(00000000), ref: 00FFC38F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 2fd2c53f2780fd3ae845b8154a4e17083f57ed225aae876cebce160194b0173e
Instruction ID: 342216114c451016494bbe25d2ebaf6c025117e8dcfec2448cb703a8e948228c
Opcode Fuzzy Hash: 2fd2c53f2780fd3ae845b8154a4e17083f57ed225aae876cebce160194b0173e
Instruction Fuzzy Hash: 36028D716042049FD714DF24C981E2ABBE5EF89318F18C49DF94ACB2A2DB31EC45DB92

Function 00FE8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FE8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FE8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FE8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FE8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FE838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE8395

Strings

*.*, xrefs: 00FE839B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 7cee4d7039141963cecbbab1900b9c3ad62dac23d423d0581e5a39a3d53ce3fe
Instruction ID: 52d5d50698c14bb669d7ee4ecf98c979328de682384ef65e5215a6c002601a4f
Opcode Fuzzy Hash: 7cee4d7039141963cecbbab1900b9c3ad62dac23d423d0581e5a39a3d53ce3fe
Instruction Fuzzy Hash: 3B619C725043459FDB10EF61C84099EB3E8FF89314F04891EF98D97251DB39E906DB92

Function 00FDD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F73A97,?,?,00F72E7F,?,?,?,00000000), ref: 00F73AC2

Part of subcall function 00FDE199: GetFileAttributesW.KERNEL32(?,00FDCF95), ref: 00FDE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FDD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00FDD1DD
MoveFileW.KERNEL32(?,?), ref: 00FDD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FDD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FDD237

Part of subcall function 00FDD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00FDD21C,?,?), ref: 00FDD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00FDD253
FindClose.KERNEL32(00000000), ref: 00FDD264

Strings

\*.*, xrefs: 00FDD0CD, 00FDD0D6, 00FDD0EB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 1158ee8e3ba8fefe51ff83619df9be5c24eb667c635ff3f0bb37a26f10abeb7d
Instruction ID: a53cdd0d151c771f6dbf45bc050f1ce47bd2c2ba2b939ed40895969cbce3dce6
Opcode Fuzzy Hash: 1158ee8e3ba8fefe51ff83619df9be5c24eb667c635ff3f0bb37a26f10abeb7d
Instruction Fuzzy Hash: B2618E31C0510DAADF15EBE0CE92DEDB776AF54300F288166E40577292EB395F09EB62

Function 00FEED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FEED91
EmptyClipboard.USER32 ref: 00FEED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00FEEDAC
CloseClipboard.USER32 ref: 00FEEEA3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 66145abe12413af5447e5fd1fb95cc2892620a2e6f0730500d4e2bc42e1a60a0
Instruction ID: 794326ad4fc412b22db81150550767a1a097c917b921214c069286064955ee6e
Opcode Fuzzy Hash: 66145abe12413af5447e5fd1fb95cc2892620a2e6f0730500d4e2bc42e1a60a0
Instruction Fuzzy Hash: 3B41CF35604251AFE331DF16E888F19BBE1EF44328F15C199E45A8B662C73AFC41DB90

Function 00FDE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FD170D
Part of subcall function 00FD16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FD173A
Part of subcall function 00FD16C3: GetLastError.KERNEL32 ref: 00FD174A

ExitWindowsEx.USER32(?,00000000), ref: 00FDE932

Strings

@, xrefs: 00FDE925
, xrefs: 00FDE95C
, xrefs: 00FDE920
SeShutdownPrivilege, xrefs: 00FDE902

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e4d48a2be197491f8492fa986f8007648270513a343833110e5c50cd13670ae9
Instruction ID: 5fae3cbdb8987d81ab8a1848d95d8ca039613b65bfd8ca5bd1da4a6a13d2adad
Opcode Fuzzy Hash: e4d48a2be197491f8492fa986f8007648270513a343833110e5c50cd13670ae9
Instruction Fuzzy Hash: 6C014973A11211BBFB2432B49C9AFBF725EA714750F1C0927FC43EA3C1D6A55C40A291

Function 00FF1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FF1276
WSAGetLastError.WSOCK32 ref: 00FF1283
bind.WSOCK32(00000000,?,00000010), ref: 00FF12BA
WSAGetLastError.WSOCK32 ref: 00FF12C5
closesocket.WSOCK32(00000000), ref: 00FF12F4
listen.WSOCK32(00000000,00000005), ref: 00FF1303
WSAGetLastError.WSOCK32 ref: 00FF130D
closesocket.WSOCK32(00000000), ref: 00FF133C

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: c5ee56e21c542754a3fa06d4c07f8df83b01971153294f8495d94da268def161
Instruction ID: d2a8fe8df7b49ddaf4fdd06d3666250bc9430e2f0fac2def53304b22c1d716b9
Opcode Fuzzy Hash: c5ee56e21c542754a3fa06d4c07f8df83b01971153294f8495d94da268def161
Instruction Fuzzy Hash: F2419331A00104DFD720DF64C584B29BBE5BF46328F188189D9569F2E6C775ED81DBE1

Function 00FAB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FAB9D4
_free.LIBCMT ref: 00FAB9F8
_free.LIBCMT ref: 00FABB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01013700), ref: 00FABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0104121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00FABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01041270,000000FF,?,0000003F,00000000,?), ref: 00FABC36
_free.LIBCMT ref: 00FABD4B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 5ffe9b65455af65eb91c03945a949e3e753c913179b7d0408a132e75ff0f81bf
Instruction ID: 709927be68b8ac5cbe65d56dd712efd5997e471463bb995031223d4c69be4244
Opcode Fuzzy Hash: 5ffe9b65455af65eb91c03945a949e3e753c913179b7d0408a132e75ff0f81bf
Instruction Fuzzy Hash: F3C147F1E04244AFDB209F68DD41BAA7BB8EF47320F14419AE890D7247EB399E41E750

Function 00FDD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F73A97,?,?,00F72E7F,?,?,?,00000000), ref: 00F73AC2

Part of subcall function 00FDE199: GetFileAttributesW.KERNEL32(?,00FDCF95), ref: 00FDE19A

FindFirstFileW.KERNEL32(?,?), ref: 00FDD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FDD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FDD481
FindClose.KERNEL32(00000000), ref: 00FDD498
FindClose.KERNEL32(00000000), ref: 00FDD4A1

Strings

\*.*, xrefs: 00FDD3F2

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: af763d062607d2f64b0309a74d467a47950c704e4088942ffe3cdbb8869daa1b
Instruction ID: 3cd919e493eb0e087bd3ada50df99fc939561e3430b4a5433c65ad18d3564437
Opcode Fuzzy Hash: af763d062607d2f64b0309a74d467a47950c704e4088942ffe3cdbb8869daa1b
Instruction Fuzzy Hash: 0631A4314083459BC315EF60CC518AF77A9AE92314F448A1EF4D953291EB35AA09E763

Function 00FAE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FAE645

Strings

1#INF, xrefs: 00FAF852
1#SNAN, xrefs: 00FAF844
1#QNAN, xrefs: 00FAF84B
1#IND, xrefs: 00FAF83D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8f119886bb527f5d8cc982bbce8f42632d339c6e91d7e4c68ba8b0247738edaa
Instruction ID: 080e576cd5f3bf1f3285590d03431a022502bf1a8fef701d17eb9302712a26d1
Opcode Fuzzy Hash: 8f119886bb527f5d8cc982bbce8f42632d339c6e91d7e4c68ba8b0247738edaa
Instruction Fuzzy Hash: CAC25EB2E046288FDF25CE68DD407EAB7B5EB4A314F1441EAD44DE7240E778AE859F40

Function 00FE648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FE64DC
CoInitialize.OLE32(00000000), ref: 00FE6639
CoCreateInstance.OLE32(0100FCF8,00000000,00000001,0100FB68,?), ref: 00FE6650
CoUninitialize.OLE32 ref: 00FE68D4

Strings

.lnk, xrefs: 00FE64BA, 00FE6524, 00FE65E0

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 32adf7c0a1243757eaa8b1743affd76a36c07707066be705db1865f1b8df3084
Instruction ID: 3a46fed7dee34261eec50954e90687163bc34f58f9ed43e3c9046530431a3b36
Opcode Fuzzy Hash: 32adf7c0a1243757eaa8b1743affd76a36c07707066be705db1865f1b8df3084
Instruction Fuzzy Hash: 54D15971608345AFD314EF24C881D6BB7E8BF94304F04895DF5998B2A1EB70E905DBA2

Function 00FF22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00FF22E8

Part of subcall function 00FEE4EC: GetWindowRect.USER32(?,?), ref: 00FEE504

GetDesktopWindow.USER32 ref: 00FF2312
GetWindowRect.USER32(00000000), ref: 00FF2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FF2355
GetCursorPos.USER32(?), ref: 00FF2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FF23DF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: fdf66da74aa9ed4c68b23a83b76281e844ebe07e2f38035318dbc3684b514baa
Instruction ID: 2599eb2f51a1598edb6b7a0cd30cb402ac8bc4c8e0a68a02d7e54c39485a4aab
Opcode Fuzzy Hash: fdf66da74aa9ed4c68b23a83b76281e844ebe07e2f38035318dbc3684b514baa
Instruction Fuzzy Hash: FF31E3B2505319AFD721DF14C845F6BBBAAFF88314F000A19F98597191DB79E908CB92

Function 00FE9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FE9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FE9C8B

Part of subcall function 00FE3874: GetInputState.USER32 ref: 00FE38CB
Part of subcall function 00FE3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FE9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FE9C75

Strings

*.*, xrefs: 00FE9B5D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 511fbab75f2c9fce5fbb1e953af5a6c85eb202ff42e45eec4cf364178d40fcf2
Instruction ID: 00f060b6359389600fe052a2828c80e9c42e1933f7d8ee0038ec1923872eaa87
Opcode Fuzzy Hash: 511fbab75f2c9fce5fbb1e953af5a6c85eb202ff42e45eec4cf364178d40fcf2
Instruction Fuzzy Hash: F041E271C0824AAFDF25EF69CD45AEE7BB8EF05310F204196E405A2191EB749F84EF61

Function 00F8997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F89A4E
GetSysColor.USER32(0000000F), ref: 00F89B23
SetBkColor.GDI32(?,00000000), ref: 00F89B36

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 18e46d58c6c01fd839ace901fbfddd10f8449cf122a0daa70f2dee0ca27d9d10
Instruction ID: 6d7291e90a5a3c54b090d22feca0a73450c33db3e926124eb2678fe5c223929d
Opcode Fuzzy Hash: 18e46d58c6c01fd839ace901fbfddd10f8449cf122a0daa70f2dee0ca27d9d10
Instruction Fuzzy Hash: 3EA13A7160C505BEE729BA2C8D89FFB369DEB82360F18020DF542C69C5CA6A9D41F771

Function 00FF1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FF307A
Part of subcall function 00FF304E: _wcslen.LIBCMT ref: 00FF309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FF185D
WSAGetLastError.WSOCK32 ref: 00FF1884
bind.WSOCK32(00000000,?,00000010), ref: 00FF18DB
WSAGetLastError.WSOCK32 ref: 00FF18E6
closesocket.WSOCK32(00000000), ref: 00FF1915

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: f27cd5d93f69b2c3a5f556e2516cab9fd21829d6c668a7b52dee18c91639016b
Instruction ID: 2c2218ae68eb96f73f60005169ce154ab7a389fa07f28f887a9e33384221df8b
Opcode Fuzzy Hash: f27cd5d93f69b2c3a5f556e2516cab9fd21829d6c668a7b52dee18c91639016b
Instruction Fuzzy Hash: 2951D371A002009FEB20EF24C886F6A77A5AF44718F088098F9099F393C675AD41DBA1

Function 01001C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01001CC0
IsWindowEnabled.USER32 ref: 01001CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01001CDB
IsIconic.USER32 ref: 01001CE9
IsZoomed.USER32 ref: 01001CF7

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: fbf8ee3bc04068875285cf16926e007b57af2307be137d7ab2ae6e819bd29027
Instruction ID: 419a73461d10a0c9a560b4d03d40fa5219bdca3dc8668eec3629aa8410af6414
Opcode Fuzzy Hash: fbf8ee3bc04068875285cf16926e007b57af2307be137d7ab2ae6e819bd29027
Instruction Fuzzy Hash: A72194317006055FF7229F2AC884F5A7BE5BF95315F1980ADE88A8B281CB76D842CB90

Function 00F78060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00F783E8
VUUU, xrefs: 00FB5DF0
VUUU, xrefs: 00F7843C
ERCP, xrefs: 00F7813C
VUUU, xrefs: 00F783FA

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 6e03d930a43640cd7c6e641e080e8f9e41b6fabddbf2c3b0fb98561619edd55d
Instruction ID: ca7e5863c72129e075453303badee2f46894a18656596981643b3e224c22874c
Opcode Fuzzy Hash: 6e03d930a43640cd7c6e641e080e8f9e41b6fabddbf2c3b0fb98561619edd55d
Instruction Fuzzy Hash: 85A2A171E0021ACBDF24CF59C8447EDB7B1BF44760F2481AAD819A7285DB789D82EF91

Function 00FFA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FFA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00FFA6BA

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Process32NextW.KERNEL32(00000000,?), ref: 00FFA79C
CloseHandle.KERNEL32(00000000), ref: 00FFA7AB

Part of subcall function 00F8CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00FB3303,?), ref: 00F8CE8A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 4dccbde9334d8f73e01917fe25a37ed9b9697246f9746fa1b8cba87167779788
Instruction ID: d81f62be1e8776cec2ecd923ab132ec7aa8b250028d20fc296ecdbd2a835f033
Opcode Fuzzy Hash: 4dccbde9334d8f73e01917fe25a37ed9b9697246f9746fa1b8cba87167779788
Instruction Fuzzy Hash: F5512AB1508300AFD710EF24C886E6BBBE8FF89754F40891EF58997252EB75D904DB92

Function 00FDAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00FDAAAC
SetKeyboardState.USER32(00000080), ref: 00FDAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00FDAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00FDAB88

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5dc8151e5646cc178cbe55bc9013f455ec3e1cb9031bdae09e296a42fe57e40b
Instruction ID: a5802984c705ea11f73c5594ac1d89b58b91e48aef6dabf5ddecd4ee75f13eb6
Opcode Fuzzy Hash: 5dc8151e5646cc178cbe55bc9013f455ec3e1cb9031bdae09e296a42fe57e40b
Instruction Fuzzy Hash: 6C311E31E40604AEFB359B648C057FA7BA7AB85320F0C431BF181553D1D3798982E75A

Function 00FECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00FECE89
GetLastError.KERNEL32(?,00000000), ref: 00FECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00FECEFE

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c9bf10762f1c2f3a45e66d934b3a4821069865ac1e4b2bb3b995fdc93d80c471
Instruction ID: d31cf666ac04e49c8821331fca1879bca67fd149dfb9a83c25861706e869cd0b
Opcode Fuzzy Hash: c9bf10762f1c2f3a45e66d934b3a4821069865ac1e4b2bb3b995fdc93d80c471
Instruction Fuzzy Hash: 4421BD71900345AFEB30DFA6C949BAA77FCEB40324F10441EF586D2141E775EE06ABA0

Function 00FD8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FD82AA

Strings

(, xrefs: 00FD82F0
|, xrefs: 00FD82DA

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 713e4dae68280aaa76a09ffb26755045f239e0027fad2e57160ea1c93de854d8
Instruction ID: 482d248e435e9a0e63b28b4ae3665d5840cdcf86ba82d5aca876788e83f9ec5a
Opcode Fuzzy Hash: 713e4dae68280aaa76a09ffb26755045f239e0027fad2e57160ea1c93de854d8
Instruction Fuzzy Hash: 89324675A007059FCB28CF19C481A6AB7F1FF48760B15C56EE49ADB3A1EB70E942DB40

Function 00FE5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FE5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00FE5D17
FindClose.KERNEL32(?), ref: 00FE5D5F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 0439232c737d40801cf9af98c0521a3f0e712043d21845df526c85d85a51bd77
Instruction ID: ed6fe76a13fbe602996d20aa3c7443575070680eaa90a4714905fe855bd51117
Opcode Fuzzy Hash: 0439232c737d40801cf9af98c0521a3f0e712043d21845df526c85d85a51bd77
Instruction Fuzzy Hash: 4651CE34A046419FC714DF29C894E9AB7E4FF49328F14855EE99A8B3A2CB34ED04DF91

Function 00FA2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00FA271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FA2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00FA2731

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 32e1c5a6b7165986238ac065137a10c48cebd9759d56fab00658876130cad26d
Instruction ID: 34d40e84978ce7da9638080435382cb37fd4bb0cc9f858718f7b541107b0c218
Opcode Fuzzy Hash: 32e1c5a6b7165986238ac065137a10c48cebd9759d56fab00658876130cad26d
Instruction Fuzzy Hash: 4131D87491121CABDB61DF68DD887DCB7B8AF08310F5041DAE80CA7250E7349F819F44

Function 00FE51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FE51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FE5238
SetErrorMode.KERNEL32(00000000), ref: 00FE52A1

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a5c25b03ed0d3af56574413606e112dd91608fbb8788c9c16d36e927e88f1eb2
Instruction ID: 83947e8936f078320d50b170bcae42681623870ea7ecf5f23772dd3ef635d1ea
Opcode Fuzzy Hash: a5c25b03ed0d3af56574413606e112dd91608fbb8788c9c16d36e927e88f1eb2
Instruction Fuzzy Hash: 19318E35A00508DFDB00DF54D884EADBBB4FF09318F088099E949AB396CB76E855CBA1

Function 00FD16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F90668
Part of subcall function 00F8FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F90685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FD170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FD173A
GetLastError.KERNEL32 ref: 00FD174A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 3260c95ffdeb893582d1f93989f33bfd2f594c1c35790433e138ca79585f1c38
Instruction ID: b96a5fc732d4afc13065854f5c2c8d2bdc101e8771d724507d23bbde63e8af20
Opcode Fuzzy Hash: 3260c95ffdeb893582d1f93989f33bfd2f594c1c35790433e138ca79585f1c38
Instruction Fuzzy Hash: F811BFB2400204BFE728AF54DC86DAAB7BDFB04714B24852EF45652241EB74BC418B20

Function 00FDD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FDD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00FDD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00FDD650

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c65499ded277a9d57df712ad5f93ef006789865fce94e7cc14e757c496edeeb7
Instruction ID: 8c2b63fa7f80c380e1b7ff1d333f9602c0ffb941b9053a0b4016e8ff2b116c56
Opcode Fuzzy Hash: c65499ded277a9d57df712ad5f93ef006789865fce94e7cc14e757c496edeeb7
Instruction Fuzzy Hash: C8118E71E01228BFEB208F94DC44FAFBBBCEB45B60F108152F904E7280D2704A018BE1

Function 00FD1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00FD168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FD16A1
FreeSid.ADVAPI32(?), ref: 00FD16B1

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ba95d149fb821f3bc25663f5780b9875f93fe366b5c36b634a069b3e2eaa0c9d
Instruction ID: 3684a44071d3724ee50d75001fa0827898afab171240fb3f6da46973a4b62619
Opcode Fuzzy Hash: ba95d149fb821f3bc25663f5780b9875f93fe366b5c36b634a069b3e2eaa0c9d
Instruction Fuzzy Hash: 3AF04471940308BBEB00CFE08989AAEBBBCFB08200F0045A1F500E2180E335AA048B50

Function 00F94CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00FA28E9,?,00F94CBE,00FA28E9,010388B8,0000000C,00F94E15,00FA28E9,00000002,00000000,?,00FA28E9), ref: 00F94D09
TerminateProcess.KERNEL32(00000000,?,00F94CBE,00FA28E9,010388B8,0000000C,00F94E15,00FA28E9,00000002,00000000,?,00FA28E9), ref: 00F94D10
ExitProcess.KERNEL32 ref: 00F94D22

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9ab8a55dda44b0d335647413a45d6b15b98a0d0dffa3bc753af8568ee9d2d0cd
Instruction ID: dc87aaa58169ef50afc8a8e03089ec2e1f5b9c46d52efc63d7048c0f2cfb90e2
Opcode Fuzzy Hash: 9ab8a55dda44b0d335647413a45d6b15b98a0d0dffa3bc753af8568ee9d2d0cd
Instruction Fuzzy Hash: 1BE0B635810148ABEF26AF54DE09E583B69FB56791F108155FC458A226CB3AEE42EB80

Function 00FAC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00FAC36C

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 53f13259a8bd218e3b0f0a2bbccd8a160de13a1eda2d5e4039d50cea1177a46f
Instruction ID: c10437da6dae249ae61e96257c1bbd6e38cc7e775648a459060d2640785fc916
Opcode Fuzzy Hash: 53f13259a8bd218e3b0f0a2bbccd8a160de13a1eda2d5e4039d50cea1177a46f
Instruction Fuzzy Hash: E5415BB69003186FCB20DFB9CC48EBB77B8EB85324F1042A9F905D7180E6709E40DB90

Function 00FCD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00FCD28C

Strings

X64, xrefs: 00FCD2A8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f4fc10fb820cdd2e409c75b43c4429195d6d6199012abeeeb6d7007a63aa1aa2
Instruction ID: 6ac9a1ca2cd0f9e13fc2e68fd78097bda86660ed10b8525b393f235b830ed359
Opcode Fuzzy Hash: f4fc10fb820cdd2e409c75b43c4429195d6d6199012abeeeb6d7007a63aa1aa2
Instruction Fuzzy Hash: DBD0C9B580511DEACB94DB90D988EDDB37CBB04305F100295F106A2040D73495499F10

Function 00F9CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: cf1723d9a7813c0fe1bb4733617cb0dc73a4e3feae9491a449bd1d362225534d
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 95022D72E002199FDF14DFA9C8806ADFBF1FF88324F25416AD919E7380D731AA419B94

Function 00FE68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FE6918
FindClose.KERNEL32(00000000), ref: 00FE6961

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f740b951fc958e138e04198ed2d0d335a5739223b53f82637e742d1d73e94d8b
Instruction ID: 81851a0371c8d55e7d23edb128c12667603e92ce220227b3939aa402ea356b49
Opcode Fuzzy Hash: f740b951fc958e138e04198ed2d0d335a5739223b53f82637e742d1d73e94d8b
Instruction Fuzzy Hash: FB1190316042449FD710DF2AD884A1ABBE5FF85328F14C69DE4698F6A2C734EC05DB91

Function 00FE37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FF4891,?,?,00000035,?), ref: 00FE37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FF4891,?,?,00000035,?), ref: 00FE37F4

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 62811d196099a6a97c0a33fda0f07798d6d0b74d83b0d537738bd362419e5180
Instruction ID: 94981d6f8e4f834092190060bc17adbb2ab7b9c87fe76b6e28e09208b08fbb44
Opcode Fuzzy Hash: 62811d196099a6a97c0a33fda0f07798d6d0b74d83b0d537738bd362419e5180
Instruction Fuzzy Hash: A1F0E5B16092292AEB2117678C4DFEB3BAEEFC4761F000265F509D3285D9649A04D7B0

Function 00FD10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FD11FC), ref: 00FD10D4
CloseHandle.KERNEL32(?,?,00FD11FC), ref: 00FD10E9

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1d38bd9145bcb55c7ef2f9e7c373dd2e129114f316c41fc46f215c0c9f41c602
Instruction ID: 39261f9250e2d835b204ca264b9d91df23d2d260f4a8908ca7845ed4d76fa94a
Opcode Fuzzy Hash: 1d38bd9145bcb55c7ef2f9e7c373dd2e129114f316c41fc46f215c0c9f41c602
Instruction Fuzzy Hash: 68E04F32014600BEF7362B11FC09EB377A9EB04320F14892EF5A5804B5DB676CA0EB10

Function 00F7CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00FC0C40

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 5306d7deee8299f548283d819a55c54dc648ed35f231a866ac8ba0f5cbf9e46d
Instruction ID: 64545d508fe38ef71d7c97557e19824274cebd0b17034647b333fcb4974aa6f6
Opcode Fuzzy Hash: 5306d7deee8299f548283d819a55c54dc648ed35f231a866ac8ba0f5cbf9e46d
Instruction Fuzzy Hash: 8C32AE31900219DBDF14DF94C981FEDB7B5BF05314F14806EE80AAB281DB75AD46EBA2

Function 00FA676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FA6766,?,?,00000008,?,?,00FAFEFE,00000000), ref: 00FA6998

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 591e959da23b94b0b15770f715d0cb37c07ad756e50fc558cfa5ac88ef1eb239
Instruction ID: dd987ff6221a0a3b034849ea1e937dc79b839af8dae058a6f6e2bd0c779611f4
Opcode Fuzzy Hash: 591e959da23b94b0b15770f715d0cb37c07ad756e50fc558cfa5ac88ef1eb239
Instruction Fuzzy Hash: 47B15EB2510608DFD715CF28C48AB657BE0FF46364F298658E899CF2A1C739E991DB40

Function 00F8B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00FC851F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3f3d09502f3ea8441b501bc7ecae4440df8de28e9e795636fbf840840c034d3f
Instruction ID: e73fb2a14b51c47e9c2da1cc5202f26b600158345bdf7d8378b6537bffd2a9d6
Opcode Fuzzy Hash: 3f3d09502f3ea8441b501bc7ecae4440df8de28e9e795636fbf840840c034d3f
Instruction Fuzzy Hash: C3127F71D0022ADBDB24DF58C981BEEB7B5FF48710F14819AE849EB241DB749E81DB90

Function 00FEEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00FEEABD

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ba1f8849396d92b2dafb20d83d1a1f2e9eac06cd94893dcba8aedcb9032a96d0
Instruction ID: eb13ea7dc1e34c8c3162df31c39c55821e5bcf670156ac98afc3fb1d9bd75f78
Opcode Fuzzy Hash: ba1f8849396d92b2dafb20d83d1a1f2e9eac06cd94893dcba8aedcb9032a96d0
Instruction Fuzzy Hash: C5E048352002049FD710DF5AD804E9AF7D9AF59770F00C42AFC49C7351D774E8409B91

Function 00F909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F903EE), ref: 00F909DA

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c0ef898a993844408ef40368661d74f69a254c5b36d79816388e1256375430ec
Instruction ID: 004db05c8885d383fee5d96783f1027c2f128469cc679bf6916b6c4b66d084cf
Opcode Fuzzy Hash: c0ef898a993844408ef40368661d74f69a254c5b36d79816388e1256375430ec
Instruction Fuzzy Hash:

Function 00F9781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00F9798B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 6504e2ccde53075a998bb9c7b210c8a6289ee0b687e40e8794766e43efa0ec2c
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 66516772E3C7055BFF38B528885E7BF6385DB42364F280509E882DB292C619DE06F356

Function 00FA6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb1c485bc45ef01d561531f9d55093d3b060e5e90cb524ed6c2e8aeb0123de1
Instruction ID: e8b8c17ddb9cd3f6234310b69e306da8244ef8278a9ec79bcb62dce2016895cb
Opcode Fuzzy Hash: 7cb1c485bc45ef01d561531f9d55093d3b060e5e90cb524ed6c2e8aeb0123de1
Instruction Fuzzy Hash: DD322272D29F014DD723A534DC22336A689AFB73D5F25C737E81AB5999EB2EC4835200

Function 00F8CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9490369ea636d2b6f68c4a72ad8e85262c1f2f2f16116723e72812a7289d449
Instruction ID: b0acbd89f9c8e774ad7e25b47a1de575dd8439815df6a188dadd53fed9248a37
Opcode Fuzzy Hash: d9490369ea636d2b6f68c4a72ad8e85262c1f2f2f16116723e72812a7289d449
Instruction Fuzzy Hash: 6732F932E001478BCF24DE29C696BBD77A1EB45320F28856ED55E8B291D234DD81FBD0

Function 00F77920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b6f80332b37eb2bc36abb0c544bf58f3fd857099b5fdcde8d5cd413043fb09
Instruction ID: e5d7edfd7178925a39d90e57d45c271f3503202d91effe91b14c6f2e06a93d8c
Opcode Fuzzy Hash: 93b6f80332b37eb2bc36abb0c544bf58f3fd857099b5fdcde8d5cd413043fb09
Instruction Fuzzy Hash: 9622BF71E04609DFDF14DF69C881BEEB3B6FF48710F14812AE816A7290EB399914EB51

Function 00F791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18b998ecec10237fc3758a90eff08a0948d98abdb20f551b9676494f99510c32
Instruction ID: 327acd8b4f6cc35b264884e3bf3989bbdb8c0727584d261d5a743f6ad819c52a
Opcode Fuzzy Hash: 18b998ecec10237fc3758a90eff08a0948d98abdb20f551b9676494f99510c32
Instruction Fuzzy Hash: 9902A3B1E00109EFDB04EF65D881AEDB7B5FF44310F10C169E81A9B291EB75A924EF91

Function 00FA9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e7680656f8f9bc9aecb16168e77450739ef99b5bf680408eab610e3e955786
Instruction ID: 8cfe1dc7cc82162ae13946838f76ab4ecf48461d06e530cca5f1f17fd734d4a4
Opcode Fuzzy Hash: a8e7680656f8f9bc9aecb16168e77450739ef99b5bf680408eab610e3e955786
Instruction Fuzzy Hash: FFB1EF30D2AF404DD22396398821336FA5CBFBB6D5B91D31BFC5678E16EB2A85834240

Function 00F91C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: ca5a6c1edfa96352aee6dd70518bf2e7ea0fe3c0f6a1d8fe1613a58726f79dbe
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 49916773A090A34AFF6D463A857417EFFE16A523B131A07BED4F2CA1C5EE209554F620

Function 00F91F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: f5b098b3c954263ee560e6c26f7e1ad62380d46d24a93445cbbb7a8077153beb
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: F7915673A090A359FFAD4239857413EFFE15A923B131A07ADD4F2CB1D5EE248568F620

Function 00F919B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 44e8734edcf96b1791d811e1193c38af858e033393d2446375aa4e7f3ce6dcca
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: BB9133726090A34AFF6D467A857407EFFE16A923B231A07BDD4F2CA1C1FD148964B620

Function 00F97A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7d705327bb03ee573dfa1e22f83e9ee49b10a76c5bfdd2b8753866f874d52d
Instruction ID: 60675c65fe4f1ff8336812a99065ee74b2fb85738118e06315a88603e5ca24a2
Opcode Fuzzy Hash: da7d705327bb03ee573dfa1e22f83e9ee49b10a76c5bfdd2b8753866f874d52d
Instruction Fuzzy Hash: 1F618932A3830956FE38BD2C8C91BBE3385EFC1760F14091AE943DB2A5D6199E43B355

Function 00F97CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7e071aa2a03f615793990fa83e52f2274efffbe08240b07d8757bd682e0c60
Instruction ID: 6bdb95cb4d888eb89592313375e70b5201aeac2b6b9a00d46d98fefa5485b03f
Opcode Fuzzy Hash: cb7e071aa2a03f615793990fa83e52f2274efffbe08240b07d8757bd682e0c60
Instruction Fuzzy Hash: 41617972E2870997FE387A288C51BBF3384AF42764F14095BE843DB281DA16AD42B655

Function 00F91706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5f2865e29626974c676b8c34788d7fdd28c5ed34b4269c4e4cc79e0beb5ddefb
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: AE814F73A090A309FF6E427A853443EFFE16A923B131A07ADD4F2CA1C1EE249554F620

Function 00FE2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c26623695748c7a08a5edbfdb5a7feec561fcb65156b15d6300a58608f891d4
Instruction ID: e822489eee89d71f84cc9bc229a51331c4e04bffb2643a58a566774d91812934
Opcode Fuzzy Hash: 9c26623695748c7a08a5edbfdb5a7feec561fcb65156b15d6300a58608f891d4
Instruction Fuzzy Hash: 7921EB727205118BD728CE79C95367E73D9A754320F15862EF4A7C37C4DE3AA904D780

Function 00FF2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FF2B30
DeleteObject.GDI32(00000000), ref: 00FF2B43
DestroyWindow.USER32 ref: 00FF2B52
GetDesktopWindow.USER32 ref: 00FF2B6D
GetWindowRect.USER32(00000000), ref: 00FF2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FF2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FF2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2CF8
GetClientRect.USER32(00000000,?), ref: 00FF2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FF2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2DA8
GlobalFree.KERNEL32(00000000), ref: 00FF2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0100FC38,00000000), ref: 00FF2DDB
GlobalFree.KERNEL32(00000000), ref: 00FF2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FF2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FF2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FF303F

Strings

DISPLAY, xrefs: 00FF2EA2
, xrefs: 00FF2FC5
static, xrefs: 00FF2D3A, 00FF2E91
AutoIt v3, xrefs: 00FF2CF2

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 06691151c2ec2bd98eaa71ccc45ca81594b95425a8869cf56e5023275592b319
Instruction ID: 0ea5969834a3fa56c97e4e71eb81f88ba9269ed8fe6dd525a0aa80b71cd6bb61
Opcode Fuzzy Hash: 06691151c2ec2bd98eaa71ccc45ca81594b95425a8869cf56e5023275592b319
Instruction Fuzzy Hash: DC02A271900208AFDB25DF64CD89EAE7BB9FF49710F048159F915AB2A4CB39ED01DB60

Function 010070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0100712F
GetSysColorBrush.USER32(0000000F), ref: 01007160
GetSysColor.USER32(0000000F), ref: 0100716C
SetBkColor.GDI32(?,000000FF), ref: 01007186
SelectObject.GDI32(?,?), ref: 01007195
InflateRect.USER32(?,000000FF,000000FF), ref: 010071C0
GetSysColor.USER32(00000010), ref: 010071C8
CreateSolidBrush.GDI32(00000000), ref: 010071CF
FrameRect.USER32(?,?,00000000), ref: 010071DE
DeleteObject.GDI32(00000000), ref: 010071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01007230
FillRect.USER32(?,?,?), ref: 01007262
GetWindowLongW.USER32(?,000000F0), ref: 01007284

Part of subcall function 010073E8: GetSysColor.USER32(00000012), ref: 01007421
Part of subcall function 010073E8: SetTextColor.GDI32(?,?), ref: 01007425
Part of subcall function 010073E8: GetSysColorBrush.USER32(0000000F), ref: 0100743B
Part of subcall function 010073E8: GetSysColor.USER32(0000000F), ref: 01007446
Part of subcall function 010073E8: GetSysColor.USER32(00000011), ref: 01007463
Part of subcall function 010073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01007471
Part of subcall function 010073E8: SelectObject.GDI32(?,00000000), ref: 01007482
Part of subcall function 010073E8: SetBkColor.GDI32(?,00000000), ref: 0100748B
Part of subcall function 010073E8: SelectObject.GDI32(?,?), ref: 01007498
Part of subcall function 010073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010074B7
Part of subcall function 010073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010074CE
Part of subcall function 010073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010074DB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8ff8de6eb7db287b49def7755478b550ef088dc286cbdf9390a5d45d2910dda6
Instruction ID: e50712f7458ee7b50549fbe347c2f881dbc50d50159845cf1c4ee6057732bfc8
Opcode Fuzzy Hash: 8ff8de6eb7db287b49def7755478b550ef088dc286cbdf9390a5d45d2910dda6
Instruction Fuzzy Hash: 9DA1AF72008301AFE7229F64DD48A9B7BE9FB49321F104B59FAE2961D0D73AE944CB51

Function 00F88D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00F88E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00FC6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FC6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FC6F43

Part of subcall function 00F88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F88BE8,?,00000000,?,?,?,?,00F88BBA,00000000,?), ref: 00F88FC5

SendMessageW.USER32(?,00001053), ref: 00FC6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FC6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00FC6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00FC6FB7

Strings

0, xrefs: 00FC6DCF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: dad7cbf000f55c1929eb33947e48b6739f2041de175a30e5fe55b4419f3b1470
Instruction ID: 9d124bbdd210b6c9835024f0c3f49cfe9d39d92e9041d3ea056fb07ffc9721ba
Opcode Fuzzy Hash: dad7cbf000f55c1929eb33947e48b6739f2041de175a30e5fe55b4419f3b1470
Instruction Fuzzy Hash: 1A12ED38A08202AFDB25DF14CA85FA5BBE1FB48321F54456DF485CB251CB36EC92EB51

Function 00FF2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FF273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FF286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FF28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FF28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FF2900
GetClientRect.USER32(00000000,?), ref: 00FF290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FF2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FF2964
GetStockObject.GDI32(00000011), ref: 00FF2974
SelectObject.GDI32(00000000,00000000), ref: 00FF2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FF2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FF2991
DeleteDC.GDI32(00000000), ref: 00FF299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FF29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FF29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FF2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FF2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FF2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FF2A77
GetStockObject.GDI32(00000011), ref: 00FF2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FF2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FF2A97

Strings

DISPLAY, xrefs: 00FF295A
static, xrefs: 00FF294F, 00FF2A71
AutoIt v3, xrefs: 00FF28F8
msctls_progress32, xrefs: 00FF2A13

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ead665769233cc88116ce04655d4670ef4fc31174793c2e4ca37dc60acb27498
Instruction ID: 382e432b4f19dfcb4e615b3b807a7ad6ee9a66a7499aa7c91bc99fd68a714a95
Opcode Fuzzy Hash: ead665769233cc88116ce04655d4670ef4fc31174793c2e4ca37dc60acb27498
Instruction Fuzzy Hash: 56B16FB5A40209AFEB24DF68CD85FAE7BA9EF08711F008255FA54E72D0D775AD40CB90

Function 00FE4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FE4AED
GetDriveTypeW.KERNEL32(?,0100CB68,?,\\.\,0100CC08), ref: 00FE4BCA
SetErrorMode.KERNEL32(00000000,0100CB68,?,\\.\,0100CC08), ref: 00FE4D36

Strings

ATA, xrefs: 00FE4C98
ATAPI, xrefs: 00FE4C91
SATA, xrefs: 00FE4CD0
Fixed, xrefs: 00FE4C09
USB, xrefs: 00FE4CB4
iSCSI, xrefs: 00FE4CC2
FileBackedVirtual, xrefs: 00FE4CEC
SSD, xrefs: 00FE4C4A
Network, xrefs: 00FE4C02
Fibre, xrefs: 00FE4CAD
SCSI, xrefs: 00FE4C8A
CDROM, xrefs: 00FE4BFB
MMC, xrefs: 00FE4CDE
Virtual, xrefs: 00FE4CE5
PhysicalDrive, xrefs: 00FE4B76
RAID, xrefs: 00FE4CBB
\\.\, xrefs: 00FE4B3F
Removable, xrefs: 00FE4C10, 00FE4C15
Unknown, xrefs: 00FE4BED, 00FE4C83
1394, xrefs: 00FE4C9F
SAS, xrefs: 00FE4CC9
RAMDisk, xrefs: 00FE4BF4
SSA, xrefs: 00FE4CA6

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ee3e2fe55576997a1ab7220f8f210f2108df8d3bdf46a3a20644686e82ab4826
Instruction ID: 08d3262e617effef0ba46ea6724fad3a7d7062293d5c93cbdb748b96472238b1
Opcode Fuzzy Hash: ee3e2fe55576997a1ab7220f8f210f2108df8d3bdf46a3a20644686e82ab4826
Instruction Fuzzy Hash: FC61F731A05145ABCB14EF1ACA81E6877B5AB85300B34802EF44A9F691DB36FE41FB42

Function 010073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01007421
SetTextColor.GDI32(?,?), ref: 01007425
GetSysColorBrush.USER32(0000000F), ref: 0100743B
GetSysColor.USER32(0000000F), ref: 01007446
CreateSolidBrush.GDI32(?), ref: 0100744B
GetSysColor.USER32(00000011), ref: 01007463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01007471
SelectObject.GDI32(?,00000000), ref: 01007482
SetBkColor.GDI32(?,00000000), ref: 0100748B
SelectObject.GDI32(?,?), ref: 01007498
InflateRect.USER32(?,000000FF,000000FF), ref: 010074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0100752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01007554
InflateRect.USER32(?,000000FD,000000FD), ref: 01007572
DrawFocusRect.USER32(?,?), ref: 0100757D
GetSysColor.USER32(00000011), ref: 0100758E
SetTextColor.GDI32(?,00000000), ref: 01007596
DrawTextW.USER32(?,010070F5,000000FF,?,00000000), ref: 010075A8
SelectObject.GDI32(?,?), ref: 010075BF
DeleteObject.GDI32(?), ref: 010075CA
SelectObject.GDI32(?,?), ref: 010075D0
DeleteObject.GDI32(?), ref: 010075D5
SetTextColor.GDI32(?,?), ref: 010075DB
SetBkColor.GDI32(?,?), ref: 010075E5

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0656cb38df83a842a8f1d1ee34b3b1e17e0a4c1447a8268d36f5110b6aeadd9e
Instruction ID: 202aeff075e775fd5ed29afb76242ae8fd7ca8ab4675313105ac1efaac1b6a11
Opcode Fuzzy Hash: 0656cb38df83a842a8f1d1ee34b3b1e17e0a4c1447a8268d36f5110b6aeadd9e
Instruction Fuzzy Hash: 45619371900218AFEF129FA4DC48EDE7FB9EB09321F114251FA51A72D1D77AA940CF90

Function 01000FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01001128
GetDesktopWindow.USER32 ref: 0100113D
GetWindowRect.USER32(00000000), ref: 01001144
GetWindowLongW.USER32(?,000000F0), ref: 01001199
DestroyWindow.USER32(?), ref: 010011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0100120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0100121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01001232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01001245
IsWindowVisible.USER32(00000000), ref: 010012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010012D0
GetWindowRect.USER32(00000000,?), ref: 010012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0100130E
GetMonitorInfoW.USER32(00000000,?), ref: 01001328
CopyRect.USER32(?,?), ref: 0100133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010013AA

Strings

(, xrefs: 0100131B
0, xrefs: 010010D3
tooltips_class32, xrefs: 010011E6

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 936d5ca130d70c02278e48653d6f132db5281025e9981c34ff68e4294afc563f
Instruction ID: fbe2e92396deb5323674bb04880ffcd7c61b6efccacf60d1fbdb2aa591bb4d0f
Opcode Fuzzy Hash: 936d5ca130d70c02278e48653d6f132db5281025e9981c34ff68e4294afc563f
Instruction Fuzzy Hash: 0CB1AE71608341AFE715DF68C984BAEBBE4FF88310F008959F9D99B291C771E844CB92

Function 01000241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010002E5
_wcslen.LIBCMT ref: 0100031F
_wcslen.LIBCMT ref: 01000389
_wcslen.LIBCMT ref: 010003F1
_wcslen.LIBCMT ref: 01000475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010004C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01000504

Part of subcall function 00F8F9F2: _wcslen.LIBCMT ref: 00F8F9FD

Part of subcall function 00FD223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FD2258
Part of subcall function 00FD223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FD228A

Strings

FINDITEM, xrefs: 01000627
SELECT, xrefs: 01000548
SELECTCLEAR, xrefs: 0100052D
SELECTALL, xrefs: 01000515
DESELECT, xrefs: 0100059C
GETITEMCOUNT, xrefs: 01000316, 01000337
GETSUBITEMCOUNT, xrefs: 01000384, 0100039F
SELECTINVERT, xrefs: 0100057E
GETSELECTEDCOUNT, xrefs: 01000470, 0100048B
GETTEXT, xrefs: 010003EC, 01000407
ISSELECTED, xrefs: 010004DD
VIEWCHANGE, xrefs: 01000675
GETSELECTED, xrefs: 010005E1

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: ca823c50616c46e081d132bfedde04f1c94034ac13262bf35ebb647b33698635
Instruction ID: e55cc9429dc4348c51ff219d1771ab4ff72dd1244f68b4e45ed967841b2d64fa
Opcode Fuzzy Hash: ca823c50616c46e081d132bfedde04f1c94034ac13262bf35ebb647b33698635
Instruction Fuzzy Hash: 2EE1C1712082018FD716DF28C850A2EB7E6BFC8354F14859DF4D69B29ADB34ED45C752

Function 00F88891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F88968
GetSystemMetrics.USER32(00000007), ref: 00F88970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F8899B
GetSystemMetrics.USER32(00000008), ref: 00F889A3
GetSystemMetrics.USER32(00000004), ref: 00F889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F88A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F88A3C
GetClientRect.USER32(00000000,000000FF), ref: 00F88A5A
GetStockObject.GDI32(00000011), ref: 00F88A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F88A81

Part of subcall function 00F8912D: GetCursorPos.USER32(?), ref: 00F89141
Part of subcall function 00F8912D: ScreenToClient.USER32(00000000,?), ref: 00F8915E
Part of subcall function 00F8912D: GetAsyncKeyState.USER32(00000001), ref: 00F89183
Part of subcall function 00F8912D: GetAsyncKeyState.USER32(00000002), ref: 00F8919D

SetTimer.USER32(00000000,00000000,00000028,00F890FC), ref: 00F88AA8

Strings

AutoIt v3 GUI, xrefs: 00F88A20

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f1bd62d35dee9e8a28c950a4d6687fa612abb56277e9b89150e3d0d9e78ee711
Instruction ID: e2574a1ce133fb42669e19bcbb960c9f18034b82a2128cebd5dc34eb067e9d3e
Opcode Fuzzy Hash: f1bd62d35dee9e8a28c950a4d6687fa612abb56277e9b89150e3d0d9e78ee711
Instruction Fuzzy Hash: DEB19175A0020AAFEB14DF68C985BEE3BB4FB48314F104219FA45E72C4DB39E841DB51

Function 00FD0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FD1114
Part of subcall function 00FD10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1120
Part of subcall function 00FD10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD112F
Part of subcall function 00FD10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1136
Part of subcall function 00FD10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FD114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FD0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FD0E29
GetLengthSid.ADVAPI32(?), ref: 00FD0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00FD0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FD0E96
GetLengthSid.ADVAPI32(?), ref: 00FD0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FD0EB5
HeapAlloc.KERNEL32(00000000), ref: 00FD0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FD0EDD
CopySid.ADVAPI32(00000000), ref: 00FD0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FD0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FD0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FD0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0F6E
HeapFree.KERNEL32(00000000), ref: 00FD0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0F7E
HeapFree.KERNEL32(00000000), ref: 00FD0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD0F8E
HeapFree.KERNEL32(00000000), ref: 00FD0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00FD0FA1
HeapFree.KERNEL32(00000000), ref: 00FD0FA8

Part of subcall function 00FD1193: GetProcessHeap.KERNEL32(00000008,00FD0BB1,?,00000000,?,00FD0BB1,?), ref: 00FD11A1
Part of subcall function 00FD1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FD0BB1,?), ref: 00FD11A8
Part of subcall function 00FD1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FD0BB1,?), ref: 00FD11B7

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: eac67f74abb00232ffa9c12f6a721ec571386b2fcdbf5425f2f227e42c704567
Instruction ID: b129f95321b7e5cd1dbf1d3c9f7afae5ffbccb70088c611bc7456a8508cea52d
Opcode Fuzzy Hash: eac67f74abb00232ffa9c12f6a721ec571386b2fcdbf5425f2f227e42c704567
Instruction Fuzzy Hash: BC718F72D0420AABEF21DFA4DC48FEEBBB9FF05310F184256F955A6280DB359905DB60

Function 00FFC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FFC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0100CC08,00000000,?,00000000,?,?), ref: 00FFC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FFC5A4
_wcslen.LIBCMT ref: 00FFC5F4
_wcslen.LIBCMT ref: 00FFC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FFC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FFC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FFC84D
RegCloseKey.ADVAPI32(?), ref: 00FFC881
RegCloseKey.ADVAPI32(00000000), ref: 00FFC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FFC960

Strings

REG_EXPAND_SZ, xrefs: 00FFC5CD
REG_BINARY, xrefs: 00FFC913
REG_QWORD, xrefs: 00FFC8C3
REG_SZ, xrefs: 00FFC644
REG_DWORD, xrefs: 00FFC804
REG_MULTI_SZ, xrefs: 00FFC6F5

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 69a77eb341056e0f6858d0399a5fe610a972ca0ef7d897e6149b50dc2ba60b4b
Instruction ID: e673ec03041dbdb93c889484f1ef86d7661b17050c840f409e93a751c7a4c315
Opcode Fuzzy Hash: 69a77eb341056e0f6858d0399a5fe610a972ca0ef7d897e6149b50dc2ba60b4b
Instruction Fuzzy Hash: B2127A316042159FD714DF14C981E2AB7E5FF88724F18889DF98A9B3A2DB35EC41DB82

Function 0100091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010009C6
_wcslen.LIBCMT ref: 01000A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01000A54
_wcslen.LIBCMT ref: 01000A8A
_wcslen.LIBCMT ref: 01000B06
_wcslen.LIBCMT ref: 01000B81

Part of subcall function 00F8F9F2: _wcslen.LIBCMT ref: 00F8F9FD

Part of subcall function 00FD2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FD2BFA

Strings

COLLAPSE, xrefs: 01000B01, 01000B1C
SELECT, xrefs: 01000D11
GETTEXT, xrefs: 01000C97
GETITEMCOUNT, xrefs: 01000C1E
EXPAND, xrefs: 01000BF8
GETTOTALCOUNT, xrefs: 010009F2, 01000A17
ISCHECKED, xrefs: 01000CE1
CHECK, xrefs: 01000A85, 01000AA0
UNCHECK, xrefs: 01000D3E
GETSELECTED, xrefs: 01000C4E
EXISTS, xrefs: 01000B7C, 01000B97

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: a7ccf212f41bbf72852534fbf4997c9339557bd828f966cf06a59bfb7776db3c
Instruction ID: 7d95128c40f8ab9bdcce78d6962ded731f21699ee932cdcfdde0c483280cb30f
Opcode Fuzzy Hash: a7ccf212f41bbf72852534fbf4997c9339557bd828f966cf06a59bfb7776db3c
Instruction Fuzzy Hash: CDE17A312087018FD715EF28C850A2AB7E1BF89354F04899DF8D99B3A6DB35ED45CB92

Function 00FFC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFB6AE,?,?), ref: 00FFC9B5
_wcslen.LIBCMT ref: 00FFC9F1
_wcslen.LIBCMT ref: 00FFCA68
_wcslen.LIBCMT ref: 00FFCA9E
_wcslen.LIBCMT ref: 00FFCAF9
_wcslen.LIBCMT ref: 00FFCB2F
_wcslen.LIBCMT ref: 00FFCB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 00FFCB79, 00FFCB7E
HKEY_CURRENT_USER, xrefs: 00FFCBBD
HKCU, xrefs: 00FFCBCE
HKCC, xrefs: 00FFCBAC
HKU, xrefs: 00FFCBF0
HKCR, xrefs: 00FFCB29, 00FFCB2E
HKEY_USERS, xrefs: 00FFCBDF
HKEY_LOCAL_MACHINE, xrefs: 00FFCA62, 00FFCA67
HKLM, xrefs: 00FFCA98, 00FFCA9D
HKEY_CLASSES_ROOT, xrefs: 00FFCAF3, 00FFCAF8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: d82fb17a7931b435e014b01657bea904ecb1e7a10eb0083176f630772fb9c1b2
Instruction ID: bfdf2df5611468ce7429f3eb1ed2d85172e52f1b3fcb0144fedd9ff897504e13
Opcode Fuzzy Hash: d82fb17a7931b435e014b01657bea904ecb1e7a10eb0083176f630772fb9c1b2
Instruction Fuzzy Hash: DB71E433E0017E8BCB20DE78CE516BA3395AFA0B64B214514FA56972A4E639DD45F3E0

Function 0100833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0100835A
_wcslen.LIBCMT ref: 0100836E
_wcslen.LIBCMT ref: 01008391
_wcslen.LIBCMT ref: 010083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01005BF2), ref: 0100844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01008487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01008501
FreeLibrary.KERNEL32(?), ref: 0100850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0100851D
DestroyIcon.USER32(?,?,?,?,?,01005BF2), ref: 0100852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01008549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01008555

Strings

.exe, xrefs: 01008388
.icl, xrefs: 01008368
.dll, xrefs: 010083AB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 9bd5b601d67a023240763ca076e9c8e52e612cadc099e6b45772a64bb4a04ee1
Instruction ID: a559f8ba8fc736c060d171863d60314bc34e71b161f396dd4c734bd793082c37
Opcode Fuzzy Hash: 9bd5b601d67a023240763ca076e9c8e52e612cadc099e6b45772a64bb4a04ee1
Instruction Fuzzy Hash: BC610271900208BAFB26CF64CC41FBE77A8BB08721F10824AF995D60D1DB79A980D7A0

Function 00F77778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00F77817
Unterminated group of comments, xrefs: 00FB528C
#include, xrefs: 00F77847
#cs, xrefs: 00F77873, 00F778C5
#comments-end, xrefs: 00F778D9
Cannot parse #include, xrefs: 00FB5279
#pragma compile, xrefs: 00F777D3
#include-once, xrefs: 00F7782F
', xrefs: 00FB5169
Bad directive syntax error, xrefs: 00FB519A
#requireadmin, xrefs: 00F777FF
#notrayicon, xrefs: 00F777E7
", xrefs: 00FB5153
#ce, xrefs: 00F778ED
#comments-start, xrefs: 00F7785F, 00F778B1

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 0b52cc36bf2143e846a6f9418b157b43165b90be8874c12dc000fc670d0d0fd7
Instruction ID: deee18ce3b2575aadec45a7db5677ed031f328fbdd0ee1a893cc0b275985314f
Opcode Fuzzy Hash: 0b52cc36bf2143e846a6f9418b157b43165b90be8874c12dc000fc670d0d0fd7
Instruction Fuzzy Hash: 8E812C71A14305BBEF25BF65CC42FEE3764AF15740F048025F8086A192EB78D912FB92

Function 00FE3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FE3EF8
_wcslen.LIBCMT ref: 00FE3F03
_wcslen.LIBCMT ref: 00FE3F5A
_wcslen.LIBCMT ref: 00FE3F98
GetDriveTypeW.KERNEL32(?), ref: 00FE3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FE401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FE4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FE4087

Strings

type cdaudio alias cd wait, xrefs: 00FE4001
close cd wait, xrefs: 00FE4072
close, xrefs: 00FE3EFE, 00FE3F18
open, xrefs: 00FE3F54, 00FE3F59
wait, xrefs: 00FE4044
closed, xrefs: 00FE3F08, 00FE3F2D, 00FE3F46, 00FE3F7E, 00FE3F97
set cd door , xrefs: 00FE4028
open , xrefs: 00FE3FE5

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 63b979ece7c47d21d4f01f79e8bf2266066b33a00bf9305c20d479219bcd0505
Instruction ID: f1b450871679a4cc7b8360ff3da6b85afb2464e08671b9b5f281eccf4e701488
Opcode Fuzzy Hash: 63b979ece7c47d21d4f01f79e8bf2266066b33a00bf9305c20d479219bcd0505
Instruction Fuzzy Hash: 29710232A042419FC710EF25C88086AB7F4FF94764F00892DF99A97251EB35EE45EB92

Function 00FD5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00FD5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FD5A40
SetWindowTextW.USER32(?,?), ref: 00FD5A57
GetDlgItem.USER32(?,000003EA), ref: 00FD5A6C
SetWindowTextW.USER32(00000000,?), ref: 00FD5A72
GetDlgItem.USER32(?,000003E9), ref: 00FD5A82
SetWindowTextW.USER32(00000000,?), ref: 00FD5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FD5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FD5AC3
GetWindowRect.USER32(?,?), ref: 00FD5ACC
_wcslen.LIBCMT ref: 00FD5B33
SetWindowTextW.USER32(?,?), ref: 00FD5B6F
GetDesktopWindow.USER32 ref: 00FD5B75
GetWindowRect.USER32(00000000), ref: 00FD5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00FD5BD3
GetClientRect.USER32(?,?), ref: 00FD5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00FD5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FD5C2F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 2893c3da59059d3d838170107846ba2b4136972cab47e031754d1228d8801557
Instruction ID: a82119c07b93bd1a074d856dd13585032107637faf43d0f80a002cf30cbea47b
Opcode Fuzzy Hash: 2893c3da59059d3d838170107846ba2b4136972cab47e031754d1228d8801557
Instruction Fuzzy Hash: A3718031900B05AFDB31DFA8CE85B6EBBF6FF48B14F14461AE182A2690D775E940DB10

Function 00FEFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00FEFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00FEFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00FEFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00FEFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00FEFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00FEFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00FEFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00FEFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00FEFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00FEFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00FEFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00FEFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00FEFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00FEFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00FEFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00FEFECC
GetCursorInfo.USER32(?), ref: 00FEFEDC
GetLastError.KERNEL32 ref: 00FEFF1E

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9f23101d4cfa4e8e185e18314ffccb0934e41ef44c8cec73862e3e0490041363
Instruction ID: b2ba9178c0f203712a7be4bbcfb1f57686010116f0c69a45e1d0c656e34a05d5
Opcode Fuzzy Hash: 9f23101d4cfa4e8e185e18314ffccb0934e41ef44c8cec73862e3e0490041363
Instruction Fuzzy Hash: A0415570D043596ADB109FB68C85C5EBFE8FF04364B50466AF11DE7281DB789901CF91

Function 00F900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F900C6

Part of subcall function 00F900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0104070C,00000FA0,AB6AB5AB,?,?,?,?,00FB23B3,000000FF), ref: 00F9011C
Part of subcall function 00F900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00FB23B3,000000FF), ref: 00F90127
Part of subcall function 00F900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00FB23B3,000000FF), ref: 00F90138
Part of subcall function 00F900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F9014E
Part of subcall function 00F900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F9015C
Part of subcall function 00F900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F9016A
Part of subcall function 00F900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F90195
Part of subcall function 00F900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F901A0

___scrt_fastfail.LIBCMT ref: 00F900E7

Part of subcall function 00F900A3: __onexit.LIBCMT ref: 00F900A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F90122
SleepConditionVariableCS, xrefs: 00F90154
WakeAllConditionVariable, xrefs: 00F90162
InitializeConditionVariable, xrefs: 00F90148
kernel32.dll, xrefs: 00F90133

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b9eeea45b3e2d574ad1f6370f265cf6ebdab5d4a1ac3e937eb49d173a4a9b88c
Instruction ID: 167994b1509e2777441de1682cbe9f37fcd5d478066220c1d66d1952d281eefa
Opcode Fuzzy Hash: b9eeea45b3e2d574ad1f6370f265cf6ebdab5d4a1ac3e937eb49d173a4a9b88c
Instruction Fuzzy Hash: FD213E32E457116FFB326BA5AD45BA93394EB05B61F00017FF981E7284DF798C40AB51

Function 00FD30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FD318D
_wcslen.LIBCMT ref: 00FD31F8

Strings

TEXT, xrefs: 00FD347C
REGEXPCLASS, xrefs: 00FD3255, 00FD3266
CLASSNN, xrefs: 00FD31F3, 00FD3204
INSTANCE, xrefs: 00FD3453
CLASS, xrefs: 00FD3188, 00FD31A5
NAME, xrefs: 00FD3335, 00FD3346

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 3e8a369590cc102ccd4dfb247ed3474ea1f199aef191cd87b5440ee5f3bd232f
Instruction ID: cf09654875d3ccf2dbf5884a4b46ba4a95bfbfac3385dda559cd3bb85b1a5af4
Opcode Fuzzy Hash: 3e8a369590cc102ccd4dfb247ed3474ea1f199aef191cd87b5440ee5f3bd232f
Instruction Fuzzy Hash: 21E1F632E001169BCF18DF64C8517EDB7B6BF54720F18821BE656E7340DB34AE45AB91

Function 00FE44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0100CC08), ref: 00FE4527
_wcslen.LIBCMT ref: 00FE453B
_wcslen.LIBCMT ref: 00FE4599
_wcslen.LIBCMT ref: 00FE45F4
_wcslen.LIBCMT ref: 00FE463F
_wcslen.LIBCMT ref: 00FE46A7

Part of subcall function 00F8F9F2: _wcslen.LIBCMT ref: 00F8F9FD

GetDriveTypeW.KERNEL32(?,01036BF0,00000061), ref: 00FE4743

Strings

all, xrefs: 00FE4531, 00FE4536
removable, xrefs: 00FE45EA, 00FE45EF
fixed, xrefs: 00FE4635, 00FE463A
cdrom, xrefs: 00FE458F, 00FE4594
ramdisk, xrefs: 00FE46F1
network, xrefs: 00FE469D, 00FE46A2
unknown, xrefs: 00FE4708

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: d9f49dd2ac860c2c4345350e186dc8939e5c52cf137144bf86e1675c8ee94080
Instruction ID: 82672d5bef72e1d4809868ce836f1479dc74a9b0495b20cab85b754e46ed9ab1
Opcode Fuzzy Hash: d9f49dd2ac860c2c4345350e186dc8939e5c52cf137144bf86e1675c8ee94080
Instruction Fuzzy Hash: D8B10331A083429FC710DF2AC890A6AF7E5BFE5720F50891DF49AC7291D734E945EB92

Function 00FF3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0100CC08), ref: 00FF40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FF40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0100CC08), ref: 00FF40F2
FreeLibrary.KERNEL32(00000000,?,0100CC08), ref: 00FF413E
StringFromGUID2.OLE32(?,?,00000028,?,0100CC08), ref: 00FF41A8
SysFreeString.OLEAUT32(00000009), ref: 00FF4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FF42C8
SysFreeString.OLEAUT32(?), ref: 00FF42F2

Strings

GetModuleHandleExW, xrefs: 00FF40C7
kernel32.dll, xrefs: 00FF40B6

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 73993216a36eff8836fd49de68addcf294fedd22633584a6fafaea6a0c70077f
Instruction ID: 54a24883e4411c015b33a39af2b2db9a529effe632593d2698e2283e1a12cd6a
Opcode Fuzzy Hash: 73993216a36eff8836fd49de68addcf294fedd22633584a6fafaea6a0c70077f
Instruction Fuzzy Hash: FF124A75A00109EFDB15DF94C884EBEBBB5FF45314F248098EA05AB261DB31ED42DBA0

Function 00F7326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01041990), ref: 00FB2F8D
GetMenuItemCount.USER32(01041990), ref: 00FB303D
GetCursorPos.USER32(?), ref: 00FB3081
SetForegroundWindow.USER32(00000000), ref: 00FB308A
TrackPopupMenuEx.USER32(01041990,00000000,?,00000000,00000000,00000000), ref: 00FB309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FB30A9

Strings

0, xrefs: 00F7327D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 6372e75735a37525c93b721405a862ac8a357c3b4bd28ce1fcc33484ad6f0a4f
Instruction ID: 58a285850b9b8d2104cbda9af7b6131aab209514e1247a0d19f11b29b79e7390
Opcode Fuzzy Hash: 6372e75735a37525c93b721405a862ac8a357c3b4bd28ce1fcc33484ad6f0a4f
Instruction Fuzzy Hash: 7C710471A44205BEFB219F26CC89FEABF65FF04364F204206F5286A1D1C7B6A950EB51

Function 01006CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 01006DEB

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01006E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01006E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01006E94
DestroyWindow.USER32(?), ref: 01006EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F70000,00000000), ref: 01006EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01006EFD
GetDesktopWindow.USER32 ref: 01006F16
GetWindowRect.USER32(00000000), ref: 01006F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01006F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01006F4D

Part of subcall function 00F89944: GetWindowLongW.USER32(?,000000EB), ref: 00F89952

Strings

tooltips_class32, xrefs: 01006E58, 01006EDD
0, xrefs: 01006D98

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: d281f541dd8155dbbb605251bbef1a8f000c1204fda9652bbf11ed9fd98bfd8f
Instruction ID: c8a940536c2514f6a887f7de2a6c68e00eb4e364ef990b6f6fe323ff4bbafbd1
Opcode Fuzzy Hash: d281f541dd8155dbbb605251bbef1a8f000c1204fda9652bbf11ed9fd98bfd8f
Instruction Fuzzy Hash: 0B717C74104344AFEB22CF1CC844E7ABBEAFB89304F44055DFAC9872A1C776A955CB12

Function 0100911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

DragQueryPoint.SHELL32(?,?), ref: 01009147

Part of subcall function 01007674: ClientToScreen.USER32(?,?), ref: 0100769A
Part of subcall function 01007674: GetWindowRect.USER32(?,?), ref: 01007710
Part of subcall function 01007674: PtInRect.USER32(?,?,01008B89), ref: 01007720

SendMessageW.USER32(?,000000B0,?,?), ref: 010091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01009225
SendMessageW.USER32(?,000000B0,?,?), ref: 0100923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01009255
SendMessageW.USER32(?,000000B1,?,?), ref: 01009277
DragFinish.SHELL32(?), ref: 0100927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01009371

Strings

@GUI_DRAGFILE, xrefs: 01009320
@GUI_DROPID, xrefs: 0100929E
@GUI_DRAGID, xrefs: 010092E9

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 80518b425f25ae7f79b9a6f90b8ee1188b02036e8808f102c688f546781f4498
Instruction ID: 266bf5a27e44dfc5b72c9b54b437e0519a119e39f236ebeefb49728c31a44a0e
Opcode Fuzzy Hash: 80518b425f25ae7f79b9a6f90b8ee1188b02036e8808f102c688f546781f4498
Instruction Fuzzy Hash: F8618971108301AFE712DF64DC85DAFBBE8EFC8350F004A1EF599921A1DB75AA49CB52

Function 00FEC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FEC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FEC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FEC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FEC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FEC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FEC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FEC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FEC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FEC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FEC5F0
InternetCloseHandle.WININET(00000000), ref: 00FEC5FB

Strings

, xrefs: 00FEC575

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a9d4dbd9a246ecbaeb4abd10ab7ec37a20e1133f681a3364163da410d88590df
Instruction ID: d257ea8156787afb734d5a6b2b7cf3400a8f729cdbba366c641c25eaca8c908f
Opcode Fuzzy Hash: a9d4dbd9a246ecbaeb4abd10ab7ec37a20e1133f681a3364163da410d88590df
Instruction Fuzzy Hash: DF5160B1500344BFEB229F62C948AAB7BFCFF04754F04451AF986D6240DB35EA45EBA0

Function 0100856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 01008592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010085F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0100FC38,?), ref: 01008611
GlobalFree.KERNEL32(00000000), ref: 01008621
GetObjectW.GDI32(?,00000018,?), ref: 01008641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01008671
DeleteObject.GDI32(?), ref: 01008699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010086AF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 6d1eeec2bc5fcf6ad185705d0918ef15bc0c28d54cc165c90a52d0fe0d72f808
Instruction ID: 5e9c529a8e605db48a78a9e05393a0daa4a525846907c9cae11137c499cae22a
Opcode Fuzzy Hash: 6d1eeec2bc5fcf6ad185705d0918ef15bc0c28d54cc165c90a52d0fe0d72f808
Instruction Fuzzy Hash: F1412C75600204AFEB229F69CD48EAE7BB8FF89711F108199F949E7290D7759901CB60

Function 00FE14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FE1502
VariantCopy.OLEAUT32(?,?), ref: 00FE150B
VariantClear.OLEAUT32(?), ref: 00FE1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FE15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00FE1657
VariantInit.OLEAUT32(?), ref: 00FE1708
SysFreeString.OLEAUT32(?), ref: 00FE178C
VariantClear.OLEAUT32(?), ref: 00FE17D8
VariantClear.OLEAUT32(?), ref: 00FE17E7
VariantInit.OLEAUT32(00000000), ref: 00FE1823

Strings

Default, xrefs: 00FE16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00FE1625

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: f54ddced1a168dae94df0e394a873cb08864f9d4a088aa91aa3ec9e90e21b3cf
Instruction ID: f00f56b06129898830b283076c1e1ce798d379e5d45bf5b65ed4a6ecfe3f43c2
Opcode Fuzzy Hash: f54ddced1a168dae94df0e394a873cb08864f9d4a088aa91aa3ec9e90e21b3cf
Instruction Fuzzy Hash: 6FD12332A00245EBDB10AF67D884BBDB7B5BF45700F18815AF846AB184DB38DC44FB62

Function 00FFB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFB6AE,?,?), ref: 00FFC9B5
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFC9F1
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA68
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FFB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FFB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00FFB80A
RegCloseKey.ADVAPI32(?), ref: 00FFB87E
RegCloseKey.ADVAPI32(?), ref: 00FFB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FFB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FFB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00FFB922
FreeLibrary.KERNEL32(00000000), ref: 00FFB983
RegCloseKey.ADVAPI32(00000000), ref: 00FFB994

Strings

RegDeleteKeyExW, xrefs: 00FFB8FE
advapi32.dll, xrefs: 00FFB8ED

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6cd4c6c8d227b7e7ce4386a64d4563257710544024334547ed90af47526a6391
Instruction ID: 4cd84cead33883138351e6a6d27562547cafd6ee34cbc1fa36962e4b025ddee8
Opcode Fuzzy Hash: 6cd4c6c8d227b7e7ce4386a64d4563257710544024334547ed90af47526a6391
Instruction Fuzzy Hash: CDC1B031608205AFD720DF14C894F2ABBE5FF85314F14859CF59A8B2A2CB75EC45DB92

Function 00FF255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FF25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FF25E8
CreateCompatibleDC.GDI32(?), ref: 00FF25F4
SelectObject.GDI32(00000000,?), ref: 00FF2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FF266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FF26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FF26D0
SelectObject.GDI32(?,?), ref: 00FF26D8
DeleteObject.GDI32(?), ref: 00FF26E1
DeleteDC.GDI32(?), ref: 00FF26E8
ReleaseDC.USER32(00000000,?), ref: 00FF26F3

Strings

(, xrefs: 00FF268D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 9e12e17c3644672f5743351a3e65570e311a7945a82fccfcac50dfecb87227a7
Instruction ID: 64df6314cb0c51b88cb5fa7aeb3ef34da7a0db1131c193bbab45189623907a2b
Opcode Fuzzy Hash: 9e12e17c3644672f5743351a3e65570e311a7945a82fccfcac50dfecb87227a7
Instruction Fuzzy Hash: 35612276D00209EFDF15CFA8C984AAEBBB5FF48310F208569EA55A7250D335A941DFA0

Function 00FADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FADAA1

Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD659
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD66B
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD67D
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD68F
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6A1
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6B3
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6C5
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6D7
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6E9
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD6FB
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD70D
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD71F
Part of subcall function 00FAD63C: _free.LIBCMT ref: 00FAD731

_free.LIBCMT ref: 00FADA96

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FADAB8
_free.LIBCMT ref: 00FADACD
_free.LIBCMT ref: 00FADAD8
_free.LIBCMT ref: 00FADAFA
_free.LIBCMT ref: 00FADB0D
_free.LIBCMT ref: 00FADB1B
_free.LIBCMT ref: 00FADB26
_free.LIBCMT ref: 00FADB5E
_free.LIBCMT ref: 00FADB65
_free.LIBCMT ref: 00FADB82
_free.LIBCMT ref: 00FADB9A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: dc9655cab850734c0fa3e55d25d0ad9a39ade7b786069801bea8e6393c26ea1b
Instruction ID: 9e910cf871c52b53ee218dc33460c4cd09699403a76eadbe9f58eb965e41f583
Opcode Fuzzy Hash: dc9655cab850734c0fa3e55d25d0ad9a39ade7b786069801bea8e6393c26ea1b
Instruction Fuzzy Hash: 5D316BB1A043049FEBA1AA3CEC45B5B77E8FF46760F114419E48AD7592DF38AC40B721

Function 00FD365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FD369C
_wcslen.LIBCMT ref: 00FD36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FD3797
GetClassNameW.USER32(?,?,00000400), ref: 00FD380C
GetDlgCtrlID.USER32(?), ref: 00FD385D
GetWindowRect.USER32(?,?), ref: 00FD3882
GetParent.USER32(?), ref: 00FD38A0
ScreenToClient.USER32(00000000), ref: 00FD38A7
GetClassNameW.USER32(?,?,00000100), ref: 00FD3921
GetWindowTextW.USER32(?,?,00000400), ref: 00FD395D

Strings

%s%u, xrefs: 00FD3734

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 910dbacd8234b3126bede6f459b7a22af6cd30121e4c41cdc7c077805d57243a
Instruction ID: 490979da574b8504f45267a022fc4b3add9a474da7dcbcbfe5b7eeff3041dc2e
Opcode Fuzzy Hash: 910dbacd8234b3126bede6f459b7a22af6cd30121e4c41cdc7c077805d57243a
Instruction Fuzzy Hash: C3910C71604706AFD715DF24C894FAAF79AFF44350F04462AFA99C2280DB34EA45DB93

Function 00FD4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00FD4994
GetWindowTextW.USER32(?,?,00000400), ref: 00FD49DA
_wcslen.LIBCMT ref: 00FD49EB
CharUpperBuffW.USER32(?,00000000), ref: 00FD49F7
_wcsstr.LIBVCRUNTIME ref: 00FD4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00FD4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00FD4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00FD4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00FD4B20
GetWindowRect.USER32(?,?), ref: 00FD4B8B

Strings

ThumbnailClass, xrefs: 00FD4A6F, 00FD4AF1

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 0ece2344f7063476113bb15f894aa21e1aa5d80a028ba131b6e9cb22a6b1be10
Instruction ID: 6bcd05db707bc4ba7a99fd4b888805f1bb23451075b9026fca368717a1ab397f
Opcode Fuzzy Hash: 0ece2344f7063476113bb15f894aa21e1aa5d80a028ba131b6e9cb22a6b1be10
Instruction Fuzzy Hash: 6291F1314082059FDB15DF10C985FAA77AAFF84324F08806BFD859A286DB34FD45EBA1

Function 01008D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 01008D5A
GetFocus.USER32 ref: 01008D6A
GetDlgCtrlID.USER32(00000000), ref: 01008D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01008E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 01008ECF
GetMenuItemCount.USER32(?), ref: 01008EEC
GetMenuItemID.USER32(?,00000000), ref: 01008EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 01008F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 01008F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01008FA1

Strings

0, xrefs: 01008E9F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 6ace144fc88f4161d5d77418d15ce2418a75483a7076d91d4c20d28c8c202427
Instruction ID: 1aa2bd9ae65a48a376ec24763e37f236e8b1d6db3fb56273376f1de8285537c1
Opcode Fuzzy Hash: 6ace144fc88f4161d5d77418d15ce2418a75483a7076d91d4c20d28c8c202427
Instruction Fuzzy Hash: 3D81A071904341AFF762DF28C884AAB7BE9FB88314F04469EFAC597281D775D940CB61

Function 00FDBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(01041990,000000FF,00000000,00000030), ref: 00FDBFAC
SetMenuItemInfoW.USER32(01041990,00000004,00000000,00000030), ref: 00FDBFE1
Sleep.KERNEL32(000001F4), ref: 00FDBFF3
GetMenuItemCount.USER32(?), ref: 00FDC039
GetMenuItemID.USER32(?,00000000), ref: 00FDC056
GetMenuItemID.USER32(?,-00000001), ref: 00FDC082
GetMenuItemID.USER32(?,?), ref: 00FDC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FDC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FDC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FDC145

Strings

0, xrefs: 00FDBF3D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: dff6d1e9228599ba395942361c5a380467daa194b91c84a068f7f8b261f93b65
Instruction ID: b9b47edd3db696c1536f7ce83c39a497f922486a1b2d628b3e8b911f84d3e4ec
Opcode Fuzzy Hash: dff6d1e9228599ba395942361c5a380467daa194b91c84a068f7f8b261f93b65
Instruction Fuzzy Hash: C461A3B1900256EFEF21CF64DD88AEE7B7AEB05354F084156E841E3381C736AD44EBA0

Function 00FDDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FDDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FDDC46
_wcslen.LIBCMT ref: 00FDDC50
_wcsstr.LIBVCRUNTIME ref: 00FDDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FDDCBC

Strings

%u.%u.%u.%u, xrefs: 00FDDD9A
\VarFileInfo\Translation, xrefs: 00FDDCB4
StringFileInfo\, xrefs: 00FDDC8F
04090000, xrefs: 00FDDCF2
DefaultLangCodepage, xrefs: 00FDDD1F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 4e2a9d475367dcc6e618b6de0acaf89fbb7675169b6abdcf923cf7f4ad5cf803
Instruction ID: 95846f03ab19462b0da0ac2f453ffe90a2cd0702b03f08cf778f61ea6de06f90
Opcode Fuzzy Hash: 4e2a9d475367dcc6e618b6de0acaf89fbb7675169b6abdcf923cf7f4ad5cf803
Instruction Fuzzy Hash: FB4134729402017AFF11A7759C07EFF376DEF55720F1401AEF900A6282EB799A01B7A4

Function 00FFCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FFCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FFCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FFCD48

Part of subcall function 00FFCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FFCCAA
Part of subcall function 00FFCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FFCCBD
Part of subcall function 00FFCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FFCCCF
Part of subcall function 00FFCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FFCD05
Part of subcall function 00FFCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FFCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FFCCF3

Strings

RegDeleteKeyExW, xrefs: 00FFCCC9
advapi32.dll, xrefs: 00FFCCB8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 9121df90f20457f8369e48def2d81c456f556535fae93bddbbdf0eabbacbed58
Instruction ID: e69dc123baa684c01769ff55d4ca89c938b0cbda5a7b2a6bcc432a0728d3fe53
Opcode Fuzzy Hash: 9121df90f20457f8369e48def2d81c456f556535fae93bddbbdf0eabbacbed58
Instruction Fuzzy Hash: 8A316B7190112CBBEB218B51DD88EFFBB7CEF46750F0001A5BA56E2254DA349A45EBE0

Function 00FE3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FE3D40
_wcslen.LIBCMT ref: 00FE3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FE3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FE3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00FE3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FE3E55
CloseHandle.KERNEL32(00000000), ref: 00FE3E60
CloseHandle.KERNEL32(00000000), ref: 00FE3E6B

Strings

:, xrefs: 00FE3D82
\??\%s, xrefs: 00FE3D5B
\, xrefs: 00FE3D77

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 969fbf678ac135dd7d5f4c341072836d91f4187ba038938b2f8ec8e8aaa575bd
Instruction ID: 4bca641407947885129b961b9dfbaaae5bd83c827384016ba44bb3f259d489ad
Opcode Fuzzy Hash: 969fbf678ac135dd7d5f4c341072836d91f4187ba038938b2f8ec8e8aaa575bd
Instruction Fuzzy Hash: CB31CF72900249ABEB319BA1DC4CFEB37BCEF88710F1041A5F549D6054EB7897449B24

Function 00FDE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FDE6B4

Part of subcall function 00F8E551: timeGetTime.WINMM(?,?,00FDE6D4), ref: 00F8E555

Sleep.KERNEL32(0000000A), ref: 00FDE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00FDE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FDE727
SetActiveWindow.USER32 ref: 00FDE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FDE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FDE773
Sleep.KERNEL32(000000FA), ref: 00FDE77E
IsWindow.USER32 ref: 00FDE78A
EndDialog.USER32(00000000), ref: 00FDE79B

Strings

BUTTON, xrefs: 00FDE719

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a0111c843549869495b77b98007955e340b6325857a4e8ddfbb9a6ab99afe8c3
Instruction ID: ea2e45dec02e32767d2f6d179905453a64135d9ea332b6f06ef4bc077d0ad59b
Opcode Fuzzy Hash: a0111c843549869495b77b98007955e340b6325857a4e8ddfbb9a6ab99afe8c3
Instruction Fuzzy Hash: 0521D7F8300204AFFB316F20EEC9A363B6AF758349F080566F49585285DB7FAC10AB11

Function 00FDE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FDEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FDEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FDEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FDEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FDEAA7

Strings

close PlayMe, xrefs: 00FDEA6E, 00FDEA9B
status PlayMe mode, xrefs: 00FDEA58
play PlayMe wait, xrefs: 00FDEA91
play PlayMe, xrefs: 00FDEAA2
alias PlayMe, xrefs: 00FDEA36
open , xrefs: 00FDEA0C

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: de484d3004d9721f47ec8a1bd45a6246590a7784de888e3d8330d8affae9c494
Instruction ID: c94f826adf72bde845f4cff8ff5ce48752eeb04c3d7fc705338eda6e279543bb
Opcode Fuzzy Hash: de484d3004d9721f47ec8a1bd45a6246590a7784de888e3d8330d8affae9c494
Instruction Fuzzy Hash: D411A331A9021A79D720F7A2DC4ADFF7A7CEBD2B10F04042B7455AA0D0EEA51A05D5B1

Function 00FD9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FDA012
SetKeyboardState.USER32(?), ref: 00FDA07D
GetAsyncKeyState.USER32(000000A0), ref: 00FDA09D
GetKeyState.USER32(000000A0), ref: 00FDA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00FDA0E3
GetKeyState.USER32(000000A1), ref: 00FDA0F4
GetAsyncKeyState.USER32(00000011), ref: 00FDA120
GetKeyState.USER32(00000011), ref: 00FDA12E
GetAsyncKeyState.USER32(00000012), ref: 00FDA157
GetKeyState.USER32(00000012), ref: 00FDA165
GetAsyncKeyState.USER32(0000005B), ref: 00FDA18E
GetKeyState.USER32(0000005B), ref: 00FDA19C

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8a381f32d59dec9fd6b1b43baf1f9e15534a75530fc405ba773ae55b8bca0b6b
Instruction ID: c18467f6f99dd2281c3c1e97a637afb46fad0da5a5ac6136ca8677d654b2da66
Opcode Fuzzy Hash: 8a381f32d59dec9fd6b1b43baf1f9e15534a75530fc405ba773ae55b8bca0b6b
Instruction Fuzzy Hash: 0651FC30D0878429FB35EBB048157EABFB65F12350F0C459BD5C1573C2DA94AA4CDB66

Function 00FD5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FD5CE2
GetWindowRect.USER32(00000000,?), ref: 00FD5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00FD5D59
GetDlgItem.USER32(?,00000002), ref: 00FD5D69
GetWindowRect.USER32(00000000,?), ref: 00FD5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00FD5DCF
GetDlgItem.USER32(?,000003E9), ref: 00FD5DDD
GetWindowRect.USER32(00000000,?), ref: 00FD5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00FD5E31
GetDlgItem.USER32(?,000003EA), ref: 00FD5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FD5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00FD5E67

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: bb428952186a70cf942b435a4c1a74b05a1e492f90addf483508cac92592a09d
Instruction ID: 160090ccc58d3016af40f4444b752ab664a0fc334a7839032b9448f969e47d3b
Opcode Fuzzy Hash: bb428952186a70cf942b435a4c1a74b05a1e492f90addf483508cac92592a09d
Instruction Fuzzy Hash: E0512F71E00605AFDF19DF68CD89AAE7BB6FB48710F148229F515E7294D774AE00CB60

Function 00F88BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F88F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F88BE8,?,00000000,?,?,?,?,00F88BBA,00000000,?), ref: 00F88FC5

DestroyWindow.USER32(?), ref: 00F88C81
KillTimer.USER32(00000000,?,?,?,?,00F88BBA,00000000,?), ref: 00F88D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00FC6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F88BBA,00000000,?), ref: 00FC69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F88BBA,00000000,?), ref: 00FC69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F88BBA,00000000), ref: 00FC69D4
DeleteObject.GDI32(00000000), ref: 00FC69E6

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 5e8466b673aa760c6ec00d21442e4a4ba45fe15792322b405403d9898924b043
Instruction ID: 64901c6d5a3774b3faa8e6a7b8ddcffedb8b3e1ad572b3a72e1ecaf13f0b1d2c
Opcode Fuzzy Hash: 5e8466b673aa760c6ec00d21442e4a4ba45fe15792322b405403d9898924b043
Instruction Fuzzy Hash: 2561BD75901601EFEB36AF14DB89BA577B1FB41362F50451CE08296998CB3ABC82EB50

Function 00F89838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00F89944: GetWindowLongW.USER32(?,000000EB), ref: 00F89952

GetSysColor.USER32(0000000F), ref: 00F89862

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0d38bc1e92591be96767fab967cb4afde3c61a4c5955b11a9e3a13f6a9656095
Instruction ID: 53717fdb22396c96bdf66b2b7df9e7e694899d6a06b811dcf37d3deba6bb6d1b
Opcode Fuzzy Hash: 0d38bc1e92591be96767fab967cb4afde3c61a4c5955b11a9e3a13f6a9656095
Instruction Fuzzy Hash: 9A41C131508641AFEB316F389988BF93BA5AB06331F5C4649F9E2871D5C7769C42EB10

Function 00FD96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00FBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00FD9717
LoadStringW.USER32(00000000,?,00FBF7F8,00000001), ref: 00FD9720

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00FBF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00FD9742
LoadStringW.USER32(00000000,?,00FBF7F8,00000001), ref: 00FD9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00FD9866

Strings

^ ERROR, xrefs: 00FD97FB
Line %d:, xrefs: 00FD97A0
Error: , xrefs: 00FD981D
Line %d (File "%s"):, xrefs: 00FD978F
%s (%d) : ==> %s: %s %s, xrefs: 00FD984A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 1af28d2559143384209d171c9a74b2b01384e345f8825fd84ef9ceca8f6646d6
Instruction ID: e5c85986f37a6ec3baa28e4df0dd0e69f5adb465fa5e7abe8f1b0ab50bb661b4
Opcode Fuzzy Hash: 1af28d2559143384209d171c9a74b2b01384e345f8825fd84ef9ceca8f6646d6
Instruction Fuzzy Hash: 45417072804209BACF15FBE0CE42DEE7379AF55300F544066F20972192EB796F48EB62

Function 00FD06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FD07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FD07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FD07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FD0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00FD082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FD0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FD083C

Strings

SOFTWARE\Classes\, xrefs: 00FD070E
\CLSID, xrefs: 00FD0724
\IPC$, xrefs: 00FD0784

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 370d914434e5e9735bcca5cf2996586788d2ac3cea301431bde265fdda767a76
Instruction ID: 075f0a40ff4c38c1895d282c98277d740fd91021edbff621157a3330a89134a7
Opcode Fuzzy Hash: 370d914434e5e9735bcca5cf2996586788d2ac3cea301431bde265fdda767a76
Instruction Fuzzy Hash: E9414972C10228ABDF21EBA4DC85DEDB779FF44350F08816AF905A7161EB349E04EB91

Function 01003F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0100403B
CreateCompatibleDC.GDI32(00000000), ref: 01004042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01004055
SelectObject.GDI32(00000000,00000000), ref: 0100405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 01004068
DeleteDC.GDI32(00000000), ref: 01004072
GetWindowLongW.USER32(?,000000EC), ref: 0100407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 01004092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0100409E

Strings

static, xrefs: 01003FD3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 038e87d678c2230efb6a7e1f8dc603a4b642d96dd2a3984c5bb7131270fa23fa
Instruction ID: a38d653640f7bbf81a3c61c9375b72cd74bbc09b09ea2c406149d26da49f4fc7
Opcode Fuzzy Hash: 038e87d678c2230efb6a7e1f8dc603a4b642d96dd2a3984c5bb7131270fa23fa
Instruction Fuzzy Hash: 55312A31501215ABEB239F68DD04FDA3BA8EF0D320F110355FA98E61D0C776D8619B54

Function 00FF3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FF3C5C
CoInitialize.OLE32(00000000), ref: 00FF3C8A
CoUninitialize.OLE32 ref: 00FF3C94
_wcslen.LIBCMT ref: 00FF3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00FF3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FF3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FF3F0E
CoGetObject.OLE32(?,00000000,0100FB98,?), ref: 00FF3F2D
SetErrorMode.KERNEL32(00000000), ref: 00FF3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FF3FC4
VariantClear.OLEAUT32(?), ref: 00FF3FD8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: d8a8246f663751d31aaed187af7ea88c69660f1113fcbd7d4a85b6cd1faa1704
Instruction ID: e22b94e7e01a0327829b88b165c54a2bccbd650cea70d48055827c74ba1970ce
Opcode Fuzzy Hash: d8a8246f663751d31aaed187af7ea88c69660f1113fcbd7d4a85b6cd1faa1704
Instruction Fuzzy Hash: A1C178716083099FD700DF28C88492BB7E9FF89758F14495DFA8A9B260DB31EE05DB52

Function 00FE7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FE7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FE7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00FE7BA3
CoCreateInstance.OLE32(0100FD08,00000000,00000001,01036E6C,?), ref: 00FE7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FE7C74
CoTaskMemFree.OLE32(?,?), ref: 00FE7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00FE7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FE7D7A
CoTaskMemFree.OLE32(00000000), ref: 00FE7D81
CoTaskMemFree.OLE32(00000000), ref: 00FE7DD6
CoUninitialize.OLE32 ref: 00FE7DDC

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 010c16248bf85c1845bf53513c7fed54ba21d925c9882e981a909e82934cdf7f
Instruction ID: 4730c19904e0993a70d6ef89da67642d1b4b18330a442ce84943d34e0d122276
Opcode Fuzzy Hash: 010c16248bf85c1845bf53513c7fed54ba21d925c9882e981a909e82934cdf7f
Instruction Fuzzy Hash: C8C16A74A04249AFDB14DFA5C884DAEBBF9FF48314B148199E819DB261CB31EE41DB90

Function 0100541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01005504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01005515
CharNextW.USER32(00000158), ref: 01005544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01005585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0100559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010055AC

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 376eee25492959c27c00bd2b663799e0c590252d8623f92cee7635c37ff42a8b
Instruction ID: ba3b0dc33ed22fa89d5ce26b5b769bc52da95a3e8e4bfdfae0d764c659f2b5ca
Opcode Fuzzy Hash: 376eee25492959c27c00bd2b663799e0c590252d8623f92cee7635c37ff42a8b
Instruction Fuzzy Hash: 41617F75A00209ABFF228F54CC84DFE7BB9EB0A725F004185F6A5A72D0DB759A41CF60

Function 00FCFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FCFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00FCFB08
VariantInit.OLEAUT32(?), ref: 00FCFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FCFB3A
VariantCopy.OLEAUT32(?,?), ref: 00FCFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FCFBA1
VariantClear.OLEAUT32(?), ref: 00FCFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00FCFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FCFBCC
VariantClear.OLEAUT32(?), ref: 00FCFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FCFBE9

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 905977286eff648be361fea5e86e22ca78442b488019de6f1bc146d814e4ed74
Instruction ID: d8dde1c5f78ab6a2fe430ea0a714ee1f88c123d1813a7fc6325efa92465e4e72
Opcode Fuzzy Hash: 905977286eff648be361fea5e86e22ca78442b488019de6f1bc146d814e4ed74
Instruction Fuzzy Hash: 6041C231A0021A9FDB10DF64C945EEDBBB9FF48300F018069F846A7251CB39AD49DFA0

Function 00FD9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FD9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00FD9D22
GetKeyState.USER32(000000A0), ref: 00FD9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00FD9D57
GetKeyState.USER32(000000A1), ref: 00FD9D6C
GetAsyncKeyState.USER32(00000011), ref: 00FD9D84
GetKeyState.USER32(00000011), ref: 00FD9D96
GetAsyncKeyState.USER32(00000012), ref: 00FD9DAE
GetKeyState.USER32(00000012), ref: 00FD9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00FD9DD8
GetKeyState.USER32(0000005B), ref: 00FD9DEA

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a0d9f7776f602643ba383543b0a38026286839427507981f6aaa501278db3b7a
Instruction ID: 9a8d502887ebb6e6fc2cf398793521cbbc8ee3331f962152b22aa3144f3f32dc
Opcode Fuzzy Hash: a0d9f7776f602643ba383543b0a38026286839427507981f6aaa501278db3b7a
Instruction Fuzzy Hash: 0D41B534D087CA69FF3197A084043A5BEA36B11364F0C815BDAC6567C2DBE599C4E7A2

Function 00FF055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FF05BC
inet_addr.WSOCK32(?), ref: 00FF061C
gethostbyname.WSOCK32(?), ref: 00FF0628
IcmpCreateFile.IPHLPAPI ref: 00FF0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FF06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FF06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00FF07B9
WSACleanup.WSOCK32 ref: 00FF07BF

Strings

Ping, xrefs: 00FF0676

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 10bec5c8ebdeea61e7ddbb6091f707d5fb6f506c18eefd8504d69f39b3900813
Instruction ID: 8de95c10fa20c9fd603474b7052906a897ff9794f572150105cd2e916bdc3e66
Opcode Fuzzy Hash: 10bec5c8ebdeea61e7ddbb6091f707d5fb6f506c18eefd8504d69f39b3900813
Instruction Fuzzy Hash: EB91C0369082019FD720DF15C588F2ABBE0AF44328F1885A9F5698B6B2CB75EC41DF91

Function 00FF8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00FF8CF3

Part of subcall function 00FD8E54: _wcslen.LIBCMT ref: 00FD8E77

_wcslen.LIBCMT ref: 00FF8D4E
_wcslen.LIBCMT ref: 00FF8D9C
_wcslen.LIBCMT ref: 00FF8DDC
_wcslen.LIBCMT ref: 00FF8E6E

Strings

winapi, xrefs: 00FF8D96, 00FF8D9B
cdecl, xrefs: 00FF8D48, 00FF8D4D
none, xrefs: 00FF8E65, 00FF8E6A
stdcall, xrefs: 00FF8DD6, 00FF8DDB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 7b7f6d5ecf3f02e6dec432c7f5a362ebd552d4a97c3b8722d1a0d16fe869987f
Instruction ID: 751ce2a1ec0be60f4c707c8200589ae9afe4160e5eb9e12f2c3bfe9b5d4a368d
Opcode Fuzzy Hash: 7b7f6d5ecf3f02e6dec432c7f5a362ebd552d4a97c3b8722d1a0d16fe869987f
Instruction Fuzzy Hash: 7B51D432E0011A9BCF14DFA8CD419BEB7A5BF643A0B204219E656E72D4DB35DD42E790

Function 00FF372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00FF3774
CoUninitialize.OLE32 ref: 00FF377F
CoCreateInstance.OLE32(?,00000000,00000017,0100FB78,?), ref: 00FF37D9
IIDFromString.OLE32(?,?), ref: 00FF384C
VariantInit.OLEAUT32(?), ref: 00FF38E4
VariantClear.OLEAUT32(?), ref: 00FF3936

Strings

Failed to create object, xrefs: 00FF37E4, 00FF389A
NULL Pointer assignment, xrefs: 00FF381E
Invalid parameter, xrefs: 00FF3865

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 3e052fc6f9037fc9142be15a2c9e69d1e522acfa086dd385c6b2126877ac7318
Instruction ID: 3f07b7c695687184b9cd3ea52e8994d78ba3858ff55bc6308fd61cb1528acf03
Opcode Fuzzy Hash: 3e052fc6f9037fc9142be15a2c9e69d1e522acfa086dd385c6b2126877ac7318
Instruction Fuzzy Hash: 1561D472608305AFD311EF54C848F6AB7E8EF44750F10494DF6859B2A1D778EE48EB92

Function 00FE3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FE33CF

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FE33F0

Strings

Incorrect parameters to object property !, xrefs: 00FE34AB
Error: , xrefs: 00FE34D1
Line %d (File "%s"):, xrefs: 00FE3443, 00FE345C
^ ERROR , xrefs: 00FE349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00FE3504
"%s" (%d) : ==> %s:, xrefs: 00FE3522

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 6858ac5c59234d02147f51bc8a10be36ec9414e4ecef202f2597a6dd184f39a5
Instruction ID: 6485a1d62212a0af0ebc51373dcb3ea06b79f7aa591e6c8ea8be97e5f2833a50
Opcode Fuzzy Hash: 6858ac5c59234d02147f51bc8a10be36ec9414e4ecef202f2597a6dd184f39a5
Instruction Fuzzy Hash: AE518F7180020ABADF15EBA1CD46EEEB379AF14340F148166F50972152EB792F58EB62

Function 00FDB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FDB5FC
_wcslen.LIBCMT ref: 00FDB608
_wcslen.LIBCMT ref: 00FDB64D
_wcslen.LIBCMT ref: 00FDB68C
_wcslen.LIBCMT ref: 00FDB6C7

Strings

KEYS, xrefs: 00FDB647, 00FDB64C
REMOVE, xrefs: 00FDB602, 00FDB607
APPEND, xrefs: 00FDB6C1, 00FDB6C6
EXISTS, xrefs: 00FDB686, 00FDB68B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 077090573611d4fb4d68a3dd88dd9b69a9cd4e705fc026e85ea36f5700f47b07
Instruction ID: 41531e6afd400501e890162708735096aeef3fd47dba6f5f608fc1db24a86cee
Opcode Fuzzy Hash: 077090573611d4fb4d68a3dd88dd9b69a9cd4e705fc026e85ea36f5700f47b07
Instruction Fuzzy Hash: 9441C632E00026DBCB105F7DCC905BE77A6ABA5764B2A426BE461D7384E735CD81E790

Function 00FE5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FE53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FE5416
GetLastError.KERNEL32 ref: 00FE5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00FE54A7

Strings

NOTREADY, xrefs: 00FE544B
READY, xrefs: 00FE5460, 00FE5468
INVALID, xrefs: 00FE5459
UNKNOWN, xrefs: 00FE5444
READONLY, xrefs: 00FE5452

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 968649f969b294ca7b00c82e2ae909eb0f5d1cc2d0abf5c55d688b6f5203d104
Instruction ID: 4dba11ea384d58a9f86908e46a04f89b3c027743727d2610e0eca143917eac35
Opcode Fuzzy Hash: 968649f969b294ca7b00c82e2ae909eb0f5d1cc2d0abf5c55d688b6f5203d104
Instruction Fuzzy Hash: FC311035E002449FC711DF69C894BAABBF8FF44719F148056E405CB292D776EE82DBA1

Function 01003C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01003C79
SetMenu.USER32(?,00000000), ref: 01003C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01003D10
IsMenu.USER32(?), ref: 01003D24
CreatePopupMenu.USER32 ref: 01003D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01003D5B
DrawMenuBar.USER32 ref: 01003D63

Strings

0, xrefs: 01003C54
F, xrefs: 01003D4E

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 768b9ca589e66bd0acadbef6268e1ac8a23cb0080a4a71190c16f020cc549316
Instruction ID: 705319423b2b1e1afcc2d0c5d38bf5e1c7e7d1d0e72d42c135835a7221d7f3fc
Opcode Fuzzy Hash: 768b9ca589e66bd0acadbef6268e1ac8a23cb0080a4a71190c16f020cc549316
Instruction Fuzzy Hash: 9C419F79605209EFEB26DF54E984E9A7BF5FF49300F040169FA869B390D735A910CF50

Function 00FD1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00FD1F64
GetDlgCtrlID.USER32 ref: 00FD1F6F
GetParent.USER32 ref: 00FD1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FD1F8E
GetDlgCtrlID.USER32(?), ref: 00FD1F97
GetParent.USER32(?), ref: 00FD1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FD1FAE

Strings

ComboBox, xrefs: 00FD1EEC
ListBox, xrefs: 00FD1F21

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 39bfabb48522adede1eec8903f8b301a24ed8975148c2a49a63427460efa3f01
Instruction ID: 9bcb438bb3eb9e2ab2dae2d5acc6bf5983da8271b896b40ff6971fddfce0f530
Opcode Fuzzy Hash: 39bfabb48522adede1eec8903f8b301a24ed8975148c2a49a63427460efa3f01
Instruction Fuzzy Hash: 22210771E00114BBDF25AFA0CC45DEEBBB9FF09310F044246F99567291CB795914EB61

Function 00FD1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00FD2043
GetDlgCtrlID.USER32 ref: 00FD204E
GetParent.USER32 ref: 00FD206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FD206D
GetDlgCtrlID.USER32(?), ref: 00FD2076
GetParent.USER32(?), ref: 00FD208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FD208D

Strings

ComboBox, xrefs: 00FD1FCD
ListBox, xrefs: 00FD2002

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 2eb324d12c417ca7933d05ef53c515327e6398f2d098f3cb06901fe73de08f2f
Instruction ID: 438e823b6ed703cdb7b5aa69b4d8486c0db21c4e220ee0f99345272c3c8b49f5
Opcode Fuzzy Hash: 2eb324d12c417ca7933d05ef53c515327e6398f2d098f3cb06901fe73de08f2f
Instruction Fuzzy Hash: B7213571E00214BBDF21AFA0CC89EFEBBB9EF18300F044046F995A7291CB795914EB61

Function 01003A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01003A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01003AA0
GetWindowLongW.USER32(?,000000F0), ref: 01003AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01003AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01003B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01003BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01003BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01003BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01003BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01003C13

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 2c50d15b668bfe2527691c4083e35d2c30ad5d6ec4aefccae57167c42b5d5a6b
Instruction ID: 8e0dc1587eb4acbe25512789cd36aa2553d6cc9747f8facc6b7c72f44672d044
Opcode Fuzzy Hash: 2c50d15b668bfe2527691c4083e35d2c30ad5d6ec4aefccae57167c42b5d5a6b
Instruction Fuzzy Hash: F8617975900208AFEB22DF68CC81EEE77F8BB49304F100199FA55EB291D774A981DB50

Function 00FDB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FDB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB165
GetWindowThreadProcessId.USER32(00000000), ref: 00FDB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FDB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FDA1E1,?,00000001), ref: 00FDB21D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 44b1574c7f75fb26e2015f8e082aefc3e07f6f240795185e3c65dab2cd2b34b0
Instruction ID: 53ed481c2615a9dc5f251f180c83b86ef90b0923cb8704f94f56666068d55582
Opcode Fuzzy Hash: 44b1574c7f75fb26e2015f8e082aefc3e07f6f240795185e3c65dab2cd2b34b0
Instruction Fuzzy Hash: 9C31F7B6900204FFEB369F24ED98B6D7B7ABB15366F154206F940CA244C7799C009F20

Function 00FA2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA2C94

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FA2CA0
_free.LIBCMT ref: 00FA2CAB
_free.LIBCMT ref: 00FA2CB6
_free.LIBCMT ref: 00FA2CC1
_free.LIBCMT ref: 00FA2CCC
_free.LIBCMT ref: 00FA2CD7
_free.LIBCMT ref: 00FA2CE2
_free.LIBCMT ref: 00FA2CED
_free.LIBCMT ref: 00FA2CFB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2f7da763b34ac6b090d6df175e90438a07c33d12e00f92d6ac32a6d52c43203c
Instruction ID: 29ca72d9a52389bca7038eaca1d4a6a3c9cb23729255794fae39fb831136d7c1
Opcode Fuzzy Hash: 2f7da763b34ac6b090d6df175e90438a07c33d12e00f92d6ac32a6d52c43203c
Instruction Fuzzy Hash: CF1196B6600108AFCB82EF5CDC42CDE3BB5FF0A750F414495FA485B222D635EA50BB91

Function 00F71410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F71459
OleUninitialize.OLE32(?,00000000), ref: 00F714F8
UnregisterHotKey.USER32(?), ref: 00F716DD
DestroyWindow.USER32(?), ref: 00FB24B9
FreeLibrary.KERNEL32(?), ref: 00FB251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FB254B

Strings

close all, xrefs: 00F71454

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a9099e2abf9b39328a8f370af158f90339c389e91b384e37501c8c1ea16cac68
Instruction ID: 54781c335c58ecffa2b5662838af1027340f3d925b134ed9d9e8d6d49315d524
Opcode Fuzzy Hash: a9099e2abf9b39328a8f370af158f90339c389e91b384e37501c8c1ea16cac68
Instruction Fuzzy Hash: 32D1A031701212CFDB29EF19C899B69F7A0BF05710F1482AEE44A6B251CB30ED16EF52

Function 00FE7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FE7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE7FC1
GetFileAttributesW.KERNEL32(?), ref: 00FE7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FE8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00FE8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FE80B0

Strings

*.*, xrefs: 00FE8066

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: fd8a2be14dbb7378c90998b4a5a239a95d3ccd4162fe86f1a2541e66ec02b33f
Instruction ID: f14be8dbd58890e65af17cadfb306117d45957319c3f25c39578bd7e8fb9b84f
Opcode Fuzzy Hash: fd8a2be14dbb7378c90998b4a5a239a95d3ccd4162fe86f1a2541e66ec02b33f
Instruction Fuzzy Hash: F181C2729083819BCB24FF16C840AAEB3D8BF84320F14486EF589D7250EB75DD45AB92

Function 00F75BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F75C7A

Part of subcall function 00F75D0A: GetClientRect.USER32(?,?), ref: 00F75D30
Part of subcall function 00F75D0A: GetWindowRect.USER32(?,?), ref: 00F75D71
Part of subcall function 00F75D0A: ScreenToClient.USER32(?,?), ref: 00F75D99

GetDC.USER32 ref: 00FB46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FB4708
SelectObject.GDI32(00000000,00000000), ref: 00FB4716
SelectObject.GDI32(00000000,00000000), ref: 00FB472B
ReleaseDC.USER32(?,00000000), ref: 00FB4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FB47C4

Strings

U, xrefs: 00FB4693

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e58e6df69d394c34578f3ee3eef627856f60df1cf72da4ed56f94d23bef50f04
Instruction ID: 72da52f01d60f87e65c4b278a7d20fd6f5c15293a343b6366923028e5a55edeb
Opcode Fuzzy Hash: e58e6df69d394c34578f3ee3eef627856f60df1cf72da4ed56f94d23bef50f04
Instruction Fuzzy Hash: 72712635800205DFDF22CF64CA84AFA7BB6FF4A320F24426AED955A196C735AC41EF51

Function 00FE359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00FE35E4

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

LoadStringW.USER32(01042390,?,00000FFF,?), ref: 00FE360A

Strings

^ ERROR, xrefs: 00FE36C9
Error: , xrefs: 00FE36EF
Line %d (File "%s"):, xrefs: 00FE366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00FE3724
"%s" (%d) : ==> %s:, xrefs: 00FE3742

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f8810fe469bce1a6c6236f7dc56985142a77afb150894cadfc6543205cbe048b
Instruction ID: 8ac103318ccb3eab7da73861ce375dc9388cf7ddce5e6dce2cc414be2049b0ce
Opcode Fuzzy Hash: f8810fe469bce1a6c6236f7dc56985142a77afb150894cadfc6543205cbe048b
Instruction Fuzzy Hash: 50518071C04259BBDF15EBA1CD46EEDBB79AF14300F048126F10972191EB792B98EF62

Function 01008B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

Part of subcall function 00F8912D: GetCursorPos.USER32(?), ref: 00F89141
Part of subcall function 00F8912D: ScreenToClient.USER32(00000000,?), ref: 00F8915E
Part of subcall function 00F8912D: GetAsyncKeyState.USER32(00000001), ref: 00F89183
Part of subcall function 00F8912D: GetAsyncKeyState.USER32(00000002), ref: 00F8919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01008B6B
ImageList_EndDrag.COMCTL32 ref: 01008B71
ReleaseCapture.USER32 ref: 01008B77
SetWindowTextW.USER32(?,00000000), ref: 01008C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01008C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01008CFF

Strings

@GUI_DRAGFILE, xrefs: 01008C9A
@GUI_DROPID, xrefs: 01008C51

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: aa20afa86e9580952cd50658cdfb9fc0bf87070ebe346242a0db0287c60d05ba
Instruction ID: 940875e15ef9159be178d3e3d5d1ae4a6938cee31431827ccc46416463cb5588
Opcode Fuzzy Hash: aa20afa86e9580952cd50658cdfb9fc0bf87070ebe346242a0db0287c60d05ba
Instruction Fuzzy Hash: EC51BC74508304AFE711EF24CD85FAA77E4FB88710F000A6EF996972D1CB75A944CB62

Function 00FEC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FEC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FEC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FEC2CA
GetLastError.KERNEL32 ref: 00FEC322
SetEvent.KERNEL32(?), ref: 00FEC336
InternetCloseHandle.WININET(00000000), ref: 00FEC341

Strings

, xrefs: 00FEC2BB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: c85e34ffc5952e495529b8857e2e61a92108f59b314f765f06628042d38e6179
Instruction ID: fe65f4618f835cab85486f0b3aeba50bf2f52dfc4ed8c6dbcfe65c801df6426f
Opcode Fuzzy Hash: c85e34ffc5952e495529b8857e2e61a92108f59b314f765f06628042d38e6179
Instruction Fuzzy Hash: 34318271500284AFE7319F668D84A6B7BFCFB49754F14851EF48AD3200DB35DD06ABA1

Function 00FD989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FB3AAF,?,?,Bad directive syntax error,0100CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FD98BC
LoadStringW.USER32(00000000,?,00FB3AAF,?), ref: 00FD98C3

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FD9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00FD98F1
Line %d:, xrefs: 00FD9912
Line %d (File "%s"):, xrefs: 00FD992D
Error: , xrefs: 00FD9955
., xrefs: 00FD996D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: da86493a267b958935013a0f4e5b10ed709cec5e7894042dca83d662ab3501a5
Instruction ID: 825c1260237dbdce7768607e240a50e0050a3a0dfc0a6ee97804dbc4b263e5ba
Opcode Fuzzy Hash: da86493a267b958935013a0f4e5b10ed709cec5e7894042dca83d662ab3501a5
Instruction Fuzzy Hash: B1217431C0421AFBDF26AF90CC16EED7779FF18300F04845AF51966091DB759658EB52

Function 00FD209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FD20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00FD20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FD214D

Strings

SHELLDLL_DefView, xrefs: 00FD20CC
smallicons, xrefs: 00FD2115
details, xrefs: 00FD20FB
largeicons, xrefs: 00FD20E1
list, xrefs: 00FD212F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: c6b6beacad8c1bbb99ecc1728e5ca0688f860daf6798d42cc48a1a9a9bc915ed
Instruction ID: c45d3f6a675959100fa4a44128032943f7088b92cfd8acd729e7cdb090dc8831
Opcode Fuzzy Hash: c6b6beacad8c1bbb99ecc1728e5ca0688f860daf6798d42cc48a1a9a9bc915ed
Instruction Fuzzy Hash: 24115C77688306B9FA162621DC07DA6339DCF24734F20425BF744A91E1FE6978037A54

Function 00FA8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb171f071d8c3044b073b5e12bbf0b3194e76c24bf7f1cb751be8d219b055805
Instruction ID: 8e2b9af5e07538e0409309ad6e03a9813cbf9a2a0801e96a1e72a995ad876b61
Opcode Fuzzy Hash: eb171f071d8c3044b073b5e12bbf0b3194e76c24bf7f1cb751be8d219b055805
Instruction Fuzzy Hash: 5CC109F5D082499FDF11DFA8C881BADBFB0AF0A360F0440A5F954A7392C7B59941EB61

Function 00FACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FACEB7
_free.LIBCMT ref: 00FACF22
_free.LIBCMT ref: 00FACF48
_free.LIBCMT ref: 00FACF71
_free.LIBCMT ref: 00FACFA9
_free.LIBCMT ref: 00FACFDA
_free.LIBCMT ref: 00FAD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00FAD09C
_free.LIBCMT ref: 00FAD0B5

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 2f9084b2c38dbbf375c4bb42ecab3d1f416c95d05ae639046e24c7b30b6a6265
Instruction ID: b0d559979e3b34a3c15fcfeb5039990e470fb340746c57130f52f2cdfe9a5b79
Opcode Fuzzy Hash: 2f9084b2c38dbbf375c4bb42ecab3d1f416c95d05ae639046e24c7b30b6a6265
Instruction Fuzzy Hash: 21615BF2E042006FDF21BF789C8166E7BA5AF07720F04416DFA91A7249D73A9D00B7A0

Function 00F88B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00FC6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00FC68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FC68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00FC68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FC68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F88874,00000000,00000000,00000000,000000FF,00000000), ref: 00FC6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FC691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F88874,00000000,00000000,00000000,000000FF,00000000), ref: 00FC692D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 5cc1923285ab587c37c908ced9d13f567ccca2475129650104cf949999f46163
Instruction ID: 3195d82538d749e814f2c91142f1bec962d6813c334d0cbfacd5035d75ddd7ff
Opcode Fuzzy Hash: 5cc1923285ab587c37c908ced9d13f567ccca2475129650104cf949999f46163
Instruction Fuzzy Hash: FC517B74A00206AFEB20DF24CD85FAA7BB5FF88760F104618F946D7290DB75E991EB50

Function 00FEC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FEC182
GetLastError.KERNEL32 ref: 00FEC195
SetEvent.KERNEL32(?), ref: 00FEC1A9

Part of subcall function 00FEC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FEC272
Part of subcall function 00FEC253: GetLastError.KERNEL32 ref: 00FEC322
Part of subcall function 00FEC253: SetEvent.KERNEL32(?), ref: 00FEC336
Part of subcall function 00FEC253: InternetCloseHandle.WININET(00000000), ref: 00FEC341

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: bda2e0dea6446a904bc1005bd8fd980f8b58d4eccce16513ab9cc270b8b0fee4
Instruction ID: 639f6c1ee13e2147848a6cee9f5c3ee0ad830f421633cf75d6142081e586c493
Opcode Fuzzy Hash: bda2e0dea6446a904bc1005bd8fd980f8b58d4eccce16513ab9cc270b8b0fee4
Instruction Fuzzy Hash: 6B31B071600781AFEB219FA6DD04A67BBF8FF58310F00451DFA9A83600D735E812EBA0

Function 00FD25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FD3A57
Part of subcall function 00FD3A3D: GetCurrentThreadId.KERNEL32 ref: 00FD3A5E
Part of subcall function 00FD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FD25B3), ref: 00FD3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FD25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FD25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00FD25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FD25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FD2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00FD2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FD260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FD2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00FD2627

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 9e9e209a98781f2e3b2a096ffbcc5b0af6d242433a3a8a53b3255b90db2141b4
Instruction ID: 6aa680cec74c331ed0b92c82e0f5bec288cec7261b6e7e1e594a5004c28b560a
Opcode Fuzzy Hash: 9e9e209a98781f2e3b2a096ffbcc5b0af6d242433a3a8a53b3255b90db2141b4
Instruction Fuzzy Hash: 3801D831394210BBFB2167689C8AF593F59DB5EB11F100142F354AF1C4C9F764449AAA

Function 00FD1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00FD1449,?,?,00000000), ref: 00FD180C
HeapAlloc.KERNEL32(00000000,?,00FD1449,?,?,00000000), ref: 00FD1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FD1449,?,?,00000000), ref: 00FD1828
GetCurrentProcess.KERNEL32(?,00000000,?,00FD1449,?,?,00000000), ref: 00FD1830
DuplicateHandle.KERNEL32(00000000,?,00FD1449,?,?,00000000), ref: 00FD1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FD1449,?,?,00000000), ref: 00FD1843
GetCurrentProcess.KERNEL32(00FD1449,00000000,?,00FD1449,?,?,00000000), ref: 00FD184B
DuplicateHandle.KERNEL32(00000000,?,00FD1449,?,?,00000000), ref: 00FD184E
CreateThread.KERNEL32(00000000,00000000,00FD1874,00000000,00000000,00000000), ref: 00FD1868

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b70eba85f4a61950bf8f8715da74a0fdbe6093e0bdce4704331872b6e39b09c3
Instruction ID: a15f71d4f45974fb9fb346b5b649b3d132ef8955da17354ab8c553b49def4e71
Opcode Fuzzy Hash: b70eba85f4a61950bf8f8715da74a0fdbe6093e0bdce4704331872b6e39b09c3
Instruction Fuzzy Hash: 8B01BF75240304BFF721AB65DD4DF973B6CEB89B11F004551FA45DB195C6759800CB20

Function 00FFA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00FDD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00FDD501
Part of subcall function 00FDD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00FDD50F
Part of subcall function 00FDD4DC: CloseHandle.KERNEL32(00000000), ref: 00FDD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FFA16D
GetLastError.KERNEL32 ref: 00FFA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FFA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FFA268
GetLastError.KERNEL32(00000000), ref: 00FFA273
CloseHandle.KERNEL32(00000000), ref: 00FFA2C4

Strings

SeDebugPrivilege, xrefs: 00FFA18F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 6b441b1aa3072a0f2e164ad8325b9665b9e3270035d224d495969ba881bd3d95
Instruction ID: 59341f6a230f150cb6d37d029af7226cbf57e358fa3e5d76b05d94365d70309e
Opcode Fuzzy Hash: 6b441b1aa3072a0f2e164ad8325b9665b9e3270035d224d495969ba881bd3d95
Instruction Fuzzy Hash: 9261C171604242AFD320DF18C894F29BBE1AF44318F18C48DE56A8B7A3C776ED45DB92

Function 01003886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01003925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0100393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01003954
_wcslen.LIBCMT ref: 01003999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010039F4

Strings

SysListView32, xrefs: 010038F7

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 0e32352119a972717ab4603bd0dde06fb53aff303240a6b2a272a2ee78c82ad5
Instruction ID: bd189f9c9bdd15fa94278fc7fe8705f60e12777dad6bdb245647602e34646fdb
Opcode Fuzzy Hash: 0e32352119a972717ab4603bd0dde06fb53aff303240a6b2a272a2ee78c82ad5
Instruction Fuzzy Hash: FC416371900219AFFB239F64CC45BEA7BA9FF48350F10056AF594EB1C1D7759990CB90

Function 00FDBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FDBCFD
IsMenu.USER32(00000000), ref: 00FDBD1D
CreatePopupMenu.USER32 ref: 00FDBD53
GetMenuItemCount.USER32(011A6128), ref: 00FDBDA4
InsertMenuItemW.USER32(011A6128,?,00000001,00000030), ref: 00FDBDCC

Strings

2, xrefs: 00FDBD37
0, xrefs: 00FDBCA8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2b32684eb93679f98d6ebafa285eaf0ca57ebb2d0f35e0df6e6a547dfae933f5
Instruction ID: 6106edc22f8e22d8565e86e05dbada07689775f6af2ef2f77987d3e8f89845a4
Opcode Fuzzy Hash: 2b32684eb93679f98d6ebafa285eaf0ca57ebb2d0f35e0df6e6a547dfae933f5
Instruction Fuzzy Hash: E051BC70A00209EBDB21CFA8D888BAEBBF7BF49324F19425AE44197390D7759941DB61

Function 00FDC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FDC913

Strings

question, xrefs: 00FDC8CC
info, xrefs: 00FDC8B4
stop, xrefs: 00FDC8E4
warning, xrefs: 00FDC8FC
blank, xrefs: 00FDC895

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a6c28aa042d0981f726e6ef16db48f00d8f622e2821f045aeb738c78592ecf44
Instruction ID: a790446602b451c00c9f46baf56609592332f1e3be9b19b9423e06eda1cae83a
Opcode Fuzzy Hash: a6c28aa042d0981f726e6ef16db48f00d8f622e2821f045aeb738c78592ecf44
Instruction Fuzzy Hash: 24112E33A89307BAFB025B549C83D9E379DDF15730B54002FF500A6381E7796E00B2A5

Function 00FDDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FDDE42
gethostname.WSOCK32(?,00000100), ref: 00FDDE5C
gethostbyname.WSOCK32(?), ref: 00FDDE69
inet_ntoa.WSOCK32(?), ref: 00FDDEAB
_strcat.LIBCMT ref: 00FDDEB9
WSACleanup.WSOCK32 ref: 00FDDEDE

Strings

0.0.0.0, xrefs: 00FDDE87

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: be93465afab6bb96d3e1638ac6a1c9ff70c1eef7463bd89356043c03ff4a856d
Instruction ID: 019238335231f72bbfbd5cef68e623cd86cd9f05d8f6bff7dcad45784d5f91a3
Opcode Fuzzy Hash: be93465afab6bb96d3e1638ac6a1c9ff70c1eef7463bd89356043c03ff4a856d
Instruction Fuzzy Hash: 03113A31800104AFEB347B20DC0AEDE376DDF10320F0402AAF4459A181EF7A9A81A750

Function 01009F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

GetSystemMetrics.USER32(0000000F), ref: 01009FC7
GetSystemMetrics.USER32(0000000F), ref: 01009FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0100A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0100A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0100A263
ShowWindow.USER32(00000003,00000000), ref: 0100A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0100A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0100A2CA

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 94b402548b22ef6958b1520236c6c67d5afef7663ff2ada829f51563457904f6
Instruction ID: 4ac5bdd8fdb6f298c0712ede168d5797163eaabaee630579842490e685faf34c
Opcode Fuzzy Hash: 94b402548b22ef6958b1520236c6c67d5afef7663ff2ada829f51563457904f6
Instruction Fuzzy Hash: 99B18C35600215DBEF16CF6CC9857AE7BF2BF48741F0881A9ED899B289DB35A940CB50

Function 00FDED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FDED2A
_wcslen.LIBCMT ref: 00FDED3B
_wcslen.LIBCMT ref: 00FDED79
_wcslen.LIBCMT ref: 00FDEDAF
_wcslen.LIBCMT ref: 00FDEDDF
_wcslen.LIBCMT ref: 00FDEDEF
_wcslen.LIBCMT ref: 00FDEE2B
_wcslen.LIBCMT ref: 00FDEE5A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 9cd6da929521200242b89db2ba63aa8151c528416badddaab0714d77ef0e3763
Instruction ID: c7c1a1c41ecb3994fabf6f0f86766cd94b14ecac55b4d85998fff303440c8b59
Opcode Fuzzy Hash: 9cd6da929521200242b89db2ba63aa8151c528416badddaab0714d77ef0e3763
Instruction Fuzzy Hash: 7441B265C1021875EF11FBF48C8A9CFB7A9AF45710F508466E518E3222FB38E245D3A5

Function 00F8F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00FC682C,00000004,00000000,00000000), ref: 00F8F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00FC682C,00000004,00000000,00000000), ref: 00FCF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00FC682C,00000004,00000000,00000000), ref: 00FCF454

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: eef2a6a298da17783c8ad32e652185f494748c55ea8b3cffe6be0b6361c56681
Instruction ID: ab807845c0ba1be2792003ebd0448f26a58ee614a13ccf919becea8a861074ad
Opcode Fuzzy Hash: eef2a6a298da17783c8ad32e652185f494748c55ea8b3cffe6be0b6361c56681
Instruction Fuzzy Hash: 67412031A18680FFD739AB2DCE89BA67B927B55330F14453CE0C756554C63AA88CF711

Function 01002D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01002D1B
GetDC.USER32(00000000), ref: 01002D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01002D2E
ReleaseDC.USER32(00000000,00000000), ref: 01002D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01002D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01002D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01005A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01002DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01002DE1

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ef8f83d9aca511749607eab8affa78d162681305073c46bfc253f40f14fa521a
Instruction ID: 6a86748a52ff80095c6a8dc3a13a36fc30d45cbd73f726093ab46c97c2aa924d
Opcode Fuzzy Hash: ef8f83d9aca511749607eab8affa78d162681305073c46bfc253f40f14fa521a
Instruction Fuzzy Hash: D2318B72201214BBFB229F548C89FEB3FADEB09711F044195FE889A2C1C67A9C41C7A0

Function 00FD5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FD5637
_memcmp.LIBVCRUNTIME ref: 00FD5659
_memcmp.LIBVCRUNTIME ref: 00FD5671
_memcmp.LIBVCRUNTIME ref: 00FD5684
_memcmp.LIBVCRUNTIME ref: 00FD569E
_memcmp.LIBVCRUNTIME ref: 00FD56B1
_memcmp.LIBVCRUNTIME ref: 00FD56C9
_memcmp.LIBVCRUNTIME ref: 00FD56E4

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9a1d5e628a70e3ce9221d33ea3299d5c6da75727772a5cd089b3884608d8b59c
Instruction ID: 4a0b68714b775a7e2e73c725da758550dba626f67a705f1b8e88059d610ee529
Opcode Fuzzy Hash: 9a1d5e628a70e3ce9221d33ea3299d5c6da75727772a5cd089b3884608d8b59c
Instruction Fuzzy Hash: A621CC62E44A0AB7F61655114E83FFA336EBF10B94F5C0026FE049E741F764ED10B5A5

Function 00FF4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00FF5007
NULL Pointer assignment, xrefs: 00FF502E, 00FF5383

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 63afb7c3012332047c15446a2bf407d06544f798a4c8d8435228f0a72f56b260
Instruction ID: e5241c087a48f0a7b8aeacf14a06dfb95dc6c1edce845c079e0179768ddb8357
Opcode Fuzzy Hash: 63afb7c3012332047c15446a2bf407d06544f798a4c8d8435228f0a72f56b260
Instruction Fuzzy Hash: 28D1C071A0060EAFDF10CF98C880BBEB7B5BF48754F148169EA15AB291E770ED45DB90

Function 00FB1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00FB17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00FB15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00FB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FB1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00FB17FB,?,00FB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FB16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00FB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FB16FB

Part of subcall function 00FA3820: RtlAllocateHeap.NTDLL(00000000,?,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6,?,00F71129), ref: 00FA3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00FB17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00FB1777
__freea.LIBCMT ref: 00FB17A2
__freea.LIBCMT ref: 00FB17AE

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 5d81eacd690e6f8449aa970342beae761e16435c62f6d32aad99d9d4ebc6bc03
Instruction ID: cf31b7a1b1ece4ca7f016ed322857d71b2a1a228f1ec52f439dbd0c2f1f1c22f
Opcode Fuzzy Hash: 5d81eacd690e6f8449aa970342beae761e16435c62f6d32aad99d9d4ebc6bc03
Instruction Fuzzy Hash: 6B91C672E102169ADF318E76CCA1AEE7BB5BF49320FA84659E801E7140DB35DD44EF60

Function 00FF4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FF4648
VariantInit.OLEAUT32(?), ref: 00FF4749
VariantClear.OLEAUT32(?), ref: 00FF4753
VariantClear.OLEAUT32(?), ref: 00FF47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00FF472C
Null Object assignment in FOR..IN loop, xrefs: 00FF45D8, 00FF4706, 00FF47BE

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 8987e5e8e9304b45aee9e4ed7312f6a607ca4804ef9445d7050b98c10f0db634
Instruction ID: 870d26d323999478da91a9101b86ed77cea6ec1e2f500cfa43eb39e4e5f209d9
Opcode Fuzzy Hash: 8987e5e8e9304b45aee9e4ed7312f6a607ca4804ef9445d7050b98c10f0db634
Instruction Fuzzy Hash: 2E918272E00219ABDF20DFA5C884FAFB7B8EF45724F108559F605AB290D774A941DFA0

Function 00FE1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00FE125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FE1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00FE12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FE12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FE135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FE13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FE1430

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 20d33c3cdda2fe94a5e1a6248e7a12a1936aa1626068b45676049d99ba74f3dc
Instruction ID: 5aa53fbf52b365a4d6f235f78100bdf3e27b340f01fe0caf6d4e71910f334481
Opcode Fuzzy Hash: 20d33c3cdda2fe94a5e1a6248e7a12a1936aa1626068b45676049d99ba74f3dc
Instruction Fuzzy Hash: 9991F572E002499FEB01DF9AC884BFE77B5FF45324F114129EA40E7291D779A941EB90

Function 00F8948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 93ab3fd5512b15c9691c3894361b907430f93c9ea3894882162b6fea6598e3e0
Instruction ID: 29699c8ee4b113ace4b4068b5ec827483f21869afed8494094e39006c55c66a9
Opcode Fuzzy Hash: 93ab3fd5512b15c9691c3894361b907430f93c9ea3894882162b6fea6598e3e0
Instruction Fuzzy Hash: 4F915671D04209AFCB10DFA9CD84AEEBBB8FF49320F188149E511B7251D378AA41DF60

Function 00FF3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FF396B
CharUpperBuffW.USER32(?,?), ref: 00FF3A7A
_wcslen.LIBCMT ref: 00FF3A8A
VariantClear.OLEAUT32(?), ref: 00FF3C1F

Part of subcall function 00FE0CDF: VariantInit.OLEAUT32(00000000), ref: 00FE0D1F
Part of subcall function 00FE0CDF: VariantCopy.OLEAUT32(?,?), ref: 00FE0D28
Part of subcall function 00FE0CDF: VariantClear.OLEAUT32(?), ref: 00FE0D34

Strings

Incorrect Parameter format, xrefs: 00FF39A6, 00FF3BA1
AUTOIT.ERROR, xrefs: 00FF3A80, 00FF3A85

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 8192e218c65f7c7f3f2ec0c83c1ba88237a2305f58cef0bc7ccb556439b3547e
Instruction ID: 5298f62f1d07e23a73b6d0470fa58cf2e0c240f6b33002d56e8d61e479ec80d0
Opcode Fuzzy Hash: 8192e218c65f7c7f3f2ec0c83c1ba88237a2305f58cef0bc7ccb556439b3547e
Instruction Fuzzy Hash: 2B91AC75A083059FC700EF24C88096AB7E5FF88314F14896EF9899B361DB35EE45DB92

Function 00FF4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00FD000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?,?,00FD035E), ref: 00FD002B
Part of subcall function 00FD000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?), ref: 00FD0046
Part of subcall function 00FD000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?), ref: 00FD0054
Part of subcall function 00FD000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?), ref: 00FD0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FF4C51
_wcslen.LIBCMT ref: 00FF4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FF4DCF
CoTaskMemFree.OLE32(?), ref: 00FF4DDA

Strings

NULL Pointer assignment, xrefs: 00FF4E23, 00FF4E52

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: a54500af83607e3714d561dc6ad71112568fe1df6fdb9e8088dbec7fa6564929
Instruction ID: ff417c5d720a7cbfe9768bb0d511fb310146ecd94412b73a8abca09679bdd7cc
Opcode Fuzzy Hash: a54500af83607e3714d561dc6ad71112568fe1df6fdb9e8088dbec7fa6564929
Instruction Fuzzy Hash: E6912871D0021DAFDF14DFA4CC81AEEB7B9BF48310F10816AE519A7251DB746A449F61

Function 010020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01002183
GetMenuItemCount.USER32(00000000), ref: 010021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010021DD
_wcslen.LIBCMT ref: 01002213
GetMenuItemID.USER32(?,?), ref: 0100224D
GetSubMenu.USER32(?,?), ref: 0100225B

Part of subcall function 00FD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FD3A57
Part of subcall function 00FD3A3D: GetCurrentThreadId.KERNEL32 ref: 00FD3A5E
Part of subcall function 00FD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FD25B3), ref: 00FD3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010022E3

Part of subcall function 00FDE97B: Sleep.KERNELBASE ref: 00FDE9F3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 849f422bee4f0ece3ae67416eae72b4107a3e57b71298c5700fa3860d73f3357
Instruction ID: e5e16b28e838de5bde83f4f62e42c14d60c50a9e0bfa8c8b23b1faae1eb6e4e3
Opcode Fuzzy Hash: 849f422bee4f0ece3ae67416eae72b4107a3e57b71298c5700fa3860d73f3357
Instruction Fuzzy Hash: A671C535E00205AFDB12EFA8C844AAEB7F1FF48310F148499E956EB381D739E9418F90

Function 01007E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(011A6290), ref: 01007F37
IsWindowEnabled.USER32(011A6290), ref: 01007F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0100801E
SendMessageW.USER32(011A6290,000000B0,?,?), ref: 01008051
IsDlgButtonChecked.USER32(?,?), ref: 01008089
GetWindowLongW.USER32(011A6290,000000EC), ref: 010080AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 010080C3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5134a0f96e78c0108e614a99b410f21bd3a8e707b5254e74a0c60e9947be0d35
Instruction ID: 6d32ffa945af8c3b80d170ea91cdc41e17201eb9ea6c2a138a2550893251d2f7
Opcode Fuzzy Hash: 5134a0f96e78c0108e614a99b410f21bd3a8e707b5254e74a0c60e9947be0d35
Instruction Fuzzy Hash: 99713E74504204AFFB62DF58C884FBA7BF5EF09300F14449AE9C597291C739B841CB10

Function 00FDAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FDAEF9
GetKeyboardState.USER32(?), ref: 00FDAF0E
SetKeyboardState.USER32(?), ref: 00FDAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FDAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FDAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FDAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FDB020

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: eccce7d7f153125936a0b824399f7f978b2d6a2be9249c7fdf3de6a03e0476ae
Instruction ID: ef24d8ac99688cc27d8bab492643f7809ef34dc8dfe97ca58122ea7ee6622184
Opcode Fuzzy Hash: eccce7d7f153125936a0b824399f7f978b2d6a2be9249c7fdf3de6a03e0476ae
Instruction Fuzzy Hash: 835101A1A043D17DFB3347348C09BBBBFAA5B06314F0C858AE1D9459C2C3D9A8C8E351

Function 00FDACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FDAD19
GetKeyboardState.USER32(?), ref: 00FDAD2E
SetKeyboardState.USER32(?), ref: 00FDAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FDADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FDADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FDAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FDAE38

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c8cd29ef439ccc51c7f9c09bee7680362c2717b5e83126b94b6cd042da0d4848
Instruction ID: 83abe9f230fceb9798fe33bcb9e4ff6caf69fa7ae96520894efabf4df3f75871
Opcode Fuzzy Hash: c8cd29ef439ccc51c7f9c09bee7680362c2717b5e83126b94b6cd042da0d4848
Instruction Fuzzy Hash: 1C5115A19047D13DFB3383348C45B7A7FAB5B06311F0C858AE0D546AC2D298EC98F36A

Function 00FA542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00FB3CD6,?,?,?,?,?,?,?,?,00FA5BA3,?,?,00FB3CD6,?,?), ref: 00FA5470
__fassign.LIBCMT ref: 00FA54EB
__fassign.LIBCMT ref: 00FA5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00FB3CD6,00000005,00000000,00000000), ref: 00FA552C
WriteFile.KERNEL32(?,00FB3CD6,00000000,00FA5BA3,00000000,?,?,?,?,?,?,?,?,?,00FA5BA3,?), ref: 00FA554B
WriteFile.KERNEL32(?,?,00000001,00FA5BA3,00000000,?,?,?,?,?,?,?,?,?,00FA5BA3,?), ref: 00FA5584

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: be71d07ee7ea4997fa6895f6782e86546370998d2802300e2a6875209ced20fe
Instruction ID: 42af1ab16781ec3058c0cd1451106f54625d1b8a23c7c6193c4af600f048dd58
Opcode Fuzzy Hash: be71d07ee7ea4997fa6895f6782e86546370998d2802300e2a6875209ced20fe
Instruction Fuzzy Hash: 0251D3F1E006489FDB11CFA8D885AEEBBF9EF0A710F18415AF955E7281D7309A41CB60

Function 00F92D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F92D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00F92D53
_ValidateLocalCookies.LIBCMT ref: 00F92DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00F92E0C
_ValidateLocalCookies.LIBCMT ref: 00F92E61

Strings

csm, xrefs: 00F92DF6

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 560f9ee7f4b9c2f1ff615afd606bcfd85608b94fd09ab1651ab43ed579cf03d5
Instruction ID: ee8e7073b90ee3b4044de8232879ee428f52dc52e1c45202be8d90c1138cc5f2
Opcode Fuzzy Hash: 560f9ee7f4b9c2f1ff615afd606bcfd85608b94fd09ab1651ab43ed579cf03d5
Instruction Fuzzy Hash: 3F41EE34E00208ABEF10EF68CC85A9EBBB4BF44324F148156F814AB392D7359E05EBD0

Function 00FF10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FF307A
Part of subcall function 00FF304E: _wcslen.LIBCMT ref: 00FF309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FF1112
WSAGetLastError.WSOCK32 ref: 00FF1121
WSAGetLastError.WSOCK32 ref: 00FF11C9
closesocket.WSOCK32(00000000), ref: 00FF11F9

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4f8cba3d0fbc31666b1688da72e644b4689b42214cf6117b94f4fa26851159f5
Instruction ID: b7d0f9bb63d0969505410820fa49631619e077cd36566c34cad0da9a965acfc0
Opcode Fuzzy Hash: 4f8cba3d0fbc31666b1688da72e644b4689b42214cf6117b94f4fa26851159f5
Instruction Fuzzy Hash: F441F431600208EFEB209F24C884BBAB7E9FF45324F148159FA499B295C775AE41DBE1

Function 00FDCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FDCF22,?), ref: 00FDDDFD

Part of subcall function 00FDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FDCF22,?), ref: 00FDDE16

lstrcmpiW.KERNEL32(?,?), ref: 00FDCF45
MoveFileW.KERNEL32(?,?), ref: 00FDCF7F
_wcslen.LIBCMT ref: 00FDD005
_wcslen.LIBCMT ref: 00FDD01B
SHFileOperationW.SHELL32(?), ref: 00FDD061

Strings

\*.*, xrefs: 00FDCFF3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: a54f0ec467c0d5faba008e3b4c769dba311d938a65093bf11c23574348061fe4
Instruction ID: 0dfb43124197488ef2f45b332e8b6e5e16636bc8b165a77f78793c96c24483c0
Opcode Fuzzy Hash: a54f0ec467c0d5faba008e3b4c769dba311d938a65093bf11c23574348061fe4
Instruction Fuzzy Hash: EA417471D452195FDF12EBA4CD81EDEB7BAAF08380F0400E7E549EB241EA35A748DB50

Function 01002DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 01002E1C
GetWindowLongW.USER32(?,000000F0), ref: 01002E4F
GetWindowLongW.USER32(?,000000F0), ref: 01002E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 01002EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 01002EE0
GetWindowLongW.USER32(?,000000F0), ref: 01002EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01002F0B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 0f90d5bf89350f575b62727e915e341987cefb0cda05dc36e10a6ceb2fa4a4a4
Instruction ID: 17dea173d853bbd1ff8825af84bb14f4970afd6894bd7bb4891516829d31a955
Opcode Fuzzy Hash: 0f90d5bf89350f575b62727e915e341987cefb0cda05dc36e10a6ceb2fa4a4a4
Instruction Fuzzy Hash: F0310934644190AFEB32CF58DD88F6537E5EB59750F1501A4FA848B2E6CB76BC80DB41

Function 00FD7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FD7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FD778F
SysAllocString.OLEAUT32(00000000), ref: 00FD7792
SysAllocString.OLEAUT32(?), ref: 00FD77B0
SysFreeString.OLEAUT32(?), ref: 00FD77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00FD77DE
SysAllocString.OLEAUT32(?), ref: 00FD77EC

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: cfc459576c4c51c2b9aadd05c86927effc8bbf0d1fb576fbd71febca99e0f402
Instruction ID: ce953d752ef1278d72e55716178997975f20c32692896cc66b37390e39536f1d
Opcode Fuzzy Hash: cfc459576c4c51c2b9aadd05c86927effc8bbf0d1fb576fbd71febca99e0f402
Instruction Fuzzy Hash: 9621C776604219AFDF10EFA8CC84DBB73ADFB09364B048566F904DF290E674DC459760

Function 00FD77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FD7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FD7868
SysAllocString.OLEAUT32(00000000), ref: 00FD786B
SysAllocString.OLEAUT32 ref: 00FD788C
SysFreeString.OLEAUT32 ref: 00FD7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00FD78AF
SysAllocString.OLEAUT32(?), ref: 00FD78BD

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 70d5186c2e431864b2e3255e3c55203f32f5d24422468b7e2a68247bc22aa454
Instruction ID: dc7f400e627318513f417243f1d98f69d6fa732f27382ff30e420bd069cf6450
Opcode Fuzzy Hash: 70d5186c2e431864b2e3255e3c55203f32f5d24422468b7e2a68247bc22aa454
Instruction Fuzzy Hash: 5A217931A04204AFDB10AFA8DC89DAA77EDFB09760B148125F915CF295EA74DC41EB64

Function 00FE04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FE04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FE052E

Strings

nul, xrefs: 00FE0567

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: dcb0c5b5fdea74dc84cbc8255caee90d2e703a16dd1fa75e881e55e04d1268e6
Instruction ID: 1dfa1a26e78eafbffde50ded7d40f4258f150c7c98583fac4b46337d4fd2e428
Opcode Fuzzy Hash: dcb0c5b5fdea74dc84cbc8255caee90d2e703a16dd1fa75e881e55e04d1268e6
Instruction Fuzzy Hash: 1F217F75900345AFDB209F2AD844A9A77B4AF45734F684A19F8E1D72E0DBB1D980EF20

Function 00FE05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FE05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FE0601

Strings

nul, xrefs: 00FE0639

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 87f1bdc670141ac253fba4ca9b7267cc0113b3544053089d064b3b4e9b25c3b6
Instruction ID: 93a3e9c9c25978ec4d437f196a98bc6806d40aa54797f663e755f73825b0bbb6
Opcode Fuzzy Hash: 87f1bdc670141ac253fba4ca9b7267cc0113b3544053089d064b3b4e9b25c3b6
Instruction Fuzzy Hash: 55217F75900345ABDB209F6A9804B9A77A8AF95730F240B19F8A1E72D0DBB199A0DB10

Function 010040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F7604C
Part of subcall function 00F7600E: GetStockObject.GDI32(00000011), ref: 00F76060
Part of subcall function 00F7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01004112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0100411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0100412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01004139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01004145

Strings

Msctls_Progress32, xrefs: 010040E3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 24bb0f733d86cccb0fea96637661f19471d49541486779d9f7c057873dfd57f0
Instruction ID: 22fa392db801fb3e31aa2b948ce5dfbf24684fdabe754b534e288ab22cb7239d
Opcode Fuzzy Hash: 24bb0f733d86cccb0fea96637661f19471d49541486779d9f7c057873dfd57f0
Instruction Fuzzy Hash: 401163B215011DBEFF219E64CC85EE77F9DEF08798F014111B758E6190C6769C21DBA4

Function 00FAD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FAD7A3: _free.LIBCMT ref: 00FAD7CC

_free.LIBCMT ref: 00FAD82D

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FAD838
_free.LIBCMT ref: 00FAD843
_free.LIBCMT ref: 00FAD897
_free.LIBCMT ref: 00FAD8A2
_free.LIBCMT ref: 00FAD8AD
_free.LIBCMT ref: 00FAD8B8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: face4f0b9c2a7331b0bc2139d5726cdae5f7e6d3148ac01587aa06b6b15a2ad6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 251181B1650B04AAD569BFB4CC07FCB7BEC6F06700F400825B29AA68A2DA2CB5057651

Function 00FDDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FDDA74
LoadStringW.USER32(00000000), ref: 00FDDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FDDA91
LoadStringW.USER32(00000000), ref: 00FDDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FDDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FDDAB9

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: c19ef07ed528b9f486d305a55d0d633cdca0807eef1ee821e9431bc54a0e577a
Instruction ID: 950fa0b0d05637f7a7e56c91cf8b4b605a1f8b879fff37a01d449a23fe602cf3
Opcode Fuzzy Hash: c19ef07ed528b9f486d305a55d0d633cdca0807eef1ee821e9431bc54a0e577a
Instruction Fuzzy Hash: 7F0167F69002087FF72197A4DE89EE7326CE708301F444596B746E6041E6799E844B74

Function 00FE096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0119CBA0,0119CBA0), ref: 00FE097B
EnterCriticalSection.KERNEL32(0119CB80,00000000), ref: 00FE098D
TerminateThread.KERNEL32(?,000001F6), ref: 00FE099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00FE09A9
CloseHandle.KERNEL32(?), ref: 00FE09B8
InterlockedExchange.KERNEL32(0119CBA0,000001F6), ref: 00FE09C8
LeaveCriticalSection.KERNEL32(0119CB80), ref: 00FE09CF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 76a4ca00a1d2ea3db5ca538204f4d63f468130460fb198cbcfa920bcbcc89c5d
Instruction ID: 2cfe3fcd5dd98faeced790f0244c9cd9712807f89f8f218289ee931e80f8291a
Opcode Fuzzy Hash: 76a4ca00a1d2ea3db5ca538204f4d63f468130460fb198cbcfa920bcbcc89c5d
Instruction Fuzzy Hash: F2F03131446502BBE7625F94EF8CBDA7B35FF01712F401255F14150C95CB7A9465DF90

Function 00FF1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FF1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FF1DE1
WSAGetLastError.WSOCK32 ref: 00FF1DF2
htons.WSOCK32(?,?,?,?,?), ref: 00FF1EDB
inet_ntoa.WSOCK32(?), ref: 00FF1E8C

Part of subcall function 00FD39E8: _strlen.LIBCMT ref: 00FD39F2

Part of subcall function 00FF3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00FEEC0C), ref: 00FF3240

_strlen.LIBCMT ref: 00FF1F35

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 4b65e054cb35c7f9d34a10fecef4a4a778e729b2716c745826cd952d2e62a103
Instruction ID: 69d2db3a39f5d7709ff675c7c52dbd097d68adbf98bfdb6bc5d2afe29d3d3912
Opcode Fuzzy Hash: 4b65e054cb35c7f9d34a10fecef4a4a778e729b2716c745826cd952d2e62a103
Instruction Fuzzy Hash: 5BB1EF31604304AFD324DF24C881E3A77A5BF84328F54854CF55A5B2E2DB75ED46DB92

Function 00F75D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00F75D30
GetWindowRect.USER32(?,?), ref: 00F75D71
ScreenToClient.USER32(?,?), ref: 00F75D99
GetClientRect.USER32(?,?), ref: 00F75ED7
GetWindowRect.USER32(?,?), ref: 00F75EF8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 3080e7ba8c444949fd7ca1c1f241e5297e51b3224c63125705980edd5f51fd15
Instruction ID: f5b810dd65c00a520567ec039d4a98b4284ed59a00684961ca35b94bb01802e4
Opcode Fuzzy Hash: 3080e7ba8c444949fd7ca1c1f241e5297e51b3224c63125705980edd5f51fd15
Instruction Fuzzy Hash: 20B17735A00A4ADBDB24CFA9C5807EEB7F1FF48310F14851AE8A9D7240DB34EA50EB51

Function 00FA01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00FA00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA00D6
__allrem.LIBCMT ref: 00FA00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA010B
__allrem.LIBCMT ref: 00FA0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FA0140

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 875f00bd53fbac653162221a050f72e10fb6e9d5395a3fbb0fc2787f8dbe9ead
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 1381F8B2E007069BEB249F69DC41BAB73E9AF42334F24463AF551D7281EB74D904AB50

Function 00FA61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F982D9,00F982D9,?,?,?,00FA644F,00000001,00000001,8BE85006), ref: 00FA6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FA644F,00000001,00000001,8BE85006,?,?,?), ref: 00FA62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FA63D8
__freea.LIBCMT ref: 00FA63E5

Part of subcall function 00FA3820: RtlAllocateHeap.NTDLL(00000000,?,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6,?,00F71129), ref: 00FA3852

__freea.LIBCMT ref: 00FA63EE
__freea.LIBCMT ref: 00FA6413

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 0cab3d5464e35ccd64e8e1dca7f8dfa069193a21fb623a40e9f1da16efca66f9
Instruction ID: 9d39bf5a3580d015dced1cf6f531a1bb74506b00e5dab236e3a1b6f9a74b6dc4
Opcode Fuzzy Hash: 0cab3d5464e35ccd64e8e1dca7f8dfa069193a21fb623a40e9f1da16efca66f9
Instruction Fuzzy Hash: F151B1F2A10216AFEF258E64CC81FAF77A9EF46760F194629FC05D6240DB39DC41E660

Function 00FFBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFB6AE,?,?), ref: 00FFC9B5
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFC9F1
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA68
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FFBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FFBD25
RegCloseKey.ADVAPI32(00000000), ref: 00FFBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FFBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FFBDF3
RegCloseKey.ADVAPI32(?), ref: 00FFBDFF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 31257d8d6359912871e2a68e490650f2879bd2f11c0da9e520201ccfcea061ea
Instruction ID: 1013f33e08e34651d00a65867f5cf4b7d3f38ada482d82e1f3843768f6c73ebd
Opcode Fuzzy Hash: 31257d8d6359912871e2a68e490650f2879bd2f11c0da9e520201ccfcea061ea
Instruction Fuzzy Hash: C381DF30208245EFD714DF24C881E2ABBE5FF84318F14895DF6994B2A2CB36ED05DB92

Function 00FCF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00FCF7B9
SysAllocString.OLEAUT32(00000001), ref: 00FCF860
VariantCopy.OLEAUT32(00FCFA64,00000000), ref: 00FCF889
VariantClear.OLEAUT32(00FCFA64), ref: 00FCF8AD
VariantCopy.OLEAUT32(00FCFA64,00000000), ref: 00FCF8B1
VariantClear.OLEAUT32(?), ref: 00FCF8BB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 918309126233ed5811ce2761f16859a6aad2a550711e6390120ed0c7f265ad2a
Instruction ID: 6f1255263067b942af0263bce9715e5308feb94b41400dadef26a24f0e0e2eef
Opcode Fuzzy Hash: 918309126233ed5811ce2761f16859a6aad2a550711e6390120ed0c7f265ad2a
Instruction Fuzzy Hash: E251E732600302ABDF24AB65DD86F29F3A6EF45310F24846BE905DF295DB788C48E757

Function 00FE910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00F77620: _wcslen.LIBCMT ref: 00F77625

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00FE94E5
_wcslen.LIBCMT ref: 00FE9506
_wcslen.LIBCMT ref: 00FE952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00FE9585

Strings

X, xrefs: 00FE9412

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 401b8da60c1fded2406618fca02125f2420208a4c5e44e8178d528333ed9a746
Instruction ID: 27b96c5239ff3ca6dd397ff0d04e835a3e9e8dde0bd34dce7ebd6bb527551260
Opcode Fuzzy Hash: 401b8da60c1fded2406618fca02125f2420208a4c5e44e8178d528333ed9a746
Instruction Fuzzy Hash: 3FE1E231908340DFD724EF25C881A6EB7E4BF85314F04896DF8899B2A2DB75DD05DBA2

Function 00F8920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

BeginPaint.USER32(?,?,?), ref: 00F89241
GetWindowRect.USER32(?,?), ref: 00F892A5
ScreenToClient.USER32(?,?), ref: 00F892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F892D3
EndPaint.USER32(?,?,?,?,?), ref: 00F89321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00FC71EA

Part of subcall function 00F89339: BeginPath.GDI32(00000000), ref: 00F89357

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 291e3c42142696a6a7537c3fc3ae52ca19c5a4e7d794d450ab423c4727861299
Instruction ID: 6b9e1cb9acb2ed05129c335a91bd06b22aecf8f27f8235276b455b4be3e013f5
Opcode Fuzzy Hash: 291e3c42142696a6a7537c3fc3ae52ca19c5a4e7d794d450ab423c4727861299
Instruction Fuzzy Hash: 3341D275508301AFE721EF24C9C5FBA7BA8EB45320F18026DF9A4871E1C775A845EB61

Function 00FE07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FE080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FE0847
EnterCriticalSection.KERNEL32(?), ref: 00FE0863
LeaveCriticalSection.KERNEL32(?), ref: 00FE08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FE08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FE0921

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: b6ecb6b34b5ee53731fcc07cb78c5443efda9e1efff383dd5f324e9f62b1e721
Instruction ID: b657968f03bf87b4faaa0aefc96d61578f0e560e3c50451c452a698bd5b3166d
Opcode Fuzzy Hash: b6ecb6b34b5ee53731fcc07cb78c5443efda9e1efff383dd5f324e9f62b1e721
Instruction Fuzzy Hash: 2141AB31900205EFEF15AF54DC85AAA77B8FF44310F1080A5ED049E28BDB75DEA4EBA0

Function 010081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00FCF3AB,00000000,?,?,00000000,?,00FC682C,00000004,00000000,00000000), ref: 0100824C
EnableWindow.USER32(?,00000000), ref: 01008272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010082D1
ShowWindow.USER32(?,00000004), ref: 010082E5
EnableWindow.USER32(?,00000001), ref: 0100830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0100832F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f7bc8c589ce81397dd8e9f318079809843394b1e51b0ec4fa62a87ea84878c31
Instruction ID: 15f46d218684dde439395d7b9e1590d81b735dc62b62cd3ba532b8475fccb400
Opcode Fuzzy Hash: f7bc8c589ce81397dd8e9f318079809843394b1e51b0ec4fa62a87ea84878c31
Instruction Fuzzy Hash: B0417874A01644AFFF63CF19C989BE47BE1BB49714F1482E6E6984B1E2C7366441CB50

Function 00FD4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FD4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FD4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FD4CEA
_wcslen.LIBCMT ref: 00FD4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FD4D10
_wcsstr.LIBVCRUNTIME ref: 00FD4D1A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: e6477949216ab70db483e735116c71e815a93a920bcda236dc1ec55dd0cc2d0c
Instruction ID: 6567a3c8132b8b310c1dc613fdb66cffbb7c40e49e3b8bb9c6b787dd6816dd20
Opcode Fuzzy Hash: e6477949216ab70db483e735116c71e815a93a920bcda236dc1ec55dd0cc2d0c
Instruction Fuzzy Hash: 66212932604200BBFB255B39EC49E7B7B9EDF49760F14406AF805CA291DE75EC41A7A0

Function 00FE581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F73AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F73A97,?,?,00F72E7F,?,?,?,00000000), ref: 00F73AC2

_wcslen.LIBCMT ref: 00FE587B
CoInitialize.OLE32(00000000), ref: 00FE5995
CoCreateInstance.OLE32(0100FCF8,00000000,00000001,0100FB68,?), ref: 00FE59AE
CoUninitialize.OLE32 ref: 00FE59CC

Strings

.lnk, xrefs: 00FE5876, 00FE58C1, 00FE5985

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: adbf36234dd88e0c6e9e61ee9c57757441ce90e1cfa75a3423725de01c0f8f17
Instruction ID: e8265d7001a978237f3f62a8b3af83113432d21ca76925dba1e0031a8221de91
Opcode Fuzzy Hash: adbf36234dd88e0c6e9e61ee9c57757441ce90e1cfa75a3423725de01c0f8f17
Instruction Fuzzy Hash: C8D16671A047019FC714DF26C880A6EBBE1EF89B28F14885DF8899B361D735ED05DB92

Function 00FD175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FD0FCA
Part of subcall function 00FD0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FD0FD6
Part of subcall function 00FD0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FD0FE5
Part of subcall function 00FD0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FD0FEC
Part of subcall function 00FD0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FD1002

GetLengthSid.ADVAPI32(?,00000000,00FD1335), ref: 00FD17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FD17BA
HeapAlloc.KERNEL32(00000000), ref: 00FD17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FD17DA
GetProcessHeap.KERNEL32(00000000,00000000,00FD1335), ref: 00FD17EE
HeapFree.KERNEL32(00000000), ref: 00FD17F5

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8ed9546e7745cc46cb4d3bc2d063e90b057f259cd5d36e340a2c7b1616c250a0
Instruction ID: 0aec23af78cf032b1899dce6e6e8e7b79ca7202041b66032662f1686ce62fdaf
Opcode Fuzzy Hash: 8ed9546e7745cc46cb4d3bc2d063e90b057f259cd5d36e340a2c7b1616c250a0
Instruction Fuzzy Hash: 0E11B131904205FFEB219FA4CD49BAF7BBAFB46365F184259F48197210C73A9940DB60

Function 00FD14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FD14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00FD1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FD1515
CloseHandle.KERNEL32(00000004), ref: 00FD1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FD154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FD1563

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: ead7f58096509ca616de8cb8f422039374500e253fd91189e2838e663fe7de9d
Instruction ID: 59fb18adcd4c8f95362f78dcb9af948e9275e8526352d1d1d3caadb3e098e792
Opcode Fuzzy Hash: ead7f58096509ca616de8cb8f422039374500e253fd91189e2838e663fe7de9d
Instruction Fuzzy Hash: AB112E72500209BBEF12CF94DE49BDE7BAAFF45754F084155FA45A2150C3768E60EB60

Function 00F93382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F93379,00F92FE5), ref: 00F93390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F9339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F933B7
SetLastError.KERNEL32(00000000,?,00F93379,00F92FE5), ref: 00F93409

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 055a04d9adf5b2ff5510432957bb520e7a4d42177497237d0a550bd57087bdc4
Instruction ID: f9e774cacd6e9e0a7c83e75b5981941be0037001fe851c121973d7dcc95b824c
Opcode Fuzzy Hash: 055a04d9adf5b2ff5510432957bb520e7a4d42177497237d0a550bd57087bdc4
Instruction Fuzzy Hash: D701D433A4D3117EFF3526797E89E677A98EB16779720032AF410D11E4EF1A4E017644

Function 00FA2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FA5686,00FB3CD6,?,00000000,?,00FA5B6A,?,?,?,?,?,00F9E6D1,?,01038A48), ref: 00FA2D78
_free.LIBCMT ref: 00FA2DAB
_free.LIBCMT ref: 00FA2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00F9E6D1,?,01038A48,00000010,00F74F4A,?,?,00000000,00FB3CD6), ref: 00FA2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00F9E6D1,?,01038A48,00000010,00F74F4A,?,?,00000000,00FB3CD6), ref: 00FA2DEC
_abort.LIBCMT ref: 00FA2DF2

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2059b86a23c0b06681fd1d78a4b059819fd4b606a8a936f9591a0fc30b0d6170
Instruction ID: da1b6d8fac54bfc62405de4a0e98281147d1ab7448819801c113d090a29280c3
Opcode Fuzzy Hash: 2059b86a23c0b06681fd1d78a4b059819fd4b606a8a936f9591a0fc30b0d6170
Instruction Fuzzy Hash: 4AF0A9F6B0550027D2B2273DBD06B5F3669AFC37B1F250519F564D2186EE2D89017261

Function 01008A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F89693
Part of subcall function 00F89639: SelectObject.GDI32(?,00000000), ref: 00F896A2
Part of subcall function 00F89639: BeginPath.GDI32(?), ref: 00F896B9
Part of subcall function 00F89639: SelectObject.GDI32(?,00000000), ref: 00F896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01008A4E
LineTo.GDI32(?,00000003,00000000), ref: 01008A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01008A70
LineTo.GDI32(?,00000000,00000003), ref: 01008A80
EndPath.GDI32(?), ref: 01008A90
StrokePath.GDI32(?), ref: 01008AA0

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5328cb981fa3007a482c21710aeac79fab5be840671fbc08e7802085f6ccd4d2
Instruction ID: 785f7bdee3c03923f8301d044d1672bf4f00ab1e9fca52b83fa8f3e6c082b58d
Opcode Fuzzy Hash: 5328cb981fa3007a482c21710aeac79fab5be840671fbc08e7802085f6ccd4d2
Instruction Fuzzy Hash: B5110C76000108BFFB129F94DD88EAA7F6CEB05350F048151FA55951A4C7769D95DBA0

Function 00FD51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FD5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FD5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD5230
ReleaseDC.USER32(00000000,00000000), ref: 00FD5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FD524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00FD5261

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: eb55254bc24553139b041549014c0ac1a39dd73b6469a88d39b72f37c4fb7da9
Instruction ID: cdb0ebd0e1a59a47bc785edf8e878d0c6e659deb3b58591c10beaa74dabf97e8
Opcode Fuzzy Hash: eb55254bc24553139b041549014c0ac1a39dd73b6469a88d39b72f37c4fb7da9
Instruction Fuzzy Hash: A401DF71E00708BBEB209BA58D49F4EBFB8EB48711F0441A6FA04A7280DA309804CBA0

Function 00F71BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F71BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F71BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F71C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F71C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F71C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F71C22

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 44dc974655a418a357fba09ed8523d66d38ba368d7523fa81f88f61f7b7b9156
Instruction ID: 0f00d610485aa39952ad29d63bc61a67e0eedbe187f2364b5261fc2687962739
Opcode Fuzzy Hash: 44dc974655a418a357fba09ed8523d66d38ba368d7523fa81f88f61f7b7b9156
Instruction Fuzzy Hash: AF016CB09027597DE3008F5A8C85B52FFA8FF19354F00415B915C47941C7F5A864CBE5

Function 00FDEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FDEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FDEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00FDEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FDEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FDEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FDEB75

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 64da21794c95c72087e831dd8fb354f69afe297be3302da42b070f6ff873853c
Instruction ID: eca31499da074591c5142e1f983178de999fe4633dae929ad4f556055d711980
Opcode Fuzzy Hash: 64da21794c95c72087e831dd8fb354f69afe297be3302da42b070f6ff873853c
Instruction Fuzzy Hash: A4F06D72140118BBE63257529D0DEEB3A7CEBCAB11F000299F641D108096A52A0187B4

Function 00FC7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00FC7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00FC7469
GetWindowDC.USER32(?), ref: 00FC7475
GetPixel.GDI32(00000000,?,?), ref: 00FC7484
ReleaseDC.USER32(?,00000000), ref: 00FC7496
GetSysColor.USER32(00000005), ref: 00FC74B0

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 328a9120461832e2da7a8da8f037b059e25a410510ff7f684b7a9502654c934b
Instruction ID: beacb0c784e7fe70a02d2a2fcf01ff969f89a697f4a966b39f28b0941b8cc5f4
Opcode Fuzzy Hash: 328a9120461832e2da7a8da8f037b059e25a410510ff7f684b7a9502654c934b
Instruction Fuzzy Hash: 8401A231400205EFEB22AF64DE09FE97BB5FF08322F5402A4F955A2090CB361E41EF10

Function 00FD1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FD187F
UnloadUserProfile.USERENV(?,?), ref: 00FD188B
CloseHandle.KERNEL32(?), ref: 00FD1894
CloseHandle.KERNEL32(?), ref: 00FD189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00FD18A5
HeapFree.KERNEL32(00000000), ref: 00FD18AC

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9f113b4a1108a3b178b8fa6a247f339e2894e6358eeaa1abd0d3202f7581da31
Instruction ID: 16ccf76d72c1008f6a39655d43eaf39f68dc81fe0a4a823ce80bba11c4784f7f
Opcode Fuzzy Hash: 9f113b4a1108a3b178b8fa6a247f339e2894e6358eeaa1abd0d3202f7581da31
Instruction Fuzzy Hash: 83E0E536004501BBEB125FA1EE0C94ABF39FF4AB22F108360F2A5810A8CB379420DB90

Function 00FDC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F77620: _wcslen.LIBCMT ref: 00F77625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FDC6EE
_wcslen.LIBCMT ref: 00FDC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FDC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FDC7CA

Strings

0, xrefs: 00FDC6AF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 8092ac3a4295571c73be0b7be6f3703d513b017900ca33c9e0435aae74955dc2
Instruction ID: 346751c48a697b5b6d53c306e9bfda94af187c991600f56da8be1a196949fadf
Opcode Fuzzy Hash: 8092ac3a4295571c73be0b7be6f3703d513b017900ca33c9e0435aae74955dc2
Instruction Fuzzy Hash: CD51D171A043029BD715AF28C885B6B77E5AF89320F080A2EF995D33D1DB74DD44EB92

Function 00FFAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00FFAEA3

Part of subcall function 00F77620: _wcslen.LIBCMT ref: 00F77625

GetProcessId.KERNEL32(00000000), ref: 00FFAF38
CloseHandle.KERNEL32(00000000), ref: 00FFAF67

Strings

<, xrefs: 00FFAE6B
@, xrefs: 00FFAE72

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 05802c849a28d9abb98c5dfca33396282c52e86f594f1185f112c291ff17594c
Instruction ID: 5d667503ee84ccda88359161d2dfa06a3debe136c4b0b00398beb72e4fb15146
Opcode Fuzzy Hash: 05802c849a28d9abb98c5dfca33396282c52e86f594f1185f112c291ff17594c
Instruction Fuzzy Hash: 4D719171A00619DFCB14EF54C884AAEBBF4FF08310F048499E81AAB3A1C774ED41DB91

Function 00FD719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FD7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FD723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FD724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FD72CF

Strings

DllGetClassObject, xrefs: 00FD7242

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 93d940f8c17bbda69ea0023af19256c141a7326300ac554c8ca40493b1c32904
Instruction ID: c4f651ed7029844875a57ea84cb76ff22c1d9d55f65986c8d7485fc3d3359fb5
Opcode Fuzzy Hash: 93d940f8c17bbda69ea0023af19256c141a7326300ac554c8ca40493b1c32904
Instruction Fuzzy Hash: EF418271A04304EFDB15DF54C884A9A7BAAEF45321F18809EBD059F349E7B5D940EFA0

Function 01003D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01003E35
IsMenu.USER32(?), ref: 01003E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01003E92
DrawMenuBar.USER32 ref: 01003EA5

Strings

0, xrefs: 01003D89

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 48152ffa1f61bf193d4b049a0bf176707a04d55d2f54c3d84d6e163f3e41f836
Instruction ID: 0dfec17e23ab5291b8d21c0efdc2cc363269dcf58fd0cabbe560a3a4dc10fc05
Opcode Fuzzy Hash: 48152ffa1f61bf193d4b049a0bf176707a04d55d2f54c3d84d6e163f3e41f836
Instruction Fuzzy Hash: 21416A79A00249EFEB22DF54D884EAABBF5FF48350F0442A9E9859B2C0D735AD40CF51

Function 00FD1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FD1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FD1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FD1EA9

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

Strings

ComboBox, xrefs: 00FD1DF0
ListBox, xrefs: 00FD1E25

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 4665feba097ba3a79acb5c08be71b0c127beb5cdc60800692995b094bb80d487
Instruction ID: 1726533a7fcfef8eeb7e262d6ea8bdeeb0b0d4992162ca7ba3d58fe2d3858b05
Opcode Fuzzy Hash: 4665feba097ba3a79acb5c08be71b0c127beb5cdc60800692995b094bb80d487
Instruction Fuzzy Hash: 32212971A00108BEEB15AB64DC46CFFB7BEEF45360F18411AF815A72D1DB78590AA720

Function 01002F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01002F8D
LoadLibraryW.KERNEL32(?), ref: 01002F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01002FA9
DestroyWindow.USER32(?), ref: 01002FB1

Strings

SysAnimate32, xrefs: 01002F68

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 144635c41d18fe54172a1f9ea79ae90556aedbff63716c0ffc37cbcb6857b4f9
Instruction ID: 6c65d5bc78d5bd9c721d61b682757be1d144fa84bc06d9b511b631f48d2fd430
Opcode Fuzzy Hash: 144635c41d18fe54172a1f9ea79ae90556aedbff63716c0ffc37cbcb6857b4f9
Instruction Fuzzy Hash: 5E219A71200209ABFB235F68DC88EBB77ADEB893A4F10426CFA90D61D5D771DC919760

Function 00F94D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F94D1E,00FA28E9,?,00F94CBE,00FA28E9,010388B8,0000000C,00F94E15,00FA28E9,00000002), ref: 00F94D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F94DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00F94D1E,00FA28E9,?,00F94CBE,00FA28E9,010388B8,0000000C,00F94E15,00FA28E9,00000002,00000000), ref: 00F94DC3

Strings

mscoree.dll, xrefs: 00F94D86
CorExitProcess, xrefs: 00F94D98

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5142de51ebc26cb50c5a203db350c3c1677f363e8ffa3b3c82e2137a3d6202d2
Instruction ID: 5760b7d646245f2fdfde217eccf199daadb970bbbb8d2739a68825012f4c4675
Opcode Fuzzy Hash: 5142de51ebc26cb50c5a203db350c3c1677f363e8ffa3b3c82e2137a3d6202d2
Instruction Fuzzy Hash: AFF0A434900208BBFB219F90D909FEDBBB4EF05711F040199F845A2144DB395A41DB90

Function 00FCD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00FCD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FCD3BF
FreeLibrary.KERNEL32(00000000), ref: 00FCD3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00FCD3B9
X64, xrefs: 00FCD2A8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 3189b83c3905572d2f1a2de5d900d36ff9e3a7c9ce7364b1d1fc1a7c0cdb59d5
Instruction ID: 9e629583555510deb76f65dbc07922f025d93d4fa2240fdcf1a6a8fff2f8eba6
Opcode Fuzzy Hash: 3189b83c3905572d2f1a2de5d900d36ff9e3a7c9ce7364b1d1fc1a7c0cdb59d5
Instruction Fuzzy Hash: F6F05C72C066139BE73213108F65FDE7714AF52711F6482ADF486E1088D730CD44B782

Function 00F74E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F74EDD,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F74EAE
FreeLibrary.KERNEL32(00000000,?,?,00F74EDD,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F74EA8
kernel32.dll, xrefs: 00F74E94

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0f03aaab8be4ffd0851d85251e001ac44bdbcae557ad28fed6ae892011def0b8
Instruction ID: 8d55afc07fd65f03b95b9297cbc8baf1a688d10d28ee6b4aae71c4dfcd040f94
Opcode Fuzzy Hash: 0f03aaab8be4ffd0851d85251e001ac44bdbcae557ad28fed6ae892011def0b8
Instruction Fuzzy Hash: F2E08636E025225BE23317256818AAB6558AF82B72F054256FC44D6144DB68DC0191A2

Function 00F74E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FB3CDE,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F74E74
FreeLibrary.KERNEL32(00000000,?,?,00FB3CDE,?,01041418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F74E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F74E6E
kernel32.dll, xrefs: 00F74E5B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 7ef386abdb9ce6082eeccb1831ff25552bc1e78a67f0859260947cafb9009d2a
Instruction ID: 63fb50b8ed130bb886fcc428902f6c3177d559823339765a023f8b38b7c58f7a
Opcode Fuzzy Hash: 7ef386abdb9ce6082eeccb1831ff25552bc1e78a67f0859260947cafb9009d2a
Instruction Fuzzy Hash: 96D0C232902A215766331B256818ECB2A1CEF86B317054356B848E6108CF79CD1193D1

Function 00FE2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FE2C05
DeleteFileW.KERNEL32(?), ref: 00FE2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FE2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FE2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FE2CC0

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: bc3ee67082c2e38d01c744cc4f955d9c1c4068aefd3ba807b6f9166c50a2cb8e
Instruction ID: c22d77f191d9bf6f190edce2fecdb3a6b1b4fd22be0951d15f4c67a94851ac26
Opcode Fuzzy Hash: bc3ee67082c2e38d01c744cc4f955d9c1c4068aefd3ba807b6f9166c50a2cb8e
Instruction Fuzzy Hash: A1B17D72D00129ABDF21EFA5CC85EDEB7BDEF48310F1040A6F609E6141EB799A449F61

Function 00FFA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00FFA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FFA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FFA468
CloseHandle.KERNEL32(?), ref: 00FFA63D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 06e6dc98b71220d43c65a6af44616d1ddabfe395331e656b51006816d8df76ce
Instruction ID: d8b0bd46985a0bafd76069df1eb9993e77f6b3f19ddbd81e03b8af2617b9329d
Opcode Fuzzy Hash: 06e6dc98b71220d43c65a6af44616d1ddabfe395331e656b51006816d8df76ce
Instruction Fuzzy Hash: DAA192B16043009FD720DF24C886F2AB7E5AF44714F14885DF599DB392DBB5EC419B92

Function 00FABB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01013700), ref: 00FABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0104121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00FABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01041270,000000FF,?,0000003F,00000000,?), ref: 00FABC36
_free.LIBCMT ref: 00FABB7F

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FABD4B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 871242678393f10658927c1da720cc756a999d996b222ccad55aacb1f3ae7fbb
Instruction ID: 0ee69ff96f2a5c7282025fa0b1c05ec8dca676d5e5ed285ca1e24441aa6bf6fb
Opcode Fuzzy Hash: 871242678393f10658927c1da720cc756a999d996b222ccad55aacb1f3ae7fbb
Instruction Fuzzy Hash: 95510BF1D00209AFDB20DF65DD819AEB7BCEF46370F10026AE450D7196EB355E40AB50

Function 00FDE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FDCF22,?), ref: 00FDDDFD

Part of subcall function 00FDDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FDCF22,?), ref: 00FDDE16

Part of subcall function 00FDE199: GetFileAttributesW.KERNEL32(?,00FDCF95), ref: 00FDE19A

lstrcmpiW.KERNEL32(?,?), ref: 00FDE473
MoveFileW.KERNEL32(?,?), ref: 00FDE4AC
_wcslen.LIBCMT ref: 00FDE5EB
_wcslen.LIBCMT ref: 00FDE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00FDE650

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 94c699a6597018d3e269ee007bb93a9fae8d8e6240c28e3bfea554ed061b4016
Instruction ID: 819c68b4c5538ce4ede4a14cc4a31c067833a785b7bc92aa3f55788ed3ebadfc
Opcode Fuzzy Hash: 94c699a6597018d3e269ee007bb93a9fae8d8e6240c28e3bfea554ed061b4016
Instruction Fuzzy Hash: DC51C3B24083455BDB24EBA0CC819DF73EDAF85350F04491FF589C7281EF78A2889766

Function 00FFB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FFC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FFB6AE,?,?), ref: 00FFC9B5
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFC9F1
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA68
Part of subcall function 00FFC998: _wcslen.LIBCMT ref: 00FFCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FFBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FFBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FFBB63
RegCloseKey.ADVAPI32(?,?), ref: 00FFBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00FFBBB3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 51f00933ca8494390fbefbed88af9b660f80c81cc0b32a0d3b052b6525be6551
Instruction ID: 9e67faf64a2240072b90b1fc7e22429298573acfc4f438d2613062764dedd4ea
Opcode Fuzzy Hash: 51f00933ca8494390fbefbed88af9b660f80c81cc0b32a0d3b052b6525be6551
Instruction Fuzzy Hash: 9061D131208205AFD314DF14C890E3ABBE5FF84318F14899DF6998B2A2DB35ED45DB92

Function 00FD8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FD8BCD
VariantClear.OLEAUT32 ref: 00FD8C3E
VariantClear.OLEAUT32 ref: 00FD8C9D
VariantClear.OLEAUT32(?), ref: 00FD8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FD8D3B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ace8d101f8475d68ad4874fadc0f4a94948f83ff5a105e878a5bda041d03ae5c
Instruction ID: 8756dc8c2f114f5a0e31a83ed2eca672bde1a767ba5011977ea44a75143357e8
Opcode Fuzzy Hash: ace8d101f8475d68ad4874fadc0f4a94948f83ff5a105e878a5bda041d03ae5c
Instruction Fuzzy Hash: A7518CB1A00219EFDB14CF18C884AAAB7F5FF89310F15855AE905DB354EB34E912CF90

Function 00FE8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FE8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FE8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FE8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FE8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FE8C5F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 29652a627afead5c01329a30f6f5118ac58f39cab2feff99d55eeb514c12f872
Instruction ID: 10cd4b5f52936add5e66d85492f325ce95bf11df653d5ee3380c52c3b4007c45
Opcode Fuzzy Hash: 29652a627afead5c01329a30f6f5118ac58f39cab2feff99d55eeb514c12f872
Instruction Fuzzy Hash: 7B515935A002149FCB11EF65C881AA9BBF1FF49314F18C099E84DAB362CB35ED51DB91

Function 00FF8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FF8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00FF8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FF8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00FF9032
FreeLibrary.KERNEL32(00000000), ref: 00FF9052

Part of subcall function 00F8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FE1043,?,7529E610), ref: 00F8F6E6
Part of subcall function 00F8F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00FCFA64,00000000,00000000,?,?,00FE1043,?,7529E610,?,00FCFA64), ref: 00F8F70D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 87c8d574fbb089c2adca7abea3b27f98f5fd16bfc8f53d4afe083fc8fddeb569
Instruction ID: 480ea236194b6d225a1abb7fd93d38f87217ca36efce291ae7b22535f0d113d7
Opcode Fuzzy Hash: 87c8d574fbb089c2adca7abea3b27f98f5fd16bfc8f53d4afe083fc8fddeb569
Instruction Fuzzy Hash: 4D516D35A04209DFC711DF64C4849ADBBF1FF49324F0881A9E90A9B362DB35ED86DB81

Function 01006B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01006C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01006C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01006C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FEAB79,00000000,00000000), ref: 01006C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01006CC7

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 114656c0fa900c8b04bfd07f15ccd690d8b0db91fb51a99e60e47f999aaf6d8d
Instruction ID: a730fcab719cb3277bc3aa733bf02a0e2f96df9f78dfbf203de31c7ca4a2a115
Opcode Fuzzy Hash: 114656c0fa900c8b04bfd07f15ccd690d8b0db91fb51a99e60e47f999aaf6d8d
Instruction Fuzzy Hash: 1841A175A04108AFF7268F6CCD54FB97FE6EB09350F0502A8E999A72D0C773AD61CA40

Function 00FA2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA20C3
_free.LIBCMT ref: 00FA20E3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0a53be6e3f17bab4be6e4d41622121f756c301a2faf1d4b4f67d08b1576d2e6e
Instruction ID: abb810ea5a626a259721faf8d6d7cc9ffb03d8e61f641f0846364081773b9223
Opcode Fuzzy Hash: 0a53be6e3f17bab4be6e4d41622121f756c301a2faf1d4b4f67d08b1576d2e6e
Instruction Fuzzy Hash: 7841D1B2F002009FDB24DF7CC880A5EB7B5EF8A324B158569E615EB351DB31AD01EB80

Function 00F8912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F89141
ScreenToClient.USER32(00000000,?), ref: 00F8915E
GetAsyncKeyState.USER32(00000001), ref: 00F89183
GetAsyncKeyState.USER32(00000002), ref: 00F8919D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ad9736e6c471fe5c97b5dcc8fb0acf53566ca1280db7400d2cca25a96edf3253
Instruction ID: 578a40af35938d357fd00968ee5f3877192fd5218f12fc12eb5c51d9ef752ada
Opcode Fuzzy Hash: ad9736e6c471fe5c97b5dcc8fb0acf53566ca1280db7400d2cca25a96edf3253
Instruction Fuzzy Hash: AF416C31A0C60BBBDF15AF64C848BFEB774FB05324F248259E469A22D0C7756990EF91

Function 00FE3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FE38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00FE3922
TranslateMessage.USER32(?), ref: 00FE394B
DispatchMessageW.USER32(?), ref: 00FE3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE3966

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: da9af2a497077070327769a4086e2d7a3e14b1ddf27ec37797d774879eb16b4c
Instruction ID: fa5576550b5182cb136be8cae316efe348824c0dd2f081b5e620e3af19a64eb1
Opcode Fuzzy Hash: da9af2a497077070327769a4086e2d7a3e14b1ddf27ec37797d774879eb16b4c
Instruction Fuzzy Hash: F331D9B5D043C5AFFB35CB36D54CBBA37A9AB05310F04055DE49283085D7BAAAC4EB21

Function 00FECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00FECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00FECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00FEC21E,00000000), ref: 00FECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FEC21E,00000000), ref: 00FECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00FEC21E,00000000), ref: 00FECFF2

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ce6acfafd40bd5e06b546306d9853f6b9efa97c2110a62bd545d85acb02e10b1
Instruction ID: d0ac822bb0b8a410e3c24ed59747134bf603bd1670289c92561b5eb40b1563b1
Opcode Fuzzy Hash: ce6acfafd40bd5e06b546306d9853f6b9efa97c2110a62bd545d85acb02e10b1
Instruction Fuzzy Hash: AC314171900285EFDB20DFA6C984AABBBF9EF14351B10446EF556D2140D734AE42ABA0

Function 00FD1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FD1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00FD19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00FD19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00FD19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00FD19E2

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a0f09ca1cee4af09b90c260a5946213894b9544ab26d4d2254c5246a906895c4
Instruction ID: 04c69e8cf1f5153da6ef342f1b733fdc492b33a5e86f3b33609893e8fbc81f98
Opcode Fuzzy Hash: a0f09ca1cee4af09b90c260a5946213894b9544ab26d4d2254c5246a906895c4
Instruction Fuzzy Hash: 0231B172900219EFDB10CFA8C9A9ADE3BB6FB05325F144366F961A72C0C770AD54DB91

Function 01005706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01005745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0100579D
_wcslen.LIBCMT ref: 010057AF
_wcslen.LIBCMT ref: 010057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01005816

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9f7acd3a03c1bf2dedc13ee0ccf58b3417bea1eefc5cde4b441a1a04ffdbcfa1
Instruction ID: aeb87e4781478c1c60aada179fa18995999934ac2ed2fe869456cf120f81be52
Opcode Fuzzy Hash: 9f7acd3a03c1bf2dedc13ee0ccf58b3417bea1eefc5cde4b441a1a04ffdbcfa1
Instruction Fuzzy Hash: 1921A775900218AAFF228F64DC84EEE7BBCFF44324F004256EA99EA1C4D7749585CF50

Function 00FF0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FF0951
GetForegroundWindow.USER32 ref: 00FF0968
GetDC.USER32(00000000), ref: 00FF09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00FF09B0
ReleaseDC.USER32(00000000,00000003), ref: 00FF09E8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: fb116aea55f270c6ea0a51ec3610d1f11b19f5c9f596e5c4d8265ed0c8895ec2
Instruction ID: b6602bb597ba6c1f10930401e80ad5ef8b02ff77976ff63b6202f202e2315074
Opcode Fuzzy Hash: fb116aea55f270c6ea0a51ec3610d1f11b19f5c9f596e5c4d8265ed0c8895ec2
Instruction Fuzzy Hash: 6A21A135600204AFE724EF65CD85EAEBBE5FF49700F048169F98A97352DB74AC04DB50

Function 00FACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00FACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FACDE9

Part of subcall function 00FA3820: RtlAllocateHeap.NTDLL(00000000,?,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6,?,00F71129), ref: 00FA3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FACE0F
_free.LIBCMT ref: 00FACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FACE31

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: efa26ace971df03afdf0cc234ca61284b61307ae58458c8bf3b479a4e61e02e0
Instruction ID: 57ccc0b4b48e5235751ce993ce2eb181dbb60796395ec964da338378f45934b9
Opcode Fuzzy Hash: efa26ace971df03afdf0cc234ca61284b61307ae58458c8bf3b479a4e61e02e0
Instruction Fuzzy Hash: F501D4F2A022157F372217BA6CC8D7B7A6DDEC7FA17150229F905D7200EA658D01A2F0

Function 00F89639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F89693
SelectObject.GDI32(?,00000000), ref: 00F896A2
BeginPath.GDI32(?), ref: 00F896B9
SelectObject.GDI32(?,00000000), ref: 00F896E2

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ebfe6c86b04d8b990a987496287d87ddbed308456ba31ff16907484e18a30fd5
Instruction ID: 7d3bcdf7276fcdf07d41149335b6068ce6cb021af80d4ca1eb276e0e1bd356df
Opcode Fuzzy Hash: ebfe6c86b04d8b990a987496287d87ddbed308456ba31ff16907484e18a30fd5
Instruction Fuzzy Hash: AE2183B9815305EFDB21AF64DA447F93B64BB01325F140216F4A0A61D8E3BA6CD1DF90

Function 00FD5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00FD5726
_memcmp.LIBVCRUNTIME ref: 00FD5744
_memcmp.LIBVCRUNTIME ref: 00FD5757
_memcmp.LIBVCRUNTIME ref: 00FD576F
_memcmp.LIBVCRUNTIME ref: 00FD5787

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: aac60b59deba3aafaeb201e41a867cb4a37dbf3569d6010d10e0c109b81ed89d
Instruction ID: d9f401148042b637385c846895a502dfbe6513aa2d16459bf2cfa6f3c8a131de
Opcode Fuzzy Hash: aac60b59deba3aafaeb201e41a867cb4a37dbf3569d6010d10e0c109b81ed89d
Instruction Fuzzy Hash: 8101D662641A0EFBB71961115E42FBA735EAB21BA4F280026FE049E341F660ED10B6A0

Function 00FA2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F9F2DE,00FA3863,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6), ref: 00FA2DFD
_free.LIBCMT ref: 00FA2E32
_free.LIBCMT ref: 00FA2E59
SetLastError.KERNEL32(00000000,00F71129), ref: 00FA2E66
SetLastError.KERNEL32(00000000,00F71129), ref: 00FA2E6F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9c3e3c26ea454c4fc6fce032d260a259b15e50c0d162dc3a200a1ed9f294e988
Instruction ID: 9289e7cfdece77d2096e12155da0048788492d570bc826ffd1a49e7fd5e49e18
Opcode Fuzzy Hash: 9c3e3c26ea454c4fc6fce032d260a259b15e50c0d162dc3a200a1ed9f294e988
Instruction Fuzzy Hash: 000144F27046002BE663223D6CC6E2B366DABC33B0B240128F460E2186EB2DCC407220

Function 00FD000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?,?,00FD035E), ref: 00FD002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?), ref: 00FD0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?), ref: 00FD0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?), ref: 00FD0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FCFF41,80070057,?,?), ref: 00FD0070

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 62f8c398666820fb165e46b0b27b46deb5d6219056dbcd95c39c0312066fd5f0
Instruction ID: be21078af6a8cf38f4a05942ceafa9718f81b686653ac35795dc66238873d5f5
Opcode Fuzzy Hash: 62f8c398666820fb165e46b0b27b46deb5d6219056dbcd95c39c0312066fd5f0
Instruction Fuzzy Hash: 6D01A772600205BFEB214F64DD08BAA7BEEEF44762F184155F945D2304DB75DE409760

Function 00FD10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FD1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FD0B9B,?,?,?), ref: 00FD1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FD114D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6c56f8f8e2a68aeed4958d578cce54bdb8f45f3fb24ba489d878a194f97c1c65
Instruction ID: d48a4474b947c9fb004f1c229a2c5d355f737a1f06f4b2f2ba99464d9d882276
Opcode Fuzzy Hash: 6c56f8f8e2a68aeed4958d578cce54bdb8f45f3fb24ba489d878a194f97c1c65
Instruction Fuzzy Hash: EB016D75500205BFEB224F64DD49A6A3B7EFF89360F240555FA85C3350DA36DD009B60

Function 00FD0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FD0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FD0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FD0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FD0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FD1002

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e9d5aaa0aed2c39a044c00c5de77be117eccaf78e1081e44b84ec546fd10060c
Instruction ID: a2c98fd7e6a98cb8bc559c161e96ab8624390fcefad9a6c2d719a859fa558140
Opcode Fuzzy Hash: e9d5aaa0aed2c39a044c00c5de77be117eccaf78e1081e44b84ec546fd10060c
Instruction Fuzzy Hash: 7AF0A935200301BBEB225FA4AD4DF963BAEFF8A762F100555FA85C6284CA36DC409B60

Function 00FD1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FD102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1062

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c18fa4a00e5540720f3fb2e2c91be919606a15b6bb61898ad9ac6bc00f3998c2
Instruction ID: 4d5793ddbf8f8cbf23b6a1c420095c89c4e4bc225410be014c3179047e2a5c69
Opcode Fuzzy Hash: c18fa4a00e5540720f3fb2e2c91be919606a15b6bb61898ad9ac6bc00f3998c2
Instruction Fuzzy Hash: 2EF06D35200301BBEB226FA4ED4DF963BAEFF8A761F140555FA85C7240CA76D950CB60

Function 00FE030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE0324
CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE0331
CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE033E
CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE034B
CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE0358
CloseHandle.KERNEL32(?,?,?,?,00FE017D,?,00FE32FC,?,00000001,00FB2592,?), ref: 00FE0365

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 97a2b4c54bbe0de1772615a62b572e54c1dc20e6799e3b760cd8a78078904c6e
Instruction ID: 6b035ac674c66866fea60d133ed2ad4c38e085d3a36d7c178bfd8b8cd60f16a6
Opcode Fuzzy Hash: 97a2b4c54bbe0de1772615a62b572e54c1dc20e6799e3b760cd8a78078904c6e
Instruction Fuzzy Hash: 7101A272800B559FC7309F66D880412F7F5BF503253158A3FD19652931C7B1A994DF80

Function 00FAD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FAD752

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FAD764
_free.LIBCMT ref: 00FAD776
_free.LIBCMT ref: 00FAD788
_free.LIBCMT ref: 00FAD79A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98658c967f0d1d8cbfcf64643ad29bb9faed1dffa6a9a459ce17ea4a56c962e7
Instruction ID: ea6a1a60340a4781085dcf1aa51d994fa8e3b8beb23a3a5ff8a91e9e1dd236f7
Opcode Fuzzy Hash: 98658c967f0d1d8cbfcf64643ad29bb9faed1dffa6a9a459ce17ea4a56c962e7
Instruction Fuzzy Hash: CCF068B2A04208AF86A9EB5CF9C5C1777EDBB0A7307950C0AF045E7905C739FC806761

Function 00FD5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FD5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FD5C6F
MessageBeep.USER32(00000000), ref: 00FD5C87
KillTimer.USER32(?,0000040A), ref: 00FD5CA3
EndDialog.USER32(?,00000001), ref: 00FD5CBD

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 76d35c84711cb792f1618d148083a6abb2fafd9d279fc45fb47ab349510b2c2d
Instruction ID: 86f2e48ca7073fcac537571b454bbcf1bc40ac1c3fb2990928a1783ade93aca4
Opcode Fuzzy Hash: 76d35c84711cb792f1618d148083a6abb2fafd9d279fc45fb47ab349510b2c2d
Instruction Fuzzy Hash: 7D01D630500B04ABFB315B20DE4EFA67BB9BB04B05F08029AA583A11D1DBF5A9849B90

Function 00FA22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FA22BE

Part of subcall function 00FA29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000), ref: 00FA29DE
Part of subcall function 00FA29C8: GetLastError.KERNEL32(00000000,?,00FAD7D1,00000000,00000000,00000000,00000000,?,00FAD7F8,00000000,00000007,00000000,?,00FADBF5,00000000,00000000), ref: 00FA29F0

_free.LIBCMT ref: 00FA22D0
_free.LIBCMT ref: 00FA22E3
_free.LIBCMT ref: 00FA22F4
_free.LIBCMT ref: 00FA2305

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a804bdbc041a07db44c8504927db21d2376b9822d263b3f175a6f8e9a0534186
Instruction ID: f68ff30760bfe0341dd3c0b53a449ebbfb7064e8177acfac7421f53fd99bb1ec
Opcode Fuzzy Hash: a804bdbc041a07db44c8504927db21d2376b9822d263b3f175a6f8e9a0534186
Instruction Fuzzy Hash: F5F030F89002108F97A2AF6CFB818493BB8B71DB617000517F590E226DC73E1551BBE5

Function 00F895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F895D4
StrokeAndFillPath.GDI32(?,?,00FC71F7,00000000,?,?,?), ref: 00F895F0
SelectObject.GDI32(?,00000000), ref: 00F89603
DeleteObject.GDI32 ref: 00F89616
StrokePath.GDI32(?), ref: 00F89631

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3a527d19fbcad74ec723138f736b64c6beb37e81d43405d603f1c54d1e91e1d9
Instruction ID: 409f4298a4c5d5ef15f4887288fd97fb143b66307e2cc43d0dc2c282b1dc3638
Opcode Fuzzy Hash: 3a527d19fbcad74ec723138f736b64c6beb37e81d43405d603f1c54d1e91e1d9
Instruction Fuzzy Hash: 9AF03179409204DBD7369F55EA8C7B43B61A701332F088354F4A5550E8D77A5991DF20

Function 00FA0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00FA10F9
__freea.LIBCMT ref: 00FA1117

Part of subcall function 00FA1537: _free.LIBCMT ref: 00FA154F

Strings

a/p, xrefs: 00FA11DE
am/pm, xrefs: 00FA117A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 2ceb16fbce89444fe00da1d7f64b4bbe6f4a5648c5524373e8d2b4e70cc219ce
Instruction ID: 0e94a7fba2d51745b47ab6fcc3945a3395bebc7225e8c060936e6979abef67b3
Opcode Fuzzy Hash: 2ceb16fbce89444fe00da1d7f64b4bbe6f4a5648c5524373e8d2b4e70cc219ce
Instruction Fuzzy Hash: 51D103B6D00306DADF249F68C855BFAB7B5FF07320F2A4159E901AB650D3359D80EBA1

Function 00FF7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00F90242: EnterCriticalSection.KERNEL32(0104070C,01041884,?,?,00F8198B,01042518,?,?,?,00F712F9,00000000), ref: 00F9024D
Part of subcall function 00F90242: LeaveCriticalSection.KERNEL32(0104070C,?,00F8198B,01042518,?,?,?,00F712F9,00000000), ref: 00F9028A

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00F900A3: __onexit.LIBCMT ref: 00F900A9

__Init_thread_footer.LIBCMT ref: 00FF7BFB

Part of subcall function 00F901F8: EnterCriticalSection.KERNEL32(0104070C,?,?,00F88747,01042514), ref: 00F90202
Part of subcall function 00F901F8: LeaveCriticalSection.KERNEL32(0104070C,?,00F88747,01042514), ref: 00F90235

Strings

5, xrefs: 00FF7C78
G, xrefs: 00FF7C7F
Variable must be of type 'Object'., xrefs: 00FF7C3A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: e7cc19caa40a92e9218332c04099d56c28a529cbf8239a00da5f3d3fe6487496
Instruction ID: 0b98bba330d4e16885ed71f64e2115da8e2e9e1244bd8a693beba60eaab8b289
Opcode Fuzzy Hash: e7cc19caa40a92e9218332c04099d56c28a529cbf8239a00da5f3d3fe6487496
Instruction Fuzzy Hash: BA919971A04209EFCB04EF54D891DBDB7B1FF48310F548099FA46AB2A2DB35AE41EB51

Function 00FD2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FDB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FD21D0,?,?,00000034,00000800,?,00000034), ref: 00FDB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FD2760

Part of subcall function 00FDB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FD21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00FDB3F8

Part of subcall function 00FDB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00FDB355
Part of subcall function 00FDB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FD2194,00000034,?,?,00001004,00000000,00000000), ref: 00FDB365
Part of subcall function 00FDB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FD2194,00000034,?,?,00001004,00000000,00000000), ref: 00FDB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FD27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FD281A

Strings

@, xrefs: 00FD2832

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a0e303100630ead9f1042d03c338d9eaabe2dfc77581d69af472e813d7df963c
Instruction ID: b29a60b84002531a418d933098b958f8c3318a1dc2f5f3e5794c679a71824e14
Opcode Fuzzy Hash: a0e303100630ead9f1042d03c338d9eaabe2dfc77581d69af472e813d7df963c
Instruction Fuzzy Hash: 7E414D72D00218AFDB21DFA4CD45ADEBBB9EF09300F044096FA55B7281DB746E45EBA1

Function 00FA172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00FA1769
_free.LIBCMT ref: 00FA1834
_free.LIBCMT ref: 00FA183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00FA1760, 00FA1767, 00FA1796, 00FA17CE

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 6a5873d51385ae64d45f50bc5972e35f1425d8ccfa9b5757acd861fef193188f
Instruction ID: e990fc65fdabeba8272a572ac98ba61b28293e00eedf3bf07b36a5dedcba1812
Opcode Fuzzy Hash: 6a5873d51385ae64d45f50bc5972e35f1425d8ccfa9b5757acd861fef193188f
Instruction Fuzzy Hash: CC3181F5E00218AFDB21DB99D981D9EBBBCFB86320F154166F404D7201D6749A40EB90

Function 00FDC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FDC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00FDC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01041990,011A6128), ref: 00FDC395

Strings

0, xrefs: 00FDC2DF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: c224ba3dd41f34d1cb69664de53a5b0d092a5fd51e53d621cff3bf54c47df992
Instruction ID: 9b7c37c5cededcf53078d46c1329360702125211243da1fd43f5cf55008faaf7
Opcode Fuzzy Hash: c224ba3dd41f34d1cb69664de53a5b0d092a5fd51e53d621cff3bf54c47df992
Instruction Fuzzy Hash: 4841C3316043429FDB20DF29DC84B1ABBE5AF85320F08865EF9A5973C1C774E904DB92

Function 01004416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0100CC08,00000000,?,?,?,?), ref: 010044AA
GetWindowLongW.USER32 ref: 010044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010044D7

Strings

SysTreeView32, xrefs: 0100447C

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 56e4f76d36b78ad8e6858296577335389d0d7594ea61c4d468940b3fb3d74816
Instruction ID: 8c0330e0328891f9e68f579a6c77c17fcbb9fadee2de2bef7f804d6a26a314da
Opcode Fuzzy Hash: 56e4f76d36b78ad8e6858296577335389d0d7594ea61c4d468940b3fb3d74816
Instruction Fuzzy Hash: E931DE31200205AFEB629E38DC45BEA7BA9EB08334F214315FAB5D21D1DB75E8509750

Function 00FF304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FF3077,?,?), ref: 00FF3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FF307A
_wcslen.LIBCMT ref: 00FF309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00FF3106

Strings

255.255.255.255, xrefs: 00FF3095, 00FF309A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: fa837f3ae910f7329771ba9920da8a77fc7b7f4e6e309c4a35fc4fe2f87057a6
Instruction ID: eb76a87a586cee724f3727b6059a042498fa01795992b3873e7aa7125fca98bf
Opcode Fuzzy Hash: fa837f3ae910f7329771ba9920da8a77fc7b7f4e6e309c4a35fc4fe2f87057a6
Instruction Fuzzy Hash: 82310735A042099FDB20CF28C585E7A77E0EF14328F24805AEA158B3A2DB76EF45D761

Function 01003EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01003F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01003F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 01003F78

Strings

SysMonthCal32, xrefs: 01003F0B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 847faafba3bddafa8d3352d6a446e422d73533c250687a556d2548efb5ab52ad
Instruction ID: 3a61e5c5cb1c7ccc7d5dad732a6e7e7a274c6aece2049d0856f529ae004bcbc1
Opcode Fuzzy Hash: 847faafba3bddafa8d3352d6a446e422d73533c250687a556d2548efb5ab52ad
Instruction Fuzzy Hash: A0218032600219BFEF239F54CC46FEA3BB9FB48714F110259FA95AB1C0D6B5A8508B90

Function 01004653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01004705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01004713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0100471A

Strings

msctls_updown32, xrefs: 01004684

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 728a2678d7c35ec9bb4b60921516aa36582bc25bd92545d05978928fbe117480
Instruction ID: 44a9bcc7e2efd8d74344bffef564d1c2d5cf18305014a6e6cd8e8b48715fa6e6
Opcode Fuzzy Hash: 728a2678d7c35ec9bb4b60921516aa36582bc25bd92545d05978928fbe117480
Instruction Fuzzy Hash: 05217FB5600209AFEB12DF68DCC1DA637EDEB4A394F000099F644DB291CA75EC51DB60

Function 00FD95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FD961D

Strings

#OnAutoItStartRegister, xrefs: 00FD95F3
#requireadmin, xrefs: 00FD95D9
#notrayicon, xrefs: 00FD95B7

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 3b1dbb0026fa12e5bda838f2695fb14af2dfe2ad9c100a23d70502fe6704cafe
Instruction ID: 4bd62043e99e375feeed7ce4bf39c4d11414823092d90ab1ceb2e669cc088c06
Opcode Fuzzy Hash: 3b1dbb0026fa12e5bda838f2695fb14af2dfe2ad9c100a23d70502fe6704cafe
Instruction Fuzzy Hash: 4E21493250C61166D732BAA4DC02FAB73D99F51320F08402BF94997241EBD8ED52F391

Function 010037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01003840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01003850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01003876

Strings

Listbox, xrefs: 0100380F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0c4e6dc41a2e8067314e674677b6248af417b8833f60bd106582fd735da181a2
Instruction ID: f5a4cb5976d6f49e95bc1568e12104c55a70202e567cc3217b59274c211b718c
Opcode Fuzzy Hash: 0c4e6dc41a2e8067314e674677b6248af417b8833f60bd106582fd735da181a2
Instruction Fuzzy Hash: 38218372610218BFFB238F58CC45EAB37AEFF89750F108154F9849B190C675DC5187A0

Function 00FE49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FE4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FE4A5C
SetErrorMode.KERNEL32(00000000,?,?,0100CC08), ref: 00FE4AD0

Strings

%lu, xrefs: 00FE4A6F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: aefd9950770a92c873ecaf1a9cc270a4c2feeaf52c613107eb3d1ac2b8450c8e
Instruction ID: 3fe8953729b0c0a5d170f0c17760e0b2b37390e1193f9a37c0aa83945d81ab81
Opcode Fuzzy Hash: aefd9950770a92c873ecaf1a9cc270a4c2feeaf52c613107eb3d1ac2b8450c8e
Instruction Fuzzy Hash: BB317171A00109AFDB11DF54C985EAA7BF8EF08318F1480A9F809DB252D775EE45DB62

Function 010041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0100424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01004264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01004271

Strings

msctls_trackbar32, xrefs: 01004226

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 293e05be90c267669ac031e78a449b1c6c02117bba22564c3b3c31b118b133b1
Instruction ID: f1cdfcf4a943d8e4b2aaa8f2a71152753095c1bacaad92aaab08748b86947aea
Opcode Fuzzy Hash: 293e05be90c267669ac031e78a449b1c6c02117bba22564c3b3c31b118b133b1
Instruction Fuzzy Hash: CC11E371340208BEFF225E29CC05FAB3BACEF85B54F010128FA95E60D0D671E8619B24

Function 00FD2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F76B57: _wcslen.LIBCMT ref: 00F76B6A

Part of subcall function 00FD2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FD2DC5
Part of subcall function 00FD2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FD2DD6
Part of subcall function 00FD2DA7: GetCurrentThreadId.KERNEL32 ref: 00FD2DDD
Part of subcall function 00FD2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FD2DE4

GetFocus.USER32 ref: 00FD2F78

Part of subcall function 00FD2DEE: GetParent.USER32(00000000), ref: 00FD2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00FD2FC3
EnumChildWindows.USER32(?,00FD303B), ref: 00FD2FEB

Strings

%s%d, xrefs: 00FD2FFF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 52de9aa77d74ccba596a245d5d3286db10b98ca7be9d97a077be484c59546e35
Instruction ID: fa2b98aae2dafbeddc2a00a751d14e6a44b5bb5f8e974fe9b29e3e74a3e02e07
Opcode Fuzzy Hash: 52de9aa77d74ccba596a245d5d3286db10b98ca7be9d97a077be484c59546e35
Instruction Fuzzy Hash: E011E7716002056BDF517F748C85EED376BAF94308F088076F909DB243DE359A09AB61

Function 01005882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010058EE
DrawMenuBar.USER32(?), ref: 010058FD

Strings

0, xrefs: 0100588F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: fea0adf3a58254a04c5f79a2263b9ef9ae77b5138d1c898e55d2ed24d9d611e1
Instruction ID: d5928c9ff00e0560823c49cd71a438f434933f593d1e68adf82660b9343923c1
Opcode Fuzzy Hash: fea0adf3a58254a04c5f79a2263b9ef9ae77b5138d1c898e55d2ed24d9d611e1
Instruction Fuzzy Hash: 11016D35500218EFEB629F15DC44BEFBBB4FB45361F0080D9E889D6191DB358A94DF21

Function 00FD007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d9c4f4e415cc846f00f14af734764dffb996f1c262b41f655f9897ebb8b52c
Instruction ID: c5af688bcba64f7ef1eb0b7bc9972f5bd618f558256252d08f3160c0a72b9df2
Opcode Fuzzy Hash: 06d9c4f4e415cc846f00f14af734764dffb996f1c262b41f655f9897ebb8b52c
Instruction Fuzzy Hash: D4C13975A00206EFDB14CFA4C894BAEB7B6FF48314F248599E505EB251DB31EE41DB90

Function 00FA3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FA3F0B
__alldvrm.LIBCMT ref: 00FA410C
__alldvrm.LIBCMT ref: 00FA412E

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 98ebe8f85e1d9ea59570bce0ea2e2202dfb843ddbb982c6fb6bb8fa37d3311f6
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: EEA18AB2D103869FDB16CF18CC917AEBBE4EFA3360F14416DE5858B281C2B8A941E750

Function 00FF342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FF3459
CoUninitialize.OLE32 ref: 00FF3463
VariantInit.OLEAUT32(?), ref: 00FF346E
VariantClear.OLEAUT32(?), ref: 00FF371B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 6c715f62ee1f89a69e4d90b9d5f645afcdbc00db107f2dde368cb85755062e10
Instruction ID: 57457477db76bbd7f928f5a1c8f4fe86b8feaba0a7762c8bb11def222dc8e589
Opcode Fuzzy Hash: 6c715f62ee1f89a69e4d90b9d5f645afcdbc00db107f2dde368cb85755062e10
Instruction Fuzzy Hash: 1EA15D756043049FC710EF24C985A2AB7E5FF88724F18885DF9899B366DB34EE01DB52

Function 00FD0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0100FC08,?), ref: 00FD05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0100FC08,?), ref: 00FD0608
CLSIDFromProgID.OLE32(?,?,00000000,0100CC40,000000FF,?,00000000,00000800,00000000,?,0100FC08,?), ref: 00FD062D
_memcmp.LIBVCRUNTIME ref: 00FD064E

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 950b514737d1284f03a982ffefdaa0741ee5673a6fa98fe1af5a7e4ebf5af083
Instruction ID: c1f1aed8d442fb59b1c646fcf24574d4c295a9353bf99e0a5b0353a3408d52cd
Opcode Fuzzy Hash: 950b514737d1284f03a982ffefdaa0741ee5673a6fa98fe1af5a7e4ebf5af083
Instruction Fuzzy Hash: B1812971A00109EFCB04DF94C984EEEB7BAFF89315F244599E506AB250DB71AE06DF60

Function 00FB1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FB14C0

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ab3a74a5a0ade93087449daf24ba1432d198c107036bd3913c4fdee4de0b1ffb
Instruction ID: 55241c1c6c82e594617560cc8eb1cfe64c4c81cb318100f3303f8afb718637c5
Opcode Fuzzy Hash: ab3a74a5a0ade93087449daf24ba1432d198c107036bd3913c4fdee4de0b1ffb
Instruction Fuzzy Hash: D6415C71A00100EBEF21EBBE8C557EE3AA4FF47370F644225F418D2181E67849457A71

Function 01006278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 010062E2
ScreenToClient.USER32(?,?), ref: 01006315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01006382

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 99c08954493be958d2cff3672a224b657bbd9124e8b53d40df7b9b7c85675225
Instruction ID: 837a10455253fc9db243038a6336216d64555a8c0a0d28691245640179749689
Opcode Fuzzy Hash: 99c08954493be958d2cff3672a224b657bbd9124e8b53d40df7b9b7c85675225
Instruction Fuzzy Hash: 93515F74900209EFEB22CF58D9809AE7BF6FB45360F1081A9F995972D1D732E991CB90

Function 00FF1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FF1AFD
WSAGetLastError.WSOCK32 ref: 00FF1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FF1B8A
WSAGetLastError.WSOCK32 ref: 00FF1B94

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f187f7a41644a07e2aed15e05d4ee989f8e435f0a0f6a0862a5e2b1d9de1412c
Instruction ID: d5196cb3d761ae491a880cde0afe18a176ee51e38e965bd9a9f868c6ab1a9bec
Opcode Fuzzy Hash: f187f7a41644a07e2aed15e05d4ee989f8e435f0a0f6a0862a5e2b1d9de1412c
Instruction Fuzzy Hash: B241CE34640200AFE720AF20C886F6A77E5AF84718F54C488FA1A9F3D3D676ED419B91

Function 00FAB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82533b6c89854f6dc4c21b6722df8c4558eead9e0184b49739dc85c9138ed7fe
Instruction ID: 83eeedbd10384f0e6dc8c1b680114377032b6bb7e3a0e4739d58f632a13fa9ff
Opcode Fuzzy Hash: 82533b6c89854f6dc4c21b6722df8c4558eead9e0184b49739dc85c9138ed7fe
Instruction Fuzzy Hash: A741EAB5E00704AFD724DF78CC41BAA7BA9EB89720F10452EF551DB282D775A901A790

Function 00FE56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FE5783
GetLastError.KERNEL32(?,00000000), ref: 00FE57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FE57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FE57FA

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 91084d7e46bcdbba9982cd26c4778b39f96946df4dee5de8146d7c6b1c77559b
Instruction ID: 03da5c9d78cbf9a3fd4633d61a2b2eaa3d22e60e39903e3d913bee9005ed6234
Opcode Fuzzy Hash: 91084d7e46bcdbba9982cd26c4778b39f96946df4dee5de8146d7c6b1c77559b
Instruction Fuzzy Hash: B0412F35600610DFCB11EF15C544A5DBBE2EF89724B19C489E84E9B366CB39FD40EB91

Function 00FAD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F96D71,00000000,00000000,00F982D9,?,00F982D9,?,00000001,00F96D71,8BE85006,00000001,00F982D9,00F982D9), ref: 00FAD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FAD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FAD9AB
__freea.LIBCMT ref: 00FAD9B4

Part of subcall function 00FA3820: RtlAllocateHeap.NTDLL(00000000,?,01041444,?,00F8FDF5,?,?,00F7A976,00000010,01041440,00F713FC,?,00F713C6,?,00F71129), ref: 00FA3852

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: bf127f76d38bb785635b1b04abcf2a443d994ef997dc532ee958a5446a7c8553
Instruction ID: 5786e6125cf59fc789c9caa0ddb18875e718b03e516f270aeeb0cdb929614f3c
Opcode Fuzzy Hash: bf127f76d38bb785635b1b04abcf2a443d994ef997dc532ee958a5446a7c8553
Instruction Fuzzy Hash: EC31D2B2A0020AABDF259F64DC45EEF7BA9EB46320F050168FC05D7150EB39CD54DB90

Function 010052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01005352
GetWindowLongW.USER32(?,000000F0), ref: 01005375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01005382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010053A8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 3e52c0b58980e4c56a13b0000ce0c3acd0120f4a72e6fd5910f389740c8af392
Instruction ID: c8b1e3979cd9276bcfdf224e8ea077bffe6ba146dde3643f30e3068cd6df9904
Opcode Fuzzy Hash: 3e52c0b58980e4c56a13b0000ce0c3acd0120f4a72e6fd5910f389740c8af392
Instruction Fuzzy Hash: D331C334A55608FFFB768E18CC46BE87BA5AB04310F48C181FBD0961D1C7B5A980DF42

Function 00FDAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00FDABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FDAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FDAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00FDACC6

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ac5ba6898cdbe61769adbe401483ff2c998abdd1727639acf9703012b50dde95
Instruction ID: bba5e143b7aa8278764f6ba24374253002cee6fe98d360df11a0952949e5ac31
Opcode Fuzzy Hash: ac5ba6898cdbe61769adbe401483ff2c998abdd1727639acf9703012b50dde95
Instruction Fuzzy Hash: 6131F331E246186FEB358B648C047BA7AA7AB89330F0C431BE481523D0C379D981A75A

Function 01007674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0100769A
GetWindowRect.USER32(?,?), ref: 01007710
PtInRect.USER32(?,?,01008B89), ref: 01007720
MessageBeep.USER32(00000000), ref: 0100778C

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 024b50b7d09f3ba3ba24d8f352fed5fc19289b5c250ad92adf9371f4ffd1a026
Instruction ID: 5d7fcc78e712724448a0bb89ff7621c583859e15dbe8e5b0c85ce8a49cc996bb
Opcode Fuzzy Hash: 024b50b7d09f3ba3ba24d8f352fed5fc19289b5c250ad92adf9371f4ffd1a026
Instruction Fuzzy Hash: A9419F78601215EFEB53CF58C984EA97BF4BB48340F0441E8E9D89B295C779B981CF90

Function 010016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010016EB

Part of subcall function 00FD3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FD3A57
Part of subcall function 00FD3A3D: GetCurrentThreadId.KERNEL32 ref: 00FD3A5E
Part of subcall function 00FD3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FD25B3), ref: 00FD3A65

GetCaretPos.USER32(?), ref: 010016FF
ClientToScreen.USER32(00000000,?), ref: 0100174C
GetForegroundWindow.USER32 ref: 01001752

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 14a7eaa7a50f47bdb7653cd4abee933a18024137e48b83ed99cade7ef3ed4c37
Instruction ID: ff958430acfc41ccc2ae1879cf11766e7b8aa1010fb17ed34926957e14c33d3c
Opcode Fuzzy Hash: 14a7eaa7a50f47bdb7653cd4abee933a18024137e48b83ed99cade7ef3ed4c37
Instruction Fuzzy Hash: A7318175D00208AFD700EFA9C881CAEBBF9FF48304B5080AAE459E7251D735DE41CBA1

Function 00FDDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00F77620: _wcslen.LIBCMT ref: 00F77625

_wcslen.LIBCMT ref: 00FDDFCB
_wcslen.LIBCMT ref: 00FDDFE2
_wcslen.LIBCMT ref: 00FDE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00FDE018

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 84c737751380a7b1d9f508dcdee4bcb03a1ec98ae943a2f06fb28efcfe764fc8
Instruction ID: 55e4ca4ddc42533fc085040560995a6ab72eb44db6fc8beb759951675c02e271
Opcode Fuzzy Hash: 84c737751380a7b1d9f508dcdee4bcb03a1ec98ae943a2f06fb28efcfe764fc8
Instruction Fuzzy Hash: 7621D171D00214AFDB21EFA8DD81BAEB7F8EF45720F144066E804BB345D6749E41DBA1

Function 00FDD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FDD501
Process32FirstW.KERNEL32(00000000,?), ref: 00FDD50F
Process32NextW.KERNEL32(00000000,?), ref: 00FDD52F
CloseHandle.KERNEL32(00000000), ref: 00FDD5DC

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2f846e83db279f343ab59bf152cdca1cc171976669d0adcf4ccbe696870e1c8b
Instruction ID: 9f327634f5af947b1efb9cfe441b9ab4e38e275874b8cdb1ec18dfa56441658f
Opcode Fuzzy Hash: 2f846e83db279f343ab59bf152cdca1cc171976669d0adcf4ccbe696870e1c8b
Instruction Fuzzy Hash: 01319E320082009FD301EF64DC81AAFBBF9AF99354F18492EF585862A1EB759945DB93

Function 01008FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

GetCursorPos.USER32(?), ref: 01009001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FC7711,?,?,?,?,?), ref: 01009016
GetCursorPos.USER32(?), ref: 0100905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FC7711,?,?,?), ref: 01009094

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 616e663027f1ed6d243483f767c122c8b40f3d573bbd0b0a6f9f934d3120a656
Instruction ID: 23e1fe7b5b7694c7f9db65177b5daf2e3d5c679cd9e54d8b0ca6fc628781a01c
Opcode Fuzzy Hash: 616e663027f1ed6d243483f767c122c8b40f3d573bbd0b0a6f9f934d3120a656
Instruction Fuzzy Hash: 24219435600114FFEB26CF58C898EFB7BF5EB49354F044195F58947192C7369990DB60

Function 00FDD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0100CB68), ref: 00FDD2FB
GetLastError.KERNEL32 ref: 00FDD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FDD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0100CB68), ref: 00FDD376

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 4a07b6798d9917ba1a123b1bcd7f252657aa07cbb001688a97515ef0d8dcdd8a
Instruction ID: f6f60a8b6a4abf378c65ef38760f2e1b5919f9665b12a25ba054a567bc361992
Opcode Fuzzy Hash: 4a07b6798d9917ba1a123b1bcd7f252657aa07cbb001688a97515ef0d8dcdd8a
Instruction Fuzzy Hash: 1621A1709083019FC310DF28C98186E77E8EE56368F544A5EF499C7391D735D946EB93

Function 00FD1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FD102A
Part of subcall function 00FD1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1036
Part of subcall function 00FD1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1045
Part of subcall function 00FD1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD104C
Part of subcall function 00FD1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FD1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FD15BE
_memcmp.LIBVCRUNTIME ref: 00FD15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FD1617
HeapFree.KERNEL32(00000000), ref: 00FD161E

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a5b9b774010b3986d5fe92f7f738e1c7050b12dfcd745c74add591baad4883d4
Instruction ID: a469cb964033ce85e662f27a0d4832116fc4faad5e9413e2524a5e232cb799bd
Opcode Fuzzy Hash: a5b9b774010b3986d5fe92f7f738e1c7050b12dfcd745c74add591baad4883d4
Instruction Fuzzy Hash: C2219C32E00108BFEF10DFA4C944BEEB7B9FF40354F08445AE441A7240D735AA44EB50

Function 01002782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0100280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01002824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01002832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01002840

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b99a8fdee3b8a1ebd3eb1e927aefd2a6ba38d1783f87bbf9164e75df2781ed57
Instruction ID: 36809456e6dc492ef13ad7a3a664b20fc8e804a6806a52a205259f06a9c60f87
Opcode Fuzzy Hash: b99a8fdee3b8a1ebd3eb1e927aefd2a6ba38d1783f87bbf9164e75df2781ed57
Instruction Fuzzy Hash: D1213635205111AFF712DB24C848FAA7B95BF46324F148298F45A8B6D2CB76ED82C7D0

Function 00FD78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00FD790A,?,000000FF,?,00FD8754,00000000,?,0000001C,?,?), ref: 00FD8D8C
Part of subcall function 00FD8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00FD8DB2
Part of subcall function 00FD8D7D: lstrcmpiW.KERNEL32(00000000,?,00FD790A,?,000000FF,?,00FD8754,00000000,?,0000001C,?,?), ref: 00FD8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00FD8754,00000000,?,0000001C,?,?,00000000), ref: 00FD7923
lstrcpyW.KERNEL32(00000000,?), ref: 00FD7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FD8754,00000000,?,0000001C,?,?,00000000), ref: 00FD7984

Strings

cdecl, xrefs: 00FD797B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 081f67f307dadc8405b1dd6066a7664dcf4ca1439b2939e3bebb9e4617b79fd5
Instruction ID: 3601cacaea3486d43c2fecb7192c6125aebc5ebeff82b79e407e24fe0a06e92d
Opcode Fuzzy Hash: 081f67f307dadc8405b1dd6066a7664dcf4ca1439b2939e3bebb9e4617b79fd5
Instruction Fuzzy Hash: 1411D23A200301ABDB256F35C855D7A77AAEF853A0B04402BE942CB394EB369811A761

Function 01007CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01007D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01007D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01007D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FEB7AD,00000000), ref: 01007D6B

Part of subcall function 00F89BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F89BB2

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4af714d00c00019011eab8835c453a9fe878a91b7d25f8b3d7a118a7d025bcf2
Instruction ID: cc79852d6b620e634029bff21955efb4860e7068b76ed665d7f512792192e9d3
Opcode Fuzzy Hash: 4af714d00c00019011eab8835c453a9fe878a91b7d25f8b3d7a118a7d025bcf2
Instruction Fuzzy Hash: 0511D536205615AFFB229F2CCC04E663BE4AB45360F154365F9B5C71E0E739E950CB50

Function 01005660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010056BB
_wcslen.LIBCMT ref: 010056CD
_wcslen.LIBCMT ref: 010056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01005816

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 995e3d9081d52e0459344d57ea2b193531d2f0a8d2dd8cfdeabe445309b2d1c0
Instruction ID: 356c442e9b0bbe74d1da2a13a955f870a2f808aa9b9df96d44c31294234b1980
Opcode Fuzzy Hash: 995e3d9081d52e0459344d57ea2b193531d2f0a8d2dd8cfdeabe445309b2d1c0
Instruction Fuzzy Hash: 1B11E175A00208A6FF229F65DC84EEE3BACEF15364F00406AFA85D60C1EB749641CF60

Function 00FA1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07817875500aecd3d34826362d76bc831f6d768159341b275b71887c0a4fec8
Instruction ID: 144b8ef107e0a4d735a664bf62e0e65a152c1f3885afa69abb51c830b929dbe2
Opcode Fuzzy Hash: f07817875500aecd3d34826362d76bc831f6d768159341b275b71887c0a4fec8
Instruction Fuzzy Hash: FE01ADF260A6163EF66126786CC0F67762CEF837B8F320329F521A11C5DB659C047260

Function 00FD1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FD1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FD1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FD1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FD1A8A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 684e6bf6b66134fbad88c262fca9995d6e2f9c9ac5e8e0694fc64fa82a209c23
Instruction ID: f79ac57be67116058ebffbd0a7fe92c07feac0d6e0b10df3bb09e749dbd416ab
Opcode Fuzzy Hash: 684e6bf6b66134fbad88c262fca9995d6e2f9c9ac5e8e0694fc64fa82a209c23
Instruction Fuzzy Hash: CA11393AD01219FFEB11DBA4CD85FADBB79FB08750F240092EA00B7290D6716E50EB94

Function 00FDE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FDE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00FDE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FDE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FDE24D

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: c5e0ab1a7beb025939680b2b9125979cdc7d34336d3c8f19c6203bd155af1d63
Instruction ID: 22c9394bb3425885ec973f97faffd93af2dc37d7cc1794c1c7a2f3658492a235
Opcode Fuzzy Hash: c5e0ab1a7beb025939680b2b9125979cdc7d34336d3c8f19c6203bd155af1d63
Instruction Fuzzy Hash: A2116BB6D04204BBD712AFA89D05A9F3FADAB45321F04835AF854D3380C2BADE0487A0

Function 00F9D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00F9CFF9,00000000,00000004,00000000), ref: 00F9D218
GetLastError.KERNEL32 ref: 00F9D224
__dosmaperr.LIBCMT ref: 00F9D22B
ResumeThread.KERNEL32(00000000), ref: 00F9D249

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 04815d6c401db8e7b5eb483478efa46f60a074a9b04947785445098355bcbc3d
Instruction ID: 7333ec6f982fca2ec8c4b4d2b1a9dd512fd9dd72fbbc10481817f0b7fb21f48f
Opcode Fuzzy Hash: 04815d6c401db8e7b5eb483478efa46f60a074a9b04947785445098355bcbc3d
Instruction Fuzzy Hash: F201F536805204BBFF215BA5DC09BAE7B69DF82730F300359F925921D0CB75C945E7A1

Function 00F7600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F7604C
GetStockObject.GDI32(00000011), ref: 00F76060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7606A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 5a6199dacb8879fb5511180890a32abd7da22d29ac5af64380875826e0827f13
Instruction ID: 93e3c6934efc896630f2503ae1e08e14d33c82b2fbd9116cacb57b7777d01975
Opcode Fuzzy Hash: 5a6199dacb8879fb5511180890a32abd7da22d29ac5af64380875826e0827f13
Instruction Fuzzy Hash: 44116172501949BFEF224F94DD44EEA7B69FF0D364F044216FA1892150D736AC60EB91

Function 00F93B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00F93B56

Part of subcall function 00F93AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F93AD2
Part of subcall function 00F93AA3: ___AdjustPointer.LIBCMT ref: 00F93AED

_UnwindNestedFrames.LIBCMT ref: 00F93B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F93B7C
CallCatchBlock.LIBVCRUNTIME ref: 00F93BA4

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 7a068b8dc46bbdc34f6765c8a91d45bf0d80dd1a63a528ec6ec9d8c4b55ebf4c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 3501ED32500149BBEF115E95CC46DEB7B69FF98768F044014FE4896121C736E962EBA0

Function 00FA3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F713C6,00000000,00000000,?,00FA301A,00F713C6,00000000,00000000,00000000,?,00FA328B,00000006,FlsSetValue), ref: 00FA30A5
GetLastError.KERNEL32(?,00FA301A,00F713C6,00000000,00000000,00000000,?,00FA328B,00000006,FlsSetValue,01012290,FlsSetValue,00000000,00000364,?,00FA2E46), ref: 00FA30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FA301A,00F713C6,00000000,00000000,00000000,?,00FA328B,00000006,FlsSetValue,01012290,FlsSetValue,00000000), ref: 00FA30BF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 734ca7b06d919d802ee0fde86585e3b21e253742e84601b15f749e8338ab6f55
Instruction ID: 6e9277ac172a03c24cc240cbbc462c71e8dc95929522c709e1a96d63aa4e2bb3
Opcode Fuzzy Hash: 734ca7b06d919d802ee0fde86585e3b21e253742e84601b15f749e8338ab6f55
Instruction Fuzzy Hash: C5012BB6705222ABDB314A799C44A577B98AF07BB5F208720F945E3184C736DA01D7E0

Function 00FD7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00FD747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FD7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FD74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FD74CA

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 73df0c53292355c01b5f9d9fa7b637645191ed2d753cf4ad1abc8cb5ec8c24ce
Instruction ID: ae9b0619df6e2bd10679f0cfd209437e3fa85657667c6fb5377f0db622e91cdc
Opcode Fuzzy Hash: 73df0c53292355c01b5f9d9fa7b637645191ed2d753cf4ad1abc8cb5ec8c24ce
Instruction Fuzzy Hash: 9C11A1B1205310DBF732DF14DD08B92BBFDEB01B00F1486AAA656DA281E775E904EB50

Function 00FDB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FDACD3,?,00008000), ref: 00FDB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FDACD3,?,00008000), ref: 00FDB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FDACD3,?,00008000), ref: 00FDB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FDACD3,?,00008000), ref: 00FDB126

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: ca85e6e6a270b12b2f955ae8a9c33af62bc35985a7b8ae3658adf1aa521afb4e
Instruction ID: 4dfd7ead927cff8416b545fc664ead0e2c811019a4aba90f37dc9a5238d21a4b
Opcode Fuzzy Hash: ca85e6e6a270b12b2f955ae8a9c33af62bc35985a7b8ae3658adf1aa521afb4e
Instruction Fuzzy Hash: CE11AD31C0062CE7DF10AFE4E9597EEBF78FF0A310F064186D981B2284CB348A509B91

Function 01007E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01007E33
ScreenToClient.USER32(?,?), ref: 01007E4B
ScreenToClient.USER32(?,?), ref: 01007E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01007E8A

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 3a134869db1c556c63852ccfaf3bb0f7af4705ca480d945e01723243ce07eafe
Instruction ID: e0b36260ec79960292280ab3de4fa6a0d5607fb9b8fe647f43dfaac301ec99c1
Opcode Fuzzy Hash: 3a134869db1c556c63852ccfaf3bb0f7af4705ca480d945e01723243ce07eafe
Instruction Fuzzy Hash: 8111B6B9D0020AAFDB51CF98C5849EEBBF5FF08310F004196E955E3210D735AA54CF50

Function 00FD2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FD2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FD2DD6
GetCurrentThreadId.KERNEL32 ref: 00FD2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FD2DE4

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d995480d56506c075a8f1aaa37ce418d47a111821e8c9980e033f4e28d186943
Instruction ID: 40bcbda87d14c176003c92092e3c7d22bb5f64d146d4bdb3c077c237bab4445e
Opcode Fuzzy Hash: d995480d56506c075a8f1aaa37ce418d47a111821e8c9980e033f4e28d186943
Instruction Fuzzy Hash: 15E06D725052247AE7311B629D0DFEB3E6EEB5ABA1F040256B145D21809AAA9840D7F0

Function 01008863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F89639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F89693
Part of subcall function 00F89639: SelectObject.GDI32(?,00000000), ref: 00F896A2
Part of subcall function 00F89639: BeginPath.GDI32(?), ref: 00F896B9
Part of subcall function 00F89639: SelectObject.GDI32(?,00000000), ref: 00F896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01008887
LineTo.GDI32(?,?,?), ref: 01008894
EndPath.GDI32(?), ref: 010088A4
StrokePath.GDI32(?), ref: 010088B2

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9895f60754fb9945d838db639f0a3afe117400de1b1e4008e8d04394df6430eb
Instruction ID: 7fce6ae9dbada65ceee151458a5c694590e7c517a8aa639cd289b00e2b7b3755
Opcode Fuzzy Hash: 9895f60754fb9945d838db639f0a3afe117400de1b1e4008e8d04394df6430eb
Instruction Fuzzy Hash: FFF09A3A001218BBFB236F94AD09FCA3E59AF06310F048280FB81610C1C3BA1650DBE5

Function 00F898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F898CC
SetTextColor.GDI32(?,?), ref: 00F898D6
SetBkMode.GDI32(?,00000001), ref: 00F898E9
GetStockObject.GDI32(00000005), ref: 00F898F1

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 55941c6eaaba642c2f2e3e4bb2739f0a54ce5e0d27a7e31d479ed843427f6cd5
Instruction ID: 1522ea4e8a278f09fa29a1568a3845ed7f3bcdcea8eb9d6452d7d179e34fab6a
Opcode Fuzzy Hash: 55941c6eaaba642c2f2e3e4bb2739f0a54ce5e0d27a7e31d479ed843427f6cd5
Instruction Fuzzy Hash: A9E06531644280AEEB325B74A909BE83F10AB12336F088359F6F5540D4C37646509F10

Function 00FD162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FD1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FD11D9), ref: 00FD163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FD11D9), ref: 00FD1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FD11D9), ref: 00FD164F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 047fd42617c051aa0b35c24bc640b44959268dd6811867121cd14401e733af7c
Instruction ID: 3085d6c5fc2d487ea1ab859d40186b8068b2f89e5b69f157148e92cb7c035455
Opcode Fuzzy Hash: 047fd42617c051aa0b35c24bc640b44959268dd6811867121cd14401e733af7c
Instruction Fuzzy Hash: FFE08C32A02211ABF7311FA0AF0DB863B7DBF457A2F188989F285C9084E6398540CB60

Function 00FCD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FCD858
GetDC.USER32(00000000), ref: 00FCD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FCD882
ReleaseDC.USER32(?), ref: 00FCD8A3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: cf6c862dc43348d6e22d70d99213306cfecb7666b253490d94382c09449c13b2
Instruction ID: 32dbc81a70fd6738a576e71c734d6a847f84e96c4c834af09ef8127a3b57a4d2
Opcode Fuzzy Hash: cf6c862dc43348d6e22d70d99213306cfecb7666b253490d94382c09449c13b2
Instruction Fuzzy Hash: E2E09275800205DFDF629FA0DA08B6DBBB5FB08311F148559F886E7244C73D5541AF51

Function 00FCD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00FCD86C
GetDC.USER32(00000000), ref: 00FCD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00FCD882
ReleaseDC.USER32(?), ref: 00FCD8A3

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 241a1c9e2f3e2aeaa609da5c01cff23986af955c5bdb4cc1b9f46e632b530290
Instruction ID: 004e28b050793e08ac782b2f3d486b2217b29662681f8ef28eebad4e1bcbff73
Opcode Fuzzy Hash: 241a1c9e2f3e2aeaa609da5c01cff23986af955c5bdb4cc1b9f46e632b530290
Instruction Fuzzy Hash: 02E09A75800204DFDF62AFA0D90866DBBB5BB08311F148589F98AE7244CB3D6A01AF50

Function 00FE4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F77620: _wcslen.LIBCMT ref: 00F77625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FE4ED4

Strings

*, xrefs: 00FE4E10
LPT, xrefs: 00FE4DFB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c3bdd7073b3065b35d3cadc509522bdc42345f5fc155d7544974797be139233a
Instruction ID: 37ca9394c35ee3a49d71bf99c3adcde7138054c6a96fa5dd44f7a4a1b521db47
Opcode Fuzzy Hash: c3bdd7073b3065b35d3cadc509522bdc42345f5fc155d7544974797be139233a
Instruction Fuzzy Hash: 95917F75A002849FCB14DF59C884EAABBF1BF44714F19809DE80A9F3A2C735ED85DB91

Function 00F9E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F9E30D

Strings

pow, xrefs: 00F9E2E5, 00F9E302

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 4cddd74adbaae2c8aab69524e10063396ee8fe6f9c893f7a0de00b69d5f9305f
Instruction ID: 9cc57756f13a55ba9ebf622364ace94362c54d28e362074fcd9d038f931e6ffb
Opcode Fuzzy Hash: 4cddd74adbaae2c8aab69524e10063396ee8fe6f9c893f7a0de00b69d5f9305f
Instruction Fuzzy Hash: 1A5139B1E0C30296EF25B718CD41BBA7B94AB41760F344D68E0D582299EB398C95BB46

Function 00F8E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00F8E1B1

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e7d31c27b224976123559724dfc5da2e38c7b89f7af49a1e60a1e96e5e1ebc21
Instruction ID: d35b55f4f72c4fb5e1801389593f03cde2840500c1adf0193a5b7fa85ae4bd89
Opcode Fuzzy Hash: e7d31c27b224976123559724dfc5da2e38c7b89f7af49a1e60a1e96e5e1ebc21
Instruction Fuzzy Hash: 4351F375D04247DFDB25EF24C446BFA7BA4EF15320F248059ECA19B2C0D6349D52EB51

Function 00F8F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F8F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F8F2BB

Strings

@, xrefs: 00F8F2AF

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9cc8581f29783b200567a483a2bf99c6e3182e7f9b0fe6f1a5ed239f3985047a
Instruction ID: 8b7a9860776bcf7d913258c8149015e431d0698e787abf0cd170cd7fb5405532
Opcode Fuzzy Hash: 9cc8581f29783b200567a483a2bf99c6e3182e7f9b0fe6f1a5ed239f3985047a
Instruction Fuzzy Hash: 1D5145715187449BD320AF20DC86BAFBBF8FB85300F81885EF1D942195EB798529CB67

Function 00FF5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00FF57E0
_wcslen.LIBCMT ref: 00FF57EC

Strings

CALLARGARRAY, xrefs: 00FF57E6, 00FF57EB

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: c343846c0743aff5269a369197b5d5d6b58966673ee1644230fe6dfdb87eaaa4
Instruction ID: a5c9a82d193a62156fae1cad128ac9bf6a7ad548e603ec2bbf1d985e77a6ae38
Opcode Fuzzy Hash: c343846c0743aff5269a369197b5d5d6b58966673ee1644230fe6dfdb87eaaa4
Instruction Fuzzy Hash: 6E41A231E002099FCF14EFA9C8819FEBBB5FF59760F14416AE605A72A1E7349D81DB90

Function 00FED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FED13A

Strings

|, xrefs: 00FED10B

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 8bec652e2dac4d2ebdf4966c40fe7e4ed0b1673977bd8945a469faac35649ba5
Instruction ID: 4bcad5d0c73298461f5b47a6aa1709dff056dd02b05e81367fe6593b2beaf85c
Opcode Fuzzy Hash: 8bec652e2dac4d2ebdf4966c40fe7e4ed0b1673977bd8945a469faac35649ba5
Instruction Fuzzy Hash: 38317071D00209ABDF15EFA5CC85EEE7FB9FF04310F00401AF819A6161D739AA16EB65

Function 0100356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01003621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0100365C

Strings

static, xrefs: 010035BC

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: df85d051637a3f655831997e653e5c8afec9a7f64fd8c7cfa895d517d1b73fe9
Instruction ID: 4fa93f4a6fa2588d788751673be21985f192f61787dd6c30223c7ac07e5fb2c3
Opcode Fuzzy Hash: df85d051637a3f655831997e653e5c8afec9a7f64fd8c7cfa895d517d1b73fe9
Instruction Fuzzy Hash: A3319071100604AEEB229F78DC80EFB73A9FF88720F10D61DF9A597290DB35A891D760

Function 01004537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0100461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01004634

Strings

', xrefs: 0100458E

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 637b98f32974a0916e8c550854363fe5f05e33914c06e43d7181d300e4f0a86e
Instruction ID: 819d687c4680a67521301343a05ed718b9bec3a96635e39dc266006e4ba490f7
Opcode Fuzzy Hash: 637b98f32974a0916e8c550854363fe5f05e33914c06e43d7181d300e4f0a86e
Instruction Fuzzy Hash: 0E312A74A012099FEB15CFA9C980BDA7BF5FF49300F104169EA44EB382E771A941CF94

Function 010031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0100327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01003287

Strings

Combobox, xrefs: 01003249

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3fa443c59bc3ba231a191af8661823d15e2c4c1ccccf8125b4598ec2bdec90a4
Instruction ID: f50bbf0986af1491a5eb3cc42246d798c76be8b78578934d88bc4e13bc7dfe1c
Opcode Fuzzy Hash: 3fa443c59bc3ba231a191af8661823d15e2c4c1ccccf8125b4598ec2bdec90a4
Instruction Fuzzy Hash: BA1190712002087FFF679E58DC81EBB3BAAFB88364F104129F9989B2D1D635AC51C760

Function 01003710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F7600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F7604C
Part of subcall function 00F7600E: GetStockObject.GDI32(00000011), ref: 00F76060
Part of subcall function 00F7600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F7606A

GetWindowRect.USER32(00000000,?), ref: 0100377A
GetSysColor.USER32(00000012), ref: 01003794

Strings

static, xrefs: 01003757

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d9e97f8e4c6a6a5a173e7962add87e3b21ca7656c508abad699cef4f1d4944ec
Instruction ID: ebab4d635577515a207d2608fa05f173b37bcdaa0c55dbde543f1da25a422bb9
Opcode Fuzzy Hash: d9e97f8e4c6a6a5a173e7962add87e3b21ca7656c508abad699cef4f1d4944ec
Instruction Fuzzy Hash: 43112972610209AFEB12DFA8CD45AEA7BF8FB08314F004A59F995E6280D735E8519B50

Function 00FECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FECDA6

Strings

<local>, xrefs: 00FECD66

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1fba5bcd88a4c715fd672d0762899b5e9074333634294f4495bb0933a69837ad
Instruction ID: 8d5ff31322bca2fd147a7fe9ab31caa66c88de265cd8ee67cd445c9fcf466dae
Opcode Fuzzy Hash: 1fba5bcd88a4c715fd672d0762899b5e9074333634294f4495bb0933a69837ad
Instruction Fuzzy Hash: 7511C672605671BAD7344B678C45FE7BEACEF127B4F00422AB16983180D7769942E6F0

Function 01003429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010034BA

Strings

edit, xrefs: 0100348F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 771254573e772cc2c5f68f862a1f7d2307ded306ae5bc51f1a5f07e7728e4f13
Instruction ID: 08e488d4f4859879fe62c8a51847769adc11af26f2462b1a8e3f7fce7b0ffbab
Opcode Fuzzy Hash: 771254573e772cc2c5f68f862a1f7d2307ded306ae5bc51f1a5f07e7728e4f13
Instruction Fuzzy Hash: C1119D75100108AFFB634E68DC84AEA37AAFB05374F514364F9A09B1D4CB76EC919751

Function 00FD6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

CharUpperBuffW.USER32(?,?,?), ref: 00FD6CB6
_wcslen.LIBCMT ref: 00FD6CC2

Strings

STOP, xrefs: 00FD6CBC, 00FD6CC1

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f2ae4e1000e92087b950ac01d315761531d7e53c53dc0281659f59578fca1de0
Instruction ID: 9d7b422d072c4b757796834f3efea73feae0679439418307615efa1539df18d2
Opcode Fuzzy Hash: f2ae4e1000e92087b950ac01d315761531d7e53c53dc0281659f59578fca1de0
Instruction Fuzzy Hash: F6010432A145278ACB219FBDDC809BF33A6EB607207040526E852D3291EA35D800E750

Function 00FD1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FD1D4C

Strings

ComboBox, xrefs: 00FD1CEB
ListBox, xrefs: 00FD1D16

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6c45ed8380546986b79672626cb988e8ef8b793762e382c4055bf9b659bc65b2
Instruction ID: 32b921ade12281ecdbcfddf23ebef3da3b407847d67376c65cf3cef0dad792e5
Opcode Fuzzy Hash: 6c45ed8380546986b79672626cb988e8ef8b793762e382c4055bf9b659bc65b2
Instruction Fuzzy Hash: D3014C31A00218BBCB18EBA0CC11DFE73AAFF56360B08060BF876573C1EB745908A761

Function 00FD1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FD1C46

Strings

ComboBox, xrefs: 00FD1BE5
ListBox, xrefs: 00FD1C10

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 57329b6da3525ce72f125774ec36afaab5196f409596a0cfb8c4174c13258041
Instruction ID: 5773a5e149bdb4a50068d058281b14abbe00297073d3d18c21767afefb412232
Opcode Fuzzy Hash: 57329b6da3525ce72f125774ec36afaab5196f409596a0cfb8c4174c13258041
Instruction Fuzzy Hash: 8801F771B9010476DF19EB90CE52EFF73ADAB11340F18001BA40667382EA649E08A6B2

Function 00FD1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FD1CC8

Strings

ComboBox, xrefs: 00FD1C69
ListBox, xrefs: 00FD1C94

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 311a6c3f93135a8fa50e3b88ed7e75c71d8c260fb232b974e586620664d4b880
Instruction ID: b543826255a3f20289527fcdce72c4f12afc6d1e8800fdf5cdbbb9655f9dd260
Opcode Fuzzy Hash: 311a6c3f93135a8fa50e3b88ed7e75c71d8c260fb232b974e586620664d4b880
Instruction Fuzzy Hash: AC01A271B9011876CB15EBA0CE02EFE73ADAB11340F58001BB84677381EA659F18A672

Function 00FD1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F79CB3: _wcslen.LIBCMT ref: 00F79CBD

Part of subcall function 00FD3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00FD3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00FD1DD3

Strings

ComboBox, xrefs: 00FD1D75
ListBox, xrefs: 00FD1DA0

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2e34f57a46e538ca2de9fafa9d9422da372cb838b8c17b617a213f822ee48ee6
Instruction ID: b4fe6598b57381ef51f3e81484a529064e990df9092568f11bfcb10485df1fe5
Opcode Fuzzy Hash: 2e34f57a46e538ca2de9fafa9d9422da372cb838b8c17b617a213f822ee48ee6
Instruction Fuzzy Hash: A4F0F471B5421876DB18E7A4CC52FFF73AEBB11350F08091BB866673C1DBB85908A662

Function 00FF747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00FF7493
_wcslen.LIBCMT ref: 00FF74B9

Strings

3, 3, 16, 1, xrefs: 00FF7483

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 79cd15365bcacfb37c6cfc4ace4b53505d4e38d98a909c30d5a1b4f03ac6ab55
Instruction ID: 812c056f9b3d3673e251427164915d17d972511780d9e56904d3dcae215d10b2
Opcode Fuzzy Hash: 79cd15365bcacfb37c6cfc4ace4b53505d4e38d98a909c30d5a1b4f03ac6ab55
Instruction Fuzzy Hash: 0FE02B02A0432450A331327A9CC2D7FA689CFD9760710182FFA81C2276EA989D92B3A0

Function 00FD0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FD0B23

Strings

Error allocating memory., xrefs: 00FD0B1C
AutoIt, xrefs: 00FD0B17

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 3037dd47eacd322211c5c750cea1f34131ba99743be93fc9607b5a4edc27a672
Instruction ID: b1c7439045fdbaa3b894385452913a5594b09103065ecb16a0fcfee4c9047e1b
Opcode Fuzzy Hash: 3037dd47eacd322211c5c750cea1f34131ba99743be93fc9607b5a4edc27a672
Instruction Fuzzy Hash: 51E0D8322443083AF2253755BD07FC97B848F05B61F10446BF7D8995C3CED6249027A9

Function 00F90D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F8F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F90D71,?,?,?,00F7100A), ref: 00F8F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00F7100A), ref: 00F90D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F7100A), ref: 00F90D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F90D7F

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 67b3c62c7e0025ae3644f98d44680216cb54a677f9be923f46f03241b2d5fa4e
Instruction ID: ff8a14f2192c2fd5350c26510ae17c29b62b3381a03c5f3f39af66ce979d3735
Opcode Fuzzy Hash: 67b3c62c7e0025ae3644f98d44680216cb54a677f9be923f46f03241b2d5fa4e
Instruction Fuzzy Hash: 0BE06D742007418FF7319FB8D5087467BE4AF00B44F008A6EE8D6C6686DFB9E444AB91

Function 00FE3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FE302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FE3044

Strings

aut, xrefs: 00FE3038

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: c00af5eeaa97bfe73b85c2c3c2fd28b6d26af8807a5333518f6f6db1ced89526
Instruction ID: 728e77f4f0db5f2ad6922830030272358d9f1039a01460832370744303aadb1d
Opcode Fuzzy Hash: c00af5eeaa97bfe73b85c2c3c2fd28b6d26af8807a5333518f6f6db1ced89526
Instruction Fuzzy Hash: 96D05E7250032877EA30A7A5AD0EFCB3A6CDB05650F0002A1B699D6085DAB59A84CBD0

Function 00FCD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FCD220

Strings

%.3d, xrefs: 00FCD22B
X64, xrefs: 00FCD2A8

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: d1e98a4a7ba648848373851a64605c4305c1a4d1bd0d336f49a9cc2999db3197
Instruction ID: 21c792540a449d4b11f08d8348c879fa92408045d5a4255ff4f9d9cf04a5900a
Opcode Fuzzy Hash: d1e98a4a7ba648848373851a64605c4305c1a4d1bd0d336f49a9cc2999db3197
Instruction Fuzzy Hash: 05D012B2C0410AE9CB50A6D0CE47FFEB3BCEB49301F50847AF94AD2040D638C5487B61

Function 01002322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0100232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0100233F

Part of subcall function 00FDE97B: Sleep.KERNELBASE ref: 00FDE9F3

Strings

Shell_TrayWnd, xrefs: 01002325

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ade233482d219f94bf8c3da8200658c0a2b5646438c9d6a588d1f794f0b1ca58
Instruction ID: 8e8bbb5822f6de4255a9335bde037d51e18a81a92610a4b6310e1534aeaf9280
Opcode Fuzzy Hash: ade233482d219f94bf8c3da8200658c0a2b5646438c9d6a588d1f794f0b1ca58
Instruction Fuzzy Hash: C0D0223A380300B7F278B330DC0FFC67A08AB00B00F000A067385AE2C4C8FAA800CB50

Function 01002356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0100236C
PostMessageW.USER32(00000000), ref: 01002373

Part of subcall function 00FDE97B: Sleep.KERNELBASE ref: 00FDE9F3

Strings

Shell_TrayWnd, xrefs: 01002365

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b74783e4a17f15517dece5d4d6754690a4d77612b9b4cd73b0385c97a97640c2
Instruction ID: 210f5e3acdf102fbdbd4099b84841834dec11f606f7a7bc5cc654a439fe1c473
Opcode Fuzzy Hash: b74783e4a17f15517dece5d4d6754690a4d77612b9b4cd73b0385c97a97640c2
Instruction Fuzzy Hash: 5CD0A9363813007AF279B3309C0FFC67608AB04B00F000A067281AA2C4C8BAA8008B54

Function 00FABDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00FABE93
GetLastError.KERNEL32 ref: 00FABEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FABEFC

Memory Dump Source

Source File: 00000000.00000002.3269337049.0000000000F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F70000, based on PE: true

Associated: 00000000.00000002.3269320180.0000000000F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.000000000100C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269400623.0000000001032000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269444817.000000000103C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3269467067.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f70000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: f3310d70cc0a0eb98fca4f0a06bd86c9d2391cb2428a8937d20033104a20f37e
Instruction ID: 6c35050720114d488dec422ed55270311144d9573ce33b65f4bae85f1c6c0d65
Opcode Fuzzy Hash: f3310d70cc0a0eb98fca4f0a06bd86c9d2391cb2428a8937d20033104a20f37e
Instruction Fuzzy Hash: AD412D75A05246AFDF218FE4CC54BBA7BA9DF43330F184169F95997192DB318D00EB60

Source: Joe Sandbox View	IP Address: 13.107.246.57 13.107.246.57
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 172.64.41.3 172.64.41.3

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9

Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Mx9tg1GeheCSLR1&MD=CBHt6lMH HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /clientwebservice/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: fe3cr.delivery.mp.microsoft.com
Source: global traffic	HTTP traffic detected: GET /sls/ping HTTP/1.1Connection: Keep-AliveUser-Agent: DNS resiliency checker/1.0Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Mx9tg1GeheCSLR1&MD=CBHt6lMH HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Mx9tg1GeheCSLR1&MD=CBHt6lMH HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: play.google.com

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.165.132
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.165.132
Source: unknown	TCP traffic detected without corresponding DNS query: 172.217.165.132
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\04c6aa56-9f57-419a-9bde-0a0e4627af21.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\14471d28-7bf4-447a-ac19-71acd5b155f7.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\218c33b2-4ad2-4e8f-a430-05a961adea29.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\3fc43106-a348-4b9b-b1ae-5b2e561d126a.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\5944c7a5-676e-4988-bacc-f5299d32955c.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\627325ba-5c5b-4645-9781-d4df6b42557e.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\74095bdd-8b27-4ff4-b9d4-4903cbfc8f59.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\8a0873c2-d80e-47b9-b1be-dd662ff7257a.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\28a60655-5da3-442f-b98e-f606dc994f1c.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D1F3C1-1994.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D1F3C1-1BD4.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\0655f069-1e85-4c26-9345-976986ac5f0f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\0f6d13c1-7504-478e-96ef-50b53d97040b.tmp

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre