Edit tour

Windows Analysis Report
iexplore.exe

Overview

General Information

Sample Name:	iexplore.exe
Analysis ID:	1315715
MD5:	cfe2e6942ac1b72981b3105e22d3224e
SHA1:	8088e72e4ac09d5677fe4339f7823eeba445fb41
SHA256:	3aa971f794df79ec6e7d22a4d3b4f3eac1dfe8a8192601445baeffdf994e23e2
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	true
Confidence:	100%

Signatures

AV process strings found (often used to terminate AV products)

One or more processes crash

Tries to load missing DLLs

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Checks if the current process is being debugged

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Potential browser exploit detected (process start blacklist hit)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to search for IE or Outlook window (often done to steal information)

Classification

Process Tree

System is w10x64

iexplore.exe (PID: 7596 cmdline: C:\Users\user\Desktop\iexplore.exe MD5: CFE2E6942AC1B72981B3105E22D3224E)

WerFault.exe (PID: 7684 cmdline: C:\Windows\system32\WerFault.exe -u -p 7596 -s 708 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cleanup

Joe Sandbox Signatures

• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: iexplore.exe

Static PE information: certificate valid

Source: iexplore.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: iexplore.pdbUGP source: iexplore.exe
Source:	Binary string: iexplore.pdb source: iexplore.exe

Source: C:\Users\user\Desktop\iexplore.exe

Process created: C:\Windows\System32\WerFault.exe

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

Source: C:\Users\user\Desktop\iexplore.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 708

Source: C:\Users\user\Desktop\iexplore.exe

Section loaded: ieshims.dll

Jump to behavior

Source: iexplore.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\iexplore.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\iexplore.exe C:\Users\user\Desktop\iexplore.exe
Source: C:\Users\user\Desktop\iexplore.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 708

Source: C:\Windows\System32\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B22.tmp

Jump to behavior

Source: iexplore.exe	String found in binary or memory: -startmanager
Source: iexplore.exe	String found in binary or memory: kernelbase.dllRaiseFailFastExceptionwilonecore\internal\sdk\inc\wil\opensource\wil\resource.hWilError_03ntdll.dllRtlDisownModuleHeapAllocationRtlRegisterFeatureConfigurationChangeNotificationRtlUnregisterFeatureConfigurationChangeNotificationRtlNotifyFeatureUsageNtQueryWnfStateDataNtUpdateWnfStateDataRtlSubscribeWnfStateChangeNotificationRtlUnsubscribeWnfNotificationWaitForCompletiononecore\internal\sdk\inc\wil\Staging.hWilStaging_02SCODEF:CREDAT:-newtabIEFrame{28fb17e0-d393-439d-9a21-9474a070473a} -eval-new-nowaitkernel32.dllSetSearchPathModeInternet Explorer-ResetDestinationListResetDestinationList-embedding-startmanagerTerminateOnShutdownSoftware\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exeLocal\SM0:%d:%d:%hsm
Source: iexplore.exe	String found in binary or memory: Application-Addon-Event-ProviderOPCOT

Source: classification engine

Classification label: clean5.winEXE@2/6@0/0

Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: iexplore.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: iexplore.exe

Static PE information: certificate valid

Source: iexplore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: iexplore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: iexplore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: iexplore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: iexplore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: iexplore.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: iexplore.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: iexplore.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: iexplore.pdbUGP source: iexplore.exe
Source:	Binary string: iexplore.pdb source: iexplore.exe

Source: iexplore.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iexplore.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iexplore.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iexplore.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iexplore.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: iexplore.exe

Static PE information: section name: .didat

Source: iexplore.exe

Static PE information: 0x84C9557A [Sun Aug 5 13:45:30 2040 UTC]

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\iexplore.exe

Code function: 0_2_00007FF74F6216B0 InitializeCriticalSection,#798,CoCreateGuid,IsDebuggerPresent,#796,#797,#701,GetModuleHandleW,GetProcAddress,SetDllDirectoryW,SetErrorMode,GetCommandLineW,wcsncmp,LocalAlloc,StrStrIW,StrStrIW,StrStrIW,HeapSetInformation,#791,SetCurrentProcessExplicitAppUserModelID,StrStrIW,StrStrIW,FindWindowExW,GetWindowThreadProcessId,AllowSetForegroundWindow,StrStrIW,wcsncmp,iswspace,iswspace,iswspace,iswspace,wcsncmp,#796,StrStrIW,LocalFree,#650,#650,DeleteCriticalSection,RegGetValueW,GetCurrentProcess,TerminateProcess,

0_2_00007FF74F6216B0

Source: C:\Users\user\Desktop\iexplore.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\iexplore.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\iexplore.exe

Code function: 0_2_00007FF74F626280 memset,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_00007FF74F626280

Source: C:\Users\user\Desktop\iexplore.exe

Code function: 0_2_00007FF74F6221C0 DelayLoadFailureHook,LdrResolveDelayLoadedAPI,

0_2_00007FF74F6221C0

Source: C:\Users\user\Desktop\iexplore.exe	Code function: 0_2_00007FF74F622B90 SetUnhandledExceptionFilter,		0_2_00007FF74F622B90
Source: C:\Users\user\Desktop\iexplore.exe	Code function: 0_2_00007FF74F6228C4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF74F6228C4

Source: C:\Users\user\Desktop\iexplore.exe

Code function: 0_2_00007FF74F622D64 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,

0_2_00007FF74F622D64

Source: Amcache.hve.3.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: procexp.exe

Source: C:\Users\user\Desktop\iexplore.exe

0_2_00007FF74F6216B0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iexplore.exe	0%	ReversingLabs
iexplore.exe	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1315715
Start date and time:	2023-09-28 11:02:56 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	iexplore.exe
Detection:	CLEAN
Classification:	clean5.winEXE@2/6@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 6 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, tse1.mm.bing.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, g.bing.com, watson.telemetry.microsoft.com, arc.msn.com

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_iexplore.exe_4ea5210d13788e8dcd35822d64aeb95daa7e6_e4713376_1e60916c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8919208080555563
Encrypted:	false
SSDEEP:	96:C7FvaroopxkEQFrr4kzxDi5azpXIQcQSc6KcEccw3C81+HbHg/8BRTf3sQEShoxQ:cPopRgxHMOGMjB5mao/u7syS274lt5U
MD5:	EEC072583B9492FAA64F26EE74E6C76C
SHA1:	325AAE054F719AD644AC35F2B0831CD7CF770CC0
SHA-256:	745A266D1EC8BDBE40ECF16C6B079AA42F568E270738D1CBAB50C8D7DAF75346
SHA-512:	825C27F275500066D47036816CE3A3D5FF2D5D343CDF6487E1E4277F82F16534704BB1B35C000C69B22F0078E054FF28EE9D5A4629292BF54B7FA45869FB9AEC
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.0.3.6.5.4.2.1.7.8.1.8.7.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.0.3.6.5.4.2.2.1.2.5.6.2.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.9.3.2.c.1.9.0.-.7.5.9.b.-.4.c.9.1.-.a.d.5.e.-.2.4.8.2.0.e.4.5.5.1.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.5.8.f.f.e.0.-.d.d.6.5.-.4.3.4.6.-.9.a.e.8.-.d.5.2.2.f.5.0.a.0.b.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.i.e.x.p.l.o.r.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.E.X.P.L.O.R.E...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.c.-.0.0.0.1.-.0.0.2.8.-.9.1.1.9.-.0.9.a.d.e.a.f.1.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.2.f.f.6.4.b.3.4.3.b.a.3.8.8.f.1.1.e.8.a.f.d.1.7.6.e.e.6.4.a.c.0.0.0.0.0.9.0.4.!.0.0.0.0.8.0.8.8.e.7.2.e.4.a.c.0.9.d.5.6.7.7.f.e.4.3.3.9.f.7.8.2.3.e.e.b.a.4.4.5.f.b.4.1.!.i.e.x.p.l.o.r.e...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B22.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Sep 28 09:03:41 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	112636
Entropy (8bit):	1.435083871928686
Encrypted:	false
SSDEEP:	192:RvhwTTb+tEIDQMOGCzi9P/E/AC50Zf1xtt50wGMpt8rNaKQN0XgqfQUxhNBrPio2:7wTn+uI8lzmP8NwGuGaKPw0QU/Kl
MD5:	D9A62B02EF01FBF192780908FD9A8502
SHA1:	82341FCB16C449A5BB24FD9950AD49460C374A11
SHA-256:	42D88572AD204E4E2B079960428A82B87961462B1AC49247E4953FA8803564C9
SHA-512:	7CAA5012DFA95303FE3428A7E5EACA3F3469D3B6E824B01A7140BE37FF33D178EBF5B12B8548CAA58F722C4FF70F7C7CF73513A60F59E7630CB25E2132B62A67
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......mA.e............T...............\............F..........T.......8...........T...........0..............@...........,....................................................................U...........B..............Lw................&8R...T...........mA.e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BCF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8536
Entropy (8bit):	3.6982154919295027
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNikK9FX6YpYSDdgmfS41Sf+pr/89bFEzff1Xm:RrlsNiZv6YGSDdgmfS41STFwffY
MD5:	BE8E39AA8E654FEC7E3A06938CB74D63
SHA1:	89D2853E890C3ADC3874F6CB48A52782DB80B7C8
SHA-256:	D03FF4452B7E360DF18CA879E5BB52D0F271BAAE58C4FCD4E061EF137053DD88
SHA-512:	C7BA0AA1B7C817BA35920CAB86EA423E374307FC749C674DA00B2EBA80C7BA9807D36A75BD5B7EF855353A34E0067FBD59DEB6875E57A82D0DCBC0656E81A1BE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.9.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BEF.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4704
Entropy (8bit):	4.472501618934195
Encrypted:	false
SSDEEP:	48:cvIwSD8zsVJgtBI9asWgc8sqYjz8fm8M4JkGFtyq85Kl52eSd:uITfvcFgrsqY0JJp52eSd
MD5:	CAF1AD2A0EA1EEB8563C1619A148417D
SHA1:	B5730FDC92B2AAF24CFD21DF2E13B3C3F8FA1292
SHA-256:	8124C4A4398BA6C8021A6D0A59E9A1F2C7F4B7D919B4D57280E955B312838171
SHA-512:	3267592D01CF65E436686DC91A7D4E61B09D9C32660EEDEC9D5D66A626E5E59ED373A3FCF39DC49648C517A9C56896624CC17A22AD4DD209CFBB5D1F59D4D06B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2237414" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.402924115779506
Encrypted:	false
SSDEEP:	12288:/91ZG0ubj7ybGLGqoMK0UgAExAjeQGV1n1SYNnvRMkqGHrLTqqPGnu:11ZG0ubj7ybGLGLRu
MD5:	7BE59E75195682C9A0ECA71AD8119B9D
SHA1:	2E19EAB80954A4278B78276E4D3514C9CD4F317F
SHA-256:	D2DE1E947D3745C37F00708FEFEAFD1E9372FD4C2280D2E8FA9E7101A37C2F50
SHA-512:	0B7D4301FD14D182E2DC78C27F23094E72AA7AC22CFDDE0065A8BD8809E3FBAE1F5EB93BEECF88226C205B2E587F7B9DB3B19FB77141F40044DF105728D8D771
Malicious:	false
Reputation:	low
Preview:	regf........p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.2580636198111628
Encrypted:	false
SSDEEP:	768:8XlZza9LRftdgFfiYWzroe0eqniPTDv6AHF7m5DH+su:kDmLJpnokPlm5D
MD5:	091C8A9ED7A24E31FE401F2FB63AFB54
SHA1:	0ACB353424716D54143D65843FBB11150343D744
SHA-256:	D93D8D9529CC8B6C44A6841D51FCB0B4A97F9648C0BD4629798D4DA3677977D9
SHA-512:	A77EB0D8E50BFD9553350184CD721B1C1F7179D59020C4B483BA6D7643C258E1E445FCE3B1628B32B3B47860FFE158E08172F96CBE23E4868AF0C8F3C580191B
Malicious:	false
Reputation:	low
Preview:	regf........p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.......................................................................................................................................................................................................................................................................................................................................................HvLE.^..................y..`!..r..1..............@.......`........... ..hbin................p.\..,..........nk,.\|.9N.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .\|.9N........ ........................... .......Z.......................Root........lf......Root....nk .........................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.499091086326622
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iexplore.exe
File size:	834'512 bytes
MD5:	cfe2e6942ac1b72981b3105e22d3224e
SHA1:	8088e72e4ac09d5677fe4339f7823eeba445fb41
SHA256:	3aa971f794df79ec6e7d22a4d3b4f3eac1dfe8a8192601445baeffdf994e23e2
SHA512:	6685d24b4700c3f8c691412fe0dbbe2fd45067331d82cd5117b12544b94ab0311a2c92e4efc6f86f5e900be925329fffcbee778697d9b8dde7ee35a475a45da2
SSDEEP:	24576:rVe+4lGLbMMHMMMvMMZMMMKzb6XmMMMiMMMz8JMMHMMM6MMZMMMeXNMMzMMMUMM+:rVfMMHMMMvMMZMMMlmMMMiMMMYJMMHM7
TLSH:	36056C42F7C8D495E0B706318933C7658672FC659E20866F3199771E2E723C36AB2E1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ea.....L...L...L.xdL...L.k.M...L.k.M...L.k.M...L.k.M...L...L...L.k.M...L.k.L...L.k.M...LRich...L................PE..d...zU.....

File Icon


Icon Hash:	f6e955d375653911

Static PE Info

General

Entrypoint:	0x140002870
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x84C9557A [Sun Aug 5 13:45:30 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	7534c642bdcb1528e25e71d0ce72d8bb

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	9/2/2021 11:25:59 AM 9/1/2022 11:25:59 AM
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	E73EC761B09149A464F35E6532127D08
Thumbprint SHA-1:	44796EB5BD439B4BFB078E1DC2F8345AE313CBB1
Thumbprint SHA-256:	DE1C6B5E2219ED317E08701A91F86D41BEFA9E055693FDE97BE0B3132DB6A52B
Serial:	330000043A75E52F9E0B29981E00000000043A

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F59207FA4B0h
dec eax
add esp, 28h
jmp 00007F59207F9D43h
int3
int3
int3
int3
int3
int3
jmp dword ptr [00007C22h]
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [0000A821h]
jne 00007F59207F9FD2h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F59207F9FC3h
ret
dec eax
ror ecx, 10h
jmp 00007F59207FA007h
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0000796Bh]
dec eax
mov ecx, ebx
call dword ptr [0000796Ah]
call dword ptr [00007A0Ch]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00007A10h]
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [0000A8BDh]
call dword ptr [00007947h]
dec eax
mov eax, dword ptr [0000A9A8h]
dec eax
mov dword ptr [esp+48h], eax
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+50h]
dec eax
mov ecx, dword ptr [esp+48h]
call dword ptr [00007920h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc110	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0xbd5a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xe000	0x9fc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc9a00	0x21d0	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0x7c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xae80	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa188	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa060	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa1b0	0x3b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc040	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8104	0x8200	False	0.5466646634615384	data	6.060986894286644	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x2da2	0x2e00	False	0.42561141304347827	data	4.847622349387051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0xb0c	0x200	False	0.142578125	data	0.8446069096880334	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xe000	0x9fc	0xa00	False	0.51015625	data	4.496940667812367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0xf000	0x38	0x200	False	0.06640625	data	0.3458273094223054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0xbd5a0	0xbd600	False	0.6214727722772277	data	6.467242944476283	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0x7c	0x200	False	0.23046875	data	1.4440381339328998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
EDPENLIGHTENEDAPPINFOID	0x2c4a0	0x2	data	English	United States	5.0
EDPPERMISSIVEAPPINFOID	0x2c4a8	0x2	data	English	United States	5.0
MUI	0xcd448	0x158	data	English	United States	0.5581395348837209
WEVT_TEMPLATE	0x13130	0x1936a	data	English	United States	0.27772721110831383
RT_ICON	0x2c4b0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.30121951219512194
RT_ICON	0x2cb18	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.4381720430107527
RT_ICON	0x2ce00	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.5163934426229508
RT_ICON	0x2cfe8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6216216216216216
RT_ICON	0x2d110	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5983475479744137
RT_ICON	0x2dfb8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.753158844765343
RT_ICON	0x2e860	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.793778801843318
RT_ICON	0x2ef28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5924855491329479
RT_ICON	0x2f490	0xcbf1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.99860177364056
RT_ICON	0x3c088	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5134854771784232
RT_ICON	0x3e630	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6064727954971857
RT_ICON	0x3f6d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.669672131147541
RT_ICON	0x40060	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8466312056737588
RT_ICON	0x40588	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.24939024390243902
RT_ICON	0x40bf0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.40725806451612906
RT_ICON	0x40ed8	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4979508196721312
RT_ICON	0x410c0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.527027027027027
RT_ICON	0x411e8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5285181236673774
RT_ICON	0x42090	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7138989169675091
RT_ICON	0x42938	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.6405529953917051
RT_ICON	0x43000	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.42846820809248554
RT_ICON	0x43568	0x97d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.99570318530335
RT_ICON	0x4cd40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3183609958506224
RT_ICON	0x4f2e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.46318011257035646
RT_ICON	0x50390	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5254098360655738
RT_ICON	0x50d18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5319148936170213
RT_ICON	0x51240	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.32526881720430106
RT_ICON	0x51528	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.32581227436823107
RT_ICON	0x51dd0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.2227954971857411
RT_ICON	0x52ea8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.29973118279569894
RT_ICON	0x531a8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.39919354838709675
RT_ICON	0x53490	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.47635135135135137
RT_ICON	0x535b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7328519855595668
RT_ICON	0x53e60	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.45447976878612717
RT_ICON	0x543c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.47303001876172607
RT_ICON	0x55470	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5540780141843972
RT_ICON	0x55938	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.5295698924731183
RT_ICON	0x55c20	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5912162162162162
RT_ICON	0x55d48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7644404332129964
RT_ICON	0x565f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4667630057803468
RT_ICON	0x56b58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5771575984990619
RT_ICON	0x57c00	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5629432624113475
RT_ICON	0x580c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.3978494623655914
RT_ICON	0x583b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.4187725631768953
RT_ICON	0x58c58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.44606003752345214
RT_ICON	0x59d30	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.5
RT_ICON	0x5a018	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6800541516245487
RT_ICON	0x5a8c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.43597560975609756
RT_ICON	0x5b998	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.45161290322580644
RT_ICON	0x5bc80	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5506756756756757
RT_ICON	0x5bda8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6484657039711191
RT_ICON	0x5c650	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4913294797687861
RT_ICON	0x5cbb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.4054878048780488
RT_ICON	0x5dc60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5159574468085106
RT_ICON	0x5e128	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.3709677419354839
RT_ICON	0x5e410	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5777027027027027
RT_ICON	0x5e560	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5371621621621622
RT_ICON	0x5e688	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.23916184971098267
RT_ICON	0x5ebf0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3271276595744681
RT_ICON	0x5f088	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5033783783783784
RT_ICON	0x5f1b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.2940751445086705
RT_ICON	0x5f718	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.49379432624113473
RT_ICON	0x5fbb0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.527027027027027
RT_ICON	0x5fcd8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.42846820809248554
RT_ICON	0x60240	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5319148936170213
RT_ICON	0x606d8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.24939024390243902
RT_ICON	0x60d40	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.40725806451612906
RT_ICON	0x61028	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.527027027027027
RT_ICON	0x61150	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5285181236673774
RT_ICON	0x61ff8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7138989169675091
RT_ICON	0x628a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.42846820809248554
RT_ICON	0x62e08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3183609958506224
RT_ICON	0x653b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.46318011257035646
RT_ICON	0x66458	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5319148936170213
RT_ICON	0x66948	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.3978494623655914
RT_ICON	0x66c30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5472972972972973
RT_ICON	0x66d58	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.4187725631768953
RT_ICON	0x67600	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3345375722543353
RT_ICON	0x67b68	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.44606003752345214
RT_ICON	0x68c10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5700354609929078
RT_ICON	0x690d8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.43010752688172044
RT_ICON	0x693c0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5641891891891891
RT_ICON	0x694e8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7328519855595668
RT_ICON	0x69d90	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4819364161849711
RT_ICON	0x6a2f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.49929643527204504
RT_ICON	0x6b3a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5718085106382979
RT_ICON	0x6b868	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.43010752688172044
RT_ICON	0x6bb50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5641891891891891
RT_ICON	0x6bc78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7328519855595668
RT_ICON	0x6c520	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4819364161849711
RT_ICON	0x6ca88	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.49929643527204504
RT_ICON	0x6db30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5718085106382979
RT_ICON	0x6dff8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.43010752688172044
RT_ICON	0x6e2e0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5641891891891891
RT_ICON	0x6e408	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7328519855595668
RT_ICON	0x6ecb0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4819364161849711
RT_ICON	0x6f218	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.49929643527204504
RT_ICON	0x702c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5718085106382979
RT_ICON	0x70788	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.6438172043010753
RT_ICON	0x70a70	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6790540540540541
RT_ICON	0x70b98	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7879061371841155
RT_ICON	0x71440	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.6604046242774566
RT_ICON	0x719a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6669793621013134
RT_ICON	0x72a50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7703900709219859
RT_ICON	0x72f18	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.4825268817204301
RT_ICON	0x73200	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5844594594594594
RT_ICON	0x73328	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.5473826714801444
RT_ICON	0x73bd0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.31286127167630057
RT_ICON	0x74138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3949343339587242
RT_ICON	0x751e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.37056737588652483
RT_ICON	0x756a8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.4435483870967742
RT_ICON	0x75990	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6827617328519856
RT_ICON	0x76238	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.449577861163227
RT_ICON	0x77310	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.5631720430107527
RT_ICON	0x775f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.5135379061371841
RT_ICON	0x77ea0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.30112570356472795
RT_ICON	0x78f78	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.32439024390243903
RT_ICON	0x795e0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.47580645161290325
RT_ICON	0x798c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5675675675675675
RT_ICON	0x799f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.4669509594882729
RT_ICON	0x7a898	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.4444945848375451
RT_ICON	0x7b140	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.4031791907514451
RT_ICON	0x7b6a8	0x414c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9864800191433357
RT_ICON	0x7f7f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.25155601659751037
RT_ICON	0x81da0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.32833020637898686
RT_ICON	0x82e48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5088652482269503
RT_ICON	0x83348	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.30121951219512194
RT_ICON	0x839b0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.4381720430107527
RT_ICON	0x83c98	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.5163934426229508
RT_ICON	0x83e80	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6216216216216216
RT_ICON	0x83fa8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5983475479744137
RT_ICON	0x84e50	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.753158844765343
RT_ICON	0x856f8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.793778801843318
RT_ICON	0x85dc0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5924855491329479
RT_ICON	0x86328	0xcbf1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.99860177364056
RT_ICON	0x92f20	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5134854771784232
RT_ICON	0x954c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6064727954971857
RT_ICON	0x96570	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.669672131147541
RT_ICON	0x96ef8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8466312056737588
RT_ICON	0x97420	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.24939024390243902
RT_ICON	0x97a88	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.40725806451612906
RT_ICON	0x97d70	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4979508196721312
RT_ICON	0x97f58	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.527027027027027
RT_ICON	0x98080	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5285181236673774
RT_ICON	0x98f28	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7138989169675091
RT_ICON	0x997d0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.6405529953917051
RT_ICON	0x99e98	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.42846820809248554
RT_ICON	0x9a400	0x97d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.99570318530335
RT_ICON	0xa3bd8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3183609958506224
RT_ICON	0xa6180	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.46318011257035646
RT_ICON	0xa7228	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5254098360655738
RT_ICON	0xa7bb0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5319148936170213
RT_ICON	0xa80d8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.30121951219512194
RT_ICON	0xa8740	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.4381720430107527
RT_ICON	0xa8a28	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.5163934426229508
RT_ICON	0xa8c10	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6216216216216216
RT_ICON	0xa8d38	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5983475479744137
RT_ICON	0xa9be0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.753158844765343
RT_ICON	0xaa488	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.793778801843318
RT_ICON	0xaab50	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5924855491329479
RT_ICON	0xab0b8	0xcbf1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.99860177364056
RT_ICON	0xb7cb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5134854771784232
RT_ICON	0xba258	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6064727954971857
RT_ICON	0xbb300	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.669672131147541
RT_ICON	0xbbc88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8466312056737588
RT_ICON	0xbc1b0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.24939024390243902
RT_ICON	0xbc818	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.40725806451612906
RT_ICON	0xbcb00	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4979508196721312
RT_ICON	0xbcce8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.527027027027027
RT_ICON	0xbce10	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5285181236673774
RT_ICON	0xbdcb8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7138989169675091
RT_ICON	0xbe560	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.6405529953917051
RT_ICON	0xbec28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.42846820809248554
RT_ICON	0xbf190	0x97d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.99570318530335
RT_ICON	0xc8968	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.3183609958506224
RT_ICON	0xcaf10	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.46318011257035646
RT_ICON	0xcbfb8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5254098360655738
RT_ICON	0xcc940	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5319148936170213
RT_GROUP_ICON	0xbc0f0	0xbc	data	English	United States	0.6382978723404256
RT_GROUP_ICON	0x97360	0xbc	data	English	United States	0.6382978723404256
RT_GROUP_ICON	0xccda8	0xbc	data	English	United States	0.6382978723404256
RT_GROUP_ICON	0xa8018	0xbc	data	English	United States	0.6382978723404256
RT_GROUP_ICON	0x404c8	0xbc	data	English	United States	0.6117021276595744
RT_GROUP_ICON	0x51180	0xbc	data	English	United States	0.6276595744680851
RT_GROUP_ICON	0x52e78	0x30	data	English	United States	0.9583333333333334
RT_GROUP_ICON	0x53190	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x58068	0x5a	data	English	United States	0.7444444444444445
RT_GROUP_ICON	0x558d8	0x5a	data	English	United States	0.7444444444444445
RT_GROUP_ICON	0x59d00	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x5b968	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x5e538	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x5e0c8	0x5a	data	English	United States	0.7555555555555555
RT_GROUP_ICON	0x72eb8	0x5a	data	English	United States	0.7444444444444445
RT_GROUP_ICON	0x5f058	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x5fb80	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x606a8	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x75648	0x5a	data	English	United States	0.7444444444444445
RT_GROUP_ICON	0x668c0	0x84	data	English	United States	0.6590909090909091
RT_GROUP_ICON	0x69078	0x5a	data	English	United States	0.7666666666666667
RT_GROUP_ICON	0x6b808	0x5a	data	English	United States	0.7666666666666667
RT_GROUP_ICON	0x6df98	0x5a	data	English	United States	0.7666666666666667
RT_GROUP_ICON	0x70728	0x5a	data	English	United States	0.7555555555555555
RT_GROUP_ICON	0x772e0	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x78f48	0x30	data	English	United States	0.9791666666666666
RT_GROUP_ICON	0x832b0	0x92	data	English	United States	0.678082191780822
RT_VERSION	0xcce68	0x5e0	data	English	United States	0.28523936170212766
RT_MANIFEST	0x12960	0x7c9	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3622679377822378

Imports

DLL	Import
USER32.dll	GetWindowThreadProcessId, AllowSetForegroundWindow, FindWindowExW, SendMessageTimeoutW, IsWindowVisible, SetUserObjectInformationW, IsWindowEnabled
msvcrt.dll	_onexit, __dllonexit, _unlock, _lock, memset, _commode, __C_specific_handler, _vsnwprintf, memcpy_s, iswspace, ?terminate@@YAXXZ, _purecall, memmove_s, _fmode, _wcmdln, _initterm, __setusermatherr, _cexit, _exit, exit, __set_app_type, wcsncmp, free, _XcptFilter, _amsg_exit, __wgetmainargs, memcmp
KERNEL32.dll	CreateThreadpoolTimer, ReleaseSRWLockShared, SetThreadpoolTimer, CloseHandle, HeapSetInformation, WaitForSingleObjectEx, DelayLoadFailureHook, ResolveDelayLoadedAPI, GetProcAddress, HeapAlloc, OpenSemaphoreW, IsDebuggerPresent, AcquireSRWLockExclusive, GetTickCount, GetSystemTimeAsFileTime, QueryPerformanceCounter, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetStartupInfoW, Sleep, CloseThreadpoolTimer, SetDllDirectoryW, DebugBreak, GetModuleHandleW, GetProcessHeap, GetCurrentProcessId, DeleteCriticalSection, AcquireSRWLockShared, LocalFree, GetModuleFileNameA, CreateSemaphoreExW, HeapFree, SetLastError, EnterCriticalSection, GetCommandLineW, GetCurrentProcess, ReleaseSemaphore, GetModuleHandleExW, TerminateProcess, LeaveCriticalSection, InitializeCriticalSection, SetErrorMode, InitializeCriticalSectionEx, WaitForThreadpoolTimerCallbacks, WaitForSingleObject, LocalAlloc, GetCurrentThreadId, ReleaseMutex, FormatMessageW, GetLastError, ReleaseSRWLockExclusive, OutputDebugStringW, CreateMutexExW
api-ms-win-downlevel-advapi32-l1-1-0.dll	RegGetValueW, EventRegister, EventWriteTransfer, EventWriteEx, EventUnregister
api-ms-win-downlevel-shell32-l1-1-0.dll	SetCurrentProcessExplicitAppUserModelID
ADVAPI32.dll	EventSetInformation
iertutil.dll
api-ms-win-downlevel-shlwapi-l1-1-0.dll	StrStrIW
api-ms-win-downlevel-ole32-l1-1-0.dll	CoCreateGuid

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• iexplore.exe
• WerFault.exe

Click to jump to process

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• iexplore.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	11:03:41
Start date:	28/09/2023
Path:	C:\Users\user\Desktop\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\iexplore.exe
Imagebase:	0x7ff74f620000
File size:	834'512 bytes
MD5 hash:	CFE2E6942AC1B72981B3105E22D3224E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:03:41
Start date:	28/09/2023
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7596 -s 708
Imagebase:	0x7ff702890000
File size:	494'488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.8%
Total number of Nodes:	757
Total number of Limit Nodes:	4

Executed Functions

Function 00007FF74F6216B0 Relevance: 103.9, APIs: 41, Strings: 18, Instructions: 629memoryregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF74F626780: EventRegister.API-MS-WIN-DOWNLEVEL-ADVAPI32-L1-1-0(?,?,?,?,00007FF74F6216CF), ref: 00007FF74F6267A7

InitializeCriticalSection.KERNEL32 ref: 00007FF74F6216F4
#798.IERTUTIL ref: 00007FF74F621710
CoCreateGuid.API-MS-WIN-DOWNLEVEL-OLE32-L1-1-0 ref: 00007FF74F621730
IsDebuggerPresent.KERNEL32 ref: 00007FF74F621770
#796.IERTUTIL ref: 00007FF74F6217CE
#797.IERTUTIL ref: 00007FF74F62181F
#701.IERTUTIL ref: 00007FF74F621862
GetModuleHandleW.KERNEL32 ref: 00007FF74F621896
GetProcAddress.KERNEL32 ref: 00007FF74F6218B1
SetDllDirectoryW.KERNEL32 ref: 00007FF74F6218D4
SetErrorMode.KERNELBASE ref: 00007FF74F6218E5
GetCommandLineW.KERNEL32 ref: 00007FF74F6218F1
wcsncmp.MSVCRT ref: 00007FF74F621910
LocalAlloc.KERNEL32 ref: 00007FF74F6219B9
StrStrIW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0 ref: 00007FF74F621A5C
StrStrIW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0 ref: 00007FF74F621ABC
StrStrIW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0 ref: 00007FF74F621B19
HeapSetInformation.KERNEL32 ref: 00007FF74F621B9B
#791.IERTUTIL ref: 00007FF74F621BB1
SetCurrentProcessExplicitAppUserModelID.API-MS-WIN-DOWNLEVEL-SHELL32-L1-1-0 ref: 00007FF74F621BD1
StrStrIW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0 ref: 00007FF74F621BF6
StrStrIW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0 ref: 00007FF74F621CA0
FindWindowExW.USER32 ref: 00007FF74F621CFF
GetWindowThreadProcessId.USER32 ref: 00007FF74F621D1A
AllowSetForegroundWindow.USER32 ref: 00007FF74F621D29
StrStrIW.API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0 ref: 00007FF74F621D67
wcsncmp.MSVCRT ref: 00007FF74F621DE9
iswspace.MSVCRT ref: 00007FF74F621E05
iswspace.MSVCRT ref: 00007FF74F621E23
iswspace.MSVCRT ref: 00007FF74F621E36
iswspace.MSVCRT ref: 00007FF74F621E4E
wcsncmp.MSVCRT ref: 00007FF74F621E6E
#796.IERTUTIL ref: 00007FF74F621EBE
LocalFree.KERNEL32 ref: 00007FF74F621FC9
#650.IERTUTIL ref: 00007FF74F62202D
#650.IERTUTIL ref: 00007FF74F62205E
DeleteCriticalSection.KERNEL32 ref: 00007FF74F622097
RegGetValueW.API-MS-WIN-DOWNLEVEL-ADVAPI32-L1-1-0 ref: 00007FF74F6220EA
GetCurrentProcess.KERNEL32 ref: 00007FF74F62210C
TerminateProcess.KERNEL32 ref: 00007FF74F62211E

Strings

Microsoft.InternetExplorer.Default, xrefs: 00007FF74F621BBF
kernel32.dll, xrefs: 00007FF74F62188F
TerminateOnShutdown, xrefs: 00007FF74F6220BA
{28fb17e0-d393-439d-9a21-9474a070473a} , xrefs: 00007FF74F621903
Internet Explorer, xrefs: 00007FF74F621814
-startmanager, xrefs: 00007FF74F621F73
-nowait, xrefs: 00007FF74F621B0F
-newtab, xrefs: 00007FF74F621C96, 00007FF74F621D5A
SCODEF:, xrefs: 00007FF74F621DDF
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe, xrefs: 00007FF74F6220D1
IEFrame, xrefs: 00007FF74F621CF3
CREDAT:, xrefs: 00007FF74F621E64
-eval, xrefs: 00007FF74F621A52
-new, xrefs: 00007FF74F621AB2
-embedding, xrefs: 00007FF74F621F35
Microsoft.InternetExplorer.Preview, xrefs: 00007FF74F621BC6
-ResetDestinationList, xrefs: 00007FF74F621BEA
SetSearchPathMode, xrefs: 00007FF74F6218A7

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: Processiswspace$Windowwcsncmp$#650#796CriticalCurrentLocalSection$#701#791#797#798AddressAllocAllowCommandCreateDebuggerDeleteDirectoryErrorEventExplicitFindForegroundFreeGuidHandleHeapInformationInitializeLineModeModelModulePresentProcRegisterTerminateThreadUserValue
String ID: -ResetDestinationList$-embedding$-eval$-new$-newtab$-nowait$-startmanager$CREDAT:$IEFrame$Internet Explorer$Microsoft.InternetExplorer.Default$Microsoft.InternetExplorer.Preview$SCODEF:$SetSearchPathMode$Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe$TerminateOnShutdown$kernel32.dll${28fb17e0-d393-439d-9a21-9474a070473a}
API String ID: 1949848870-2116736064
Opcode ID: 762590f9113d3af421c02a10faf9599919a5ec7930af5be852b4aeee5980121c
Instruction ID: 94140104a543353fea46c356f9e2b5040c00417408bcffc181b365c2945d7b33
Opcode Fuzzy Hash: 762590f9113d3af421c02a10faf9599919a5ec7930af5be852b4aeee5980121c
Instruction Fuzzy Hash: 3C523E25A0C6C2C6EB20BB50E8102F9B6AAFF45B85F869135CA4E43794DF7DA445C723

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F6221C0 Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrResolveDelayLoadedAPI.NTDLL ref: 00007FF74F6221EB

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: DelayLoadedResolve
String ID:
API String ID: 841769287-0
Opcode ID: fd89166e9313d2547a46168cd6d01029742f4c44403c20cb216b718d438abc21
Instruction ID: 3075aa67631a49bd79260b9bbd45517179730e2dbf0cb724763070900d787cc2
Opcode Fuzzy Hash: fd89166e9313d2547a46168cd6d01029742f4c44403c20cb216b718d438abc21
Instruction Fuzzy Hash: 14E0BD7490CAC2C6E610BB00EC041A9BBAAFB49798FC24136DD4C83324DF3CA1548B13

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F622B90 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNELBASE ref: 00007FF74F622B9B

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f287afc6fd8ae868f8f6214d16c592652df8966cb88c41ca673cac106e70ef23
Instruction ID: fc0b9898f326470458bf98d89f1a638386f0d92b5566a30a46824fa660e38fe8
Opcode Fuzzy Hash: f287afc6fd8ae868f8f6214d16c592652df8966cb88c41ca673cac106e70ef23
Instruction Fuzzy Hash: 67B09214E2E482C1E604BB21DC950A452A5BB5C305FC20830C00D86120EE6C91AB8713

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F622600 Relevance: 10.6, APIs: 7, Instructions: 143
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF74F622628
Sleep.KERNEL32 ref: 00007FF74F62265F
_amsg_exit.MSVCRT ref: 00007FF74F62267D
_initterm.MSVCRT ref: 00007FF74F622708
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF74F622735
exit.MSVCRT ref: 00007FF74F6227DA
_cexit.MSVCRT ref: 00007FF74F6227E9

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_cexit_inittermexit
String ID:
API String ID: 642454821-0
Opcode ID: e734e849fc222a78f7db0f43c1a720059c7842eede69e40175245adcea5765f7
Instruction ID: eae9a2aecc826a2c321581f337d3f2d92be324933bc91e8ed2c27b71d016cea4
Opcode Fuzzy Hash: e734e849fc222a78f7db0f43c1a720059c7842eede69e40175245adcea5765f7
Instruction Fuzzy Hash: FD611A22A0D683C2FB60BF10ED406B9B2AAFB54780F964435D94D576A8DF3CE8419723

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F622150 Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#701.IERTUTIL ref: 00007FF74F62216A

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: #701
String ID:
API String ID: 1014962704-0
Opcode ID: 7a5347c738d304c9b440640a1c2f359192b4627c723dab30d68333a853e82a82
Instruction ID: df82007257e8bafb1e71603a9359543227e0489b79c8f2e7ff11933e30121404
Opcode Fuzzy Hash: 7a5347c738d304c9b440640a1c2f359192b4627c723dab30d68333a853e82a82
Instruction Fuzzy Hash: 88011E31A0C682C7F720BF15AC445B8EAAAFB49744F864538DB4DC3264DB3CE5048663

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F6225B0 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.KERNELBASE ref: 00007FF74F6225E8

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: ac8620aa60852997f68d015af7cd2ee7313d39221b728e796da7eb808a66c23c
Instruction ID: f963af2d0ebe3082be3836515206d2e117115ed7f48d89b70ab4cf22e127bc5c
Opcode Fuzzy Hash: ac8620aa60852997f68d015af7cd2ee7313d39221b728e796da7eb808a66c23c
Instruction Fuzzy Hash: 62E07574E0C6D3D6EA00BB10EC494E0B7AABB25348FC24032C84C53AB0DE3CA159CB63

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF74F622D64 Relevance: 9.0, APIs: 6, Instructions: 49
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF74F622D94
GetCurrentProcessId.KERNEL32 ref: 00007FF74F622DA2
GetCurrentThreadId.KERNEL32 ref: 00007FF74F622DAE
GetTickCount.KERNEL32 ref: 00007FF74F622DBA
GetTickCount.KERNEL32 ref: 00007FF74F622DCA
QueryPerformanceCounter.KERNEL32 ref: 00007FF74F622DE5

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: 8e8f9e4056e2bbebc1ed311f54f3e1c5b6b820bcf261d82402f450724497577d
Instruction ID: eb4c5720d32554e2b3cdc7d21f3d0686063387928ed97b4b7a3575b217011a52
Opcode Fuzzy Hash: 8e8f9e4056e2bbebc1ed311f54f3e1c5b6b820bcf261d82402f450724497577d
Instruction Fuzzy Hash: 3C112421609B81CAEB00FF60EC441A473A9FB09758F850A35EA5D47794DF7CD5A48752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F626280 Relevance: 9.0, APIs: 7, Instructions: 208
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF74F6262BE

Part of subcall function 00007FF74F625E40: GetProcAddress.KERNEL32 ref: 00007FF74F625E6B

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF74F625DEC), ref: 00007FF74F62635D
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF74F625DEC), ref: 00007FF74F626371
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF74F625DEC), ref: 00007FF74F62637D
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF74F625DEC), ref: 00007FF74F626391
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF74F625DEC), ref: 00007FF74F626545
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF74F625DEC), ref: 00007FF74F626559

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: Heap$Process$Free$AddressAllocProcmemset
String ID:
API String ID: 2515388404-0
Opcode ID: 428b59a5c627357b6c47cd94d171436bf6ea1c0a8a756d576f1fb126026135ba
Instruction ID: bf362cc50aa43f12d1fbea9936e2c423b058ffa64d0112f6f7977a91e267e0cb
Opcode Fuzzy Hash: 428b59a5c627357b6c47cd94d171436bf6ea1c0a8a756d576f1fb126026135ba
Instruction Fuzzy Hash: 85916D32A08B91CAEB20FF65E8404A9B7A5FB48B48B898535DE8E53754DF39D054C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F6275E0 Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 153
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FormatMessageW.KERNEL32 ref: 00007FF74F6276C7
GetCurrentThreadId.KERNEL32 ref: 00007FF74F62774B

Strings

[%hs(%hs)], xrefs: 00007FF74F627806
LogHr, xrefs: 00007FF74F627681
Exception, xrefs: 00007FF74F627693
FailFast, xrefs: 00007FF74F627678
Msg:[%ws] , xrefs: 00007FF74F6277C4
[%hs], xrefs: 00007FF74F62781F
(caller: %p) , xrefs: 00007FF74F627736
%hs!%p: , xrefs: 00007FF74F627713
%hs(%d) tid(%x) %08X %ws, xrefs: 00007FF74F627764
%hs(%u)\%hs!%p: , xrefs: 00007FF74F6276F3
CallContext:[%hs] , xrefs: 00007FF74F6277DF
ReturnHr, xrefs: 00007FF74F62768A
, xrefs: 00007FF74F6277A9

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-3173542853
Opcode ID: c305d1960df873b23188e55ad2329bcf09f9214f711e6ebf8f7b75fb575bf485
Instruction ID: 822198fd8a8387c54b9fe23fe7436a314f605b02aba5ccf86b68e276f87ad970
Opcode Fuzzy Hash: c305d1960df873b23188e55ad2329bcf09f9214f711e6ebf8f7b75fb575bf485
Instruction Fuzzy Hash: 55613761A0CAC2C1EA64FF51AC54AE5A3AAFB44B88F864136DE4D13794DF3CE405C623

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F627CB0 Relevance: 12.1, APIs: 8, Instructions: 102
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,00007FF74F628D3C), ref: 00007FF74F627CC2

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 311056b2069fe22c9f6a453dd4702220405004c7f4f79dbab0d936f72ecc0ab7
Instruction ID: c8996e6f9a68eaf386787a09116a663a427c3ffdec00a42ede0b5ea26af8f91a
Opcode Fuzzy Hash: 311056b2069fe22c9f6a453dd4702220405004c7f4f79dbab0d936f72ecc0ab7
Instruction Fuzzy Hash: 27414531A0C6C2C6E7607B25DC406F9E667EF85750F969235DA4E83794DF3CD8448A23

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F6240E4 Relevance: 9.1, APIs: 6, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AcquireSRWLockShared.KERNEL32(?,?,?,?,?,00007FF74F62421E,?,?,?,?,00007FF74F622FEC), ref: 00007FF74F624105
ReleaseSRWLockShared.KERNEL32(?,?,?,?,?,00007FF74F62421E,?,?,?,?,00007FF74F622FEC), ref: 00007FF74F624125
EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF74F62421E,?,?,?,?,00007FF74F622FEC), ref: 00007FF74F624145
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF74F62421E,?,?,?,?,00007FF74F622FEC), ref: 00007FF74F624154
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00007FF74F62421E,?,?,?,?,00007FF74F622FEC), ref: 00007FF74F6241AC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF74F62421E,?,?,?,?,00007FF74F622FEC), ref: 00007FF74F6241D1

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: Lock$AcquireCriticalExclusiveReleaseSectionShared$EnterLeave
String ID:
API String ID: 3221859647-0
Opcode ID: ac8a0eec957fd3451228aa59b364505a3a3f261b1bede1026a51b482b7202545
Instruction ID: 32fa785449a28a27b488d39c39b5742190d2207b52237c1ec12c5ae5dfb9bdcc
Opcode Fuzzy Hash: ac8a0eec957fd3451228aa59b364505a3a3f261b1bede1026a51b482b7202545
Instruction Fuzzy Hash: 27315E22A0CA91C6EA11BF11A9041BAFB66FB99F90B8A9130DE0E17B05CF3CD4458713

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F628C10 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

OpenSemaphoreW.KERNEL32 ref: 00007FF74F628CE3
GetLastError.KERNEL32 ref: 00007FF74F628CF9
OpenSemaphoreW.KERNEL32 ref: 00007FF74F628DE9

Strings

_p0, xrefs: 00007FF74F628C94

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: OpenSemaphore$ErrorLast
String ID: _p0
API String ID: 3042991519-2437413317
Opcode ID: 06f6d63e7a808263af5b1a45eb0c5cd3e88966f292146e1fdad6c838f392df62
Instruction ID: de796c60b7e3b8bf7cc7844c940a78355bcda69ce481720f9c54380b891c7d41
Opcode Fuzzy Hash: 06f6d63e7a808263af5b1a45eb0c5cd3e88966f292146e1fdad6c838f392df62
Instruction Fuzzy Hash: 5D617122B0C7C2C6EA20BB659C501FAA2AAEF95780FD64532DA4D43B95DF3CD905C712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F626F18 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF74F626F44
CreateMutexExW.KERNEL32 ref: 00007FF74F626F8F

Part of subcall function 00007FF74F625C68: GetLastError.KERNEL32 ref: 00007FF74F625C8A

Strings

Local\SM0:%d:%d:%hs, xrefs: 00007FF74F626F55
x, xrefs: 00007FF74F626F5F

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexProcess
String ID: Local\SM0:%d:%d:%hs$x
API String ID: 3298007088-4178846994
Opcode ID: ef2503423aa31f09ab1b4e4e6865b8e5012a9e4eeae409d4bfa19e10f7428300
Instruction ID: a4794e63ae78da90ce32877dc39ff642bf73b663c62c008476da00d6e656c262
Opcode Fuzzy Hash: ef2503423aa31f09ab1b4e4e6865b8e5012a9e4eeae409d4bfa19e10f7428300
Instruction Fuzzy Hash: 7531403261C6C2C2EB50BB24E8947EAE366EB88784F815035EA4E87695DF7CD544C713

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F625740 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF74F62575F
GetProcAddress.KERNEL32 ref: 00007FF74F625775

Strings

kernelbase.dll, xrefs: 00007FF74F625755
RaiseFailFastException, xrefs: 00007FF74F62576E

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RaiseFailFastException$kernelbase.dll
API String ID: 1646373207-919018592
Opcode ID: 90237418f5489c81e568102f06743583406f8a2b20e5fed18a6678c408f941af
Instruction ID: d6769c9e18ca376a5a16f984f57ac291bf168580c4cf07838161dc440da3329f
Opcode Fuzzy Hash: 90237418f5489c81e568102f06743583406f8a2b20e5fed18a6678c408f941af
Instruction Fuzzy Hash: E4F01721A1DA91C2EA00BB02F9400A9EB66FB49FC0B899035DA0E07B14CF7CD4458712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F6228A0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF74F622913
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF74F622932
RtlVirtualUnwind.KERNEL32 ref: 00007FF74F62297F
__raise_securityfailure.LIBCMT ref: 00007FF74F622A64

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: b5a2cf00e08f24f35519b55053e37a0498c6299b266642f78a809fcaf47f59d5
Instruction ID: d6eab7f804b652e12f79621e5e2e9a697a8bb19922172536615a01333a446884
Opcode Fuzzy Hash: b5a2cf00e08f24f35519b55053e37a0498c6299b266642f78a809fcaf47f59d5
Instruction Fuzzy Hash: C6419425A0DB82C1EA50BB05EC443A5A369FB84744F924136DA8D437A4DF7DD444C722

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F625424 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FF74F6254E8,?,?,?,?,?,?,?,?,00007FF74F6224B5), ref: 00007FF74F625445
AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF74F6254E8,?,?,?,?,?,?,?,?,00007FF74F6224B5), ref: 00007FF74F625454
ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF74F6254E8,?,?,?,?,?,?,?,?,00007FF74F6224B5), ref: 00007FF74F62548B
LeaveCriticalSection.KERNEL32(?,?,?,00007FF74F6254E8,?,?,?,?,?,?,?,?,00007FF74F6224B5), ref: 00007FF74F62549F

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: CriticalExclusiveLockSection$AcquireEnterLeaveRelease
String ID:
API String ID: 1115728412-0
Opcode ID: 0f7df9b6096091a0eda25337a9051e2c79742103f04dcbea3f569fa167144b4c
Instruction ID: 53f57794cbd0a733531a42cbbc459ca14ad12dbf43718eb56492db4e44e028d8
Opcode Fuzzy Hash: 0f7df9b6096091a0eda25337a9051e2c79742103f04dcbea3f569fa167144b4c
Instruction Fuzzy Hash: 54012D22A1CBC2C2DA14BF11A9540B8EB66FB8AFC57999131DE4E03714DF3CD4818702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F6235F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF74F623625
CreateMutexExW.KERNEL32 ref: 00007FF74F62366D

Part of subcall function 00007FF74F625C68: GetLastError.KERNEL32 ref: 00007FF74F625C8A

Strings

Local\SM0:%d:%d:%hs, xrefs: 00007FF74F623636

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: CreateCurrentErrorLastMutexProcess
String ID: Local\SM0:%d:%d:%hs
API String ID: 3298007088-4162240545
Opcode ID: a03f0cf941183372015bcfc4ec3ea1b60ba38ffcc7d119e64e780811779cb604
Instruction ID: c21c3a5d0c7c8b4b58a98c59891152581b541fc1c3d697b2dd4bd74ba4a2ff3c
Opcode Fuzzy Hash: a03f0cf941183372015bcfc4ec3ea1b60ba38ffcc7d119e64e780811779cb604
Instruction Fuzzy Hash: 7341313261CB82C6EB10BB15E8417EAA3AAFB88740F815035EA4D47795DF7CD505CB13

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF74F627084 Relevance: 5.0, APIs: 4, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,00007FF74F626E68,?,?,?,00007FF74F62826F), ref: 00007FF74F6270B9
HeapFree.KERNEL32(?,?,00000000,00007FF74F626E68,?,?,?,00007FF74F62826F), ref: 00007FF74F6270CD
GetProcessHeap.KERNEL32(?,?,00000000,00007FF74F626E68,?,?,?,00007FF74F62826F), ref: 00007FF74F6270F1
HeapFree.KERNEL32(?,?,00000000,00007FF74F626E68,?,?,?,00007FF74F62826F), ref: 00007FF74F627105

Memory Dump Source

Source File: 00000000.00000002.948802634.00007FF74F621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF74F620000, based on PE: true

Associated: 00000000.00000002.948797619.00007FF74F620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948807794.00007FF74F62A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948812724.00007FF74F62D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F62E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.948817509.00007FF74F630000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff74f620000_iexplore.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b48126e289383ea1a3766ba9d6cd6342a985ef06311d3cc3f288c71a0fd3198b
Instruction ID: 38552d705403cd16409e4ecda5b3fbaf98683c95b79ff44efae08b3afe86c7e8
Opcode Fuzzy Hash: b48126e289383ea1a3766ba9d6cd6342a985ef06311d3cc3f288c71a0fd3198b
Instruction Fuzzy Hash: 64114C32A08B81C6DB00AF56F9000ACBBB5FB49F81B9D8125DB4E03718DF38E496C742

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iexplore.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_iexplore.exe_4ea5210d13788e8dcd35822d64aeb95daa7e6_e4713376_1e60916c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B22.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BCF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BEF.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
iexplore.exe